// SPDX-License-Identifier: GPL-2.0-only
/*
 * linux/fs/binfmt_elf.c
 *
 * These are the functions used to load ELF format executables as used
 * on SVr4 machines.  Information on the format may be found in the book
 * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
 * Tools".
 *
 * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
 */

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/log2.h>
#include <linux/mm.h>
#include <linux/mman.h>
#include <linux/errno.h>
#include <linux/signal.h>
#include <linux/binfmts.h>
#include <linux/string.h>
#include <linux/file.h>
#include <linux/slab.h>
#include <linux/personality.h>
#include <linux/elfcore.h>
#include <linux/init.h>
#include <linux/highuid.h>
#include <linux/compiler.h>
#include <linux/highmem.h>
#include <linux/hugetlb.h>
#include <linux/pagemap.h>
#include <linux/vmalloc.h>
#include <linux/security.h>
#include <linux/random.h>
#include <linux/elf.h>
#include <linux/elf-randomize.h>
#include <linux/utsname.h>
#include <linux/coredump.h>
#include <linux/sched.h>
#include <linux/sched/coredump.h>
#include <linux/sched/task_stack.h>
#include <linux/sched/cputime.h>
#include <linux/sizes.h>
#include <linux/types.h>
#include <linux/cred.h>
#include <linux/dax.h>
#include <linux/uaccess.h>
#include <linux/rseq.h>
#include <asm/param.h>
#include <asm/page.h>

#ifndef ELF_COMPAT
#define ELF_COMPAT 0
#endif

#ifndef user_long_t
#define user_long_t long
#endif
#ifndef user_siginfo_t
#define user_siginfo_t siginfo_t
#endif

/* That's for binfmt_elf_fdpic to deal with */
#ifndef elf_check_fdpic
#define elf_check_fdpic(ex) false
#endif

static int load_elf_binary(struct linux_binprm *bprm);

#ifdef CONFIG_USELIB
static int load_elf_library(struct file *);
#else
#define load_elf_library NULL
#endif

/*
 * If we don't support core dumping, then supply a NULL so we
 * don't even try.
 */
#ifdef CONFIG_ELF_CORE
static int elf_core_dump(struct coredump_params *cprm);
#else
#define elf_core_dump NULL
#endif

#if ELF_EXEC_PAGESIZE > PAGE_SIZE
#define ELF_MIN_ALIGN	ELF_EXEC_PAGESIZE
#else
#define ELF_MIN_ALIGN	PAGE_SIZE
#endif

#ifndef ELF_CORE_EFLAGS
#define ELF_CORE_EFLAGS	0
#endif

#define ELF_PAGESTART(_v) ((_v) & ~(int)(ELF_MIN_ALIGN-1))
#define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
#define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
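
/*
 * For illustration (assuming ELF_MIN_ALIGN == 4096, i.e. 0x1000):
 *
 *	ELF_PAGESTART(0x12345)  == 0x12000	(round down to page start)
 *	ELF_PAGEOFFSET(0x12345) == 0x345	(offset within the page)
 *	ELF_PAGEALIGN(0x12345)  == 0x13000	(round up to next boundary)
 */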

static struct linux_binfmt elf_format = {
	.module		= THIS_MODULE,
	.load_binary	= load_elf_binary,
	.load_shlib	= load_elf_library,
#ifdef CONFIG_COREDUMP
	.core_dump	= elf_core_dump,
	.min_coredump	= ELF_EXEC_PAGESIZE,
#endif
};

#define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))

static int set_brk(unsigned long start, unsigned long end, int prot)
{
	start = ELF_PAGEALIGN(start);
	end = ELF_PAGEALIGN(end);
	if (end > start) {
		/*
		 * Map the last of the bss segment.
		 * If the header is requesting these pages to be
		 * executable, honour that (ppc32 needs this).
		 */
		int error = vm_brk_flags(start, end - start,
				prot & PROT_EXEC ? VM_EXEC : 0);
		if (error)
			return error;
	}
	current->mm->start_brk = current->mm->brk = end;
	return 0;
}

/*
 * We need to explicitly zero any fractional pages
 * after the data section (i.e. bss).  This would
 * contain the junk from the file that should not
 * be in memory.
 */
static int padzero(unsigned long elf_bss)
{
	unsigned long nbyte;

	nbyte = ELF_PAGEOFFSET(elf_bss);
	if (nbyte) {
		nbyte = ELF_MIN_ALIGN - nbyte;
		if (clear_user((void __user *) elf_bss, nbyte))
			return -EFAULT;
	}
	return 0;
}

/* Let's use some macros to make this stack manipulation a little clearer */
#ifdef CONFIG_STACK_GROWSUP
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
#define STACK_ROUND(sp, items) \
	((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
#define STACK_ALLOC(sp, len) ({ \
	elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
	old_sp; })
#else
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
#define STACK_ROUND(sp, items) \
	(((unsigned long) (sp - items)) &~ 15UL)
#define STACK_ALLOC(sp, len) (sp -= len)
#endif
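
/*
 * A sketch of the initial userspace stack that create_elf_tables() below
 * assembles with these macros (downward-growing stack case, lowest
 * address first):
 *
 *	[ argc                        ]  <- sp when the program starts
 *	[ argv[0] ... argv[argc - 1]  ]
 *	[ NULL                        ]
 *	[ envp[0] ... envp[envc - 1]  ]
 *	[ NULL                        ]
 *	[ auxv pairs ... AT_NULL pair ]
 *	[ platform strings, AT_RANDOM bytes, argv/envp strings ... ]
 */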

#ifndef ELF_BASE_PLATFORM
/*
 * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
 * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
 * will be copied to the user stack in the same manner as AT_PLATFORM.
 */
#define ELF_BASE_PLATFORM NULL
#endif

static int
create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
		  unsigned long interp_load_addr,
		  unsigned long e_entry, unsigned long phdr_addr)
{
	struct mm_struct *mm = current->mm;
	unsigned long p = bprm->p;
	int argc = bprm->argc;
	int envc = bprm->envc;
	elf_addr_t __user *sp;
	elf_addr_t __user *u_platform;
	elf_addr_t __user *u_base_platform;
	elf_addr_t __user *u_rand_bytes;
	const char *k_platform = ELF_PLATFORM;
	const char *k_base_platform = ELF_BASE_PLATFORM;
	unsigned char k_rand_bytes[16];
	int items;
	elf_addr_t *elf_info;
	elf_addr_t flags = 0;
	int ei_index;
	const struct cred *cred = current_cred();
	struct vm_area_struct *vma;

	/*
	 * In some cases (e.g. Hyper-Threading), we want to avoid L1
	 * evictions by the processes running on the same package. One
	 * thing we can do is to shuffle the initial stack for them.
	 */

	p = arch_align_stack(p);

	/*
	 * If this architecture has a platform capability string, copy it
	 * to userspace.  In some cases (Sparc), this info is impossible
	 * for userspace to get any other way, in others (i386) it is
	 * merely difficult.
	 */
	u_platform = NULL;
	if (k_platform) {
		size_t len = strlen(k_platform) + 1;

		u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
		if (copy_to_user(u_platform, k_platform, len))
			return -EFAULT;
	}

	/*
	 * If this architecture has a "base" platform capability
	 * string, copy it to userspace.
	 */
	u_base_platform = NULL;
	if (k_base_platform) {
		size_t len = strlen(k_base_platform) + 1;

		u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
		if (copy_to_user(u_base_platform, k_base_platform, len))
			return -EFAULT;
	}

	/*
	 * Generate 16 random bytes for userspace PRNG seeding.
	 */
	get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
	u_rand_bytes = (elf_addr_t __user *)
		       STACK_ALLOC(p, sizeof(k_rand_bytes));
	if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
		return -EFAULT;

	/* Create the ELF interpreter info */
	elf_info = (elf_addr_t *)mm->saved_auxv;
	/* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
#define NEW_AUX_ENT(id, val) \
	do { \
		*elf_info++ = id; \
		*elf_info++ = val; \
	} while (0)
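
/*
 * The resulting saved_auxv is a flat array of (id, value) pairs,
 * terminated by an AT_NULL entry, e.g. (values illustrative only):
 *
 *	{ AT_HWCAP, hwcap, AT_PAGESZ, 0x1000, ..., AT_NULL, 0 }
 */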

#ifdef ARCH_DLINFO
	/*
	 * ARCH_DLINFO must come first so PPC can do its special alignment of
	 * AUXV.
	 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
	 * ARCH_DLINFO changes
	 */
	ARCH_DLINFO;
#endif
	NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
	NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
	NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
	NEW_AUX_ENT(AT_PHDR, phdr_addr);
	NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
	NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
	NEW_AUX_ENT(AT_BASE, interp_load_addr);
	if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0)
		flags |= AT_FLAGS_PRESERVE_ARGV0;
	NEW_AUX_ENT(AT_FLAGS, flags);
	NEW_AUX_ENT(AT_ENTRY, e_entry);
	NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
	NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
	NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
	NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
	NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
	NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
#ifdef ELF_HWCAP2
	NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
#endif
	NEW_AUX_ENT(AT_EXECFN, bprm->exec);
	if (k_platform) {
		NEW_AUX_ENT(AT_PLATFORM,
			    (elf_addr_t)(unsigned long)u_platform);
	}
	if (k_base_platform) {
		NEW_AUX_ENT(AT_BASE_PLATFORM,
			    (elf_addr_t)(unsigned long)u_base_platform);
	}
	if (bprm->have_execfd) {
		NEW_AUX_ENT(AT_EXECFD, bprm->execfd);
	}
#ifdef CONFIG_RSEQ
	NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end));
	NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq));
#endif
#undef NEW_AUX_ENT
	/* AT_NULL is zero; clear the rest too */
	memset(elf_info, 0, (char *)mm->saved_auxv +
			sizeof(mm->saved_auxv) - (char *)elf_info);

	/* And advance past the AT_NULL entry. */
	elf_info += 2;

	ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
	sp = STACK_ADD(p, ei_index);

	items = (argc + 1) + (envc + 1) + 1;
	bprm->p = STACK_ROUND(sp, items);

	/* Point sp at the lowest address on the stack */
#ifdef CONFIG_STACK_GROWSUP
	sp = (elf_addr_t __user *)bprm->p - items - ei_index;
	bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
#else
	sp = (elf_addr_t __user *)bprm->p;
#endif

	/*
	 * Grow the stack manually; some architectures have a limit on how
	 * far ahead a user-space access may be in order to grow the stack.
	 */
	if (mmap_write_lock_killable(mm))
		return -EINTR;
	vma = find_extend_vma_locked(mm, bprm->p);
	mmap_write_unlock(mm);
	if (!vma)
		return -EFAULT;

	/* Now, let's put argc (and argv, envp if appropriate) on the stack */
	if (put_user(argc, sp++))
		return -EFAULT;

	/* Populate list of argv pointers back to argv strings. */
	p = mm->arg_end = mm->arg_start;
	while (argc-- > 0) {
		size_t len;
		if (put_user((elf_addr_t)p, sp++))
			return -EFAULT;
		len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
		if (!len || len > MAX_ARG_STRLEN)
			return -EINVAL;
		p += len;
	}
	if (put_user(0, sp++))
		return -EFAULT;
	mm->arg_end = p;

	/* Populate list of envp pointers back to envp strings. */
	mm->env_end = mm->env_start = p;
	while (envc-- > 0) {
		size_t len;
		if (put_user((elf_addr_t)p, sp++))
			return -EFAULT;
		len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
		if (!len || len > MAX_ARG_STRLEN)
			return -EINVAL;
		p += len;
	}
	if (put_user(0, sp++))
		return -EFAULT;
	mm->env_end = p;

	/* Put the elf_info on the stack in the right place.  */
	if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
		return -EFAULT;
	return 0;
}

static unsigned long elf_map(struct file *filep, unsigned long addr,
		const struct elf_phdr *eppnt, int prot, int type,
		unsigned long total_size)
{
	unsigned long map_addr;
	unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
	unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
	addr = ELF_PAGESTART(addr);
	size = ELF_PAGEALIGN(size);
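
	/*
	 * Worked example (illustrative, assuming ELF_MIN_ALIGN == 0x1000):
	 * a segment with p_vaddr == 0x401234, p_offset == 0x1234 and
	 * p_filesz == 0x100 has ELF_PAGEOFFSET(p_vaddr) == 0x234, so
	 * size == ELF_PAGEALIGN(0x334) == 0x1000 and off == 0x1000.
	 * The ELF spec requires p_vaddr and p_offset to be congruent
	 * modulo the page size, which is what keeps "off" page-aligned.
	 */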

	/* mmap() will return -EINVAL if given a zero size, but a
	 * segment with zero filesize is perfectly valid */
	if (!size)
		return addr;

	/*
	 * total_size is the size of the ELF (interpreter) image.
	 * The _first_ mmap needs to know the full size, otherwise
	 * randomization might put this image into an overlapping
	 * position with the ELF binary image. (since size < total_size)
	 * So we first map the 'big' image - and unmap the remainder at
	 * the end. (which unmap is needed for ELF images with holes.)
	 */
	if (total_size) {
		total_size = ELF_PAGEALIGN(total_size);
		map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
		if (!BAD_ADDR(map_addr))
			vm_munmap(map_addr+size, total_size-size);
	} else
		map_addr = vm_mmap(filep, addr, size, prot, type, off);

	if ((type & MAP_FIXED_NOREPLACE) &&
	    PTR_ERR((void *)map_addr) == -EEXIST)
		pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
			task_pid_nr(current), current->comm, (void *)addr);

	return map_addr;
}

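/*
 * Example (illustrative): two PT_LOAD segments with p_vaddr 0x400000
 * (p_memsz 0x1000) and 0x601000 (p_memsz 0x2000) give min_addr == 0x400000
 * and max_addr == 0x603000 below, so the image spans 0x203000 bytes.
 */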
static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr)
{
	elf_addr_t min_addr = -1;
	elf_addr_t max_addr = 0;
	bool pt_load = false;
	int i;

	for (i = 0; i < nr; i++) {
		if (phdr[i].p_type == PT_LOAD) {
			min_addr = min(min_addr, ELF_PAGESTART(phdr[i].p_vaddr));
			max_addr = max(max_addr, phdr[i].p_vaddr + phdr[i].p_memsz);
			pt_load = true;
		}
	}
	return pt_load ? (max_addr - min_addr) : 0;
}

static int elf_read(struct file *file, void *buf, size_t len, loff_t pos)
{
	ssize_t rv;

	rv = kernel_read(file, buf, len, &pos);
	if (unlikely(rv != len)) {
		return (rv < 0) ? rv : -EIO;
	}
	return 0;
}

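/*
 * Example (illustrative): a PIE whose PT_LOADs carry p_align values of
 * 0x1000 and 0x200000 yields 0x200000 here, so a randomized load address
 * can preserve the larger (e.g. hugepage) alignment.  Alignments that are
 * not a power of two are skipped as invalid, and ELF_PAGEALIGN() ensures
 * the result is at least one page.
 */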
static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr)
{
	unsigned long alignment = 0;
	int i;

	for (i = 0; i < nr; i++) {
		if (cmds[i].p_type == PT_LOAD) {
			unsigned long p_align = cmds[i].p_align;

			/* skip non-power of two alignments as invalid */
			if (!is_power_of_2(p_align))
				continue;
			alignment = max(alignment, p_align);
		}
	}

	/* ensure we align to at least one page */
	return ELF_PAGEALIGN(alignment);
}

/**
 * load_elf_phdrs() - load ELF program headers
 * @elf_ex:   ELF header of the binary whose program headers should be loaded
 * @elf_file: the opened ELF binary file
 *
 * Loads ELF program headers from the binary file elf_file, which has the ELF
 * header pointed to by elf_ex, into a newly allocated array. The caller is
 * responsible for freeing the allocated data. Returns NULL upon failure.
 */
static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
				       struct file *elf_file)
{
	struct elf_phdr *elf_phdata = NULL;
	int retval = -1;
	unsigned int size;

	/*
	 * If the size of this structure has changed, then punt, since
	 * we will be doing the wrong thing.
	 */
	if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
		goto out;

	/* Sanity check the number of program headers... */
	/* ...and their total size. */
	size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
	if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
		goto out;

	elf_phdata = kmalloc(size, GFP_KERNEL);
	if (!elf_phdata)
		goto out;

	/* Read in the program headers */
	retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff);

out:
	if (retval) {
		kfree(elf_phdata);
		elf_phdata = NULL;
	}
	return elf_phdata;
}

#ifndef CONFIG_ARCH_BINFMT_ELF_STATE

/**
 * struct arch_elf_state - arch-specific ELF loading state
 *
 * This structure is used to preserve architecture specific data during
 * the loading of an ELF file, throughout the checking of architecture
 * specific ELF headers & through to the point where the ELF load is
 * known to be proceeding (ie. SET_PERSONALITY).
 *
 * This implementation is a dummy for architectures which require no
 * specific state.
 */
struct arch_elf_state {
};

#define INIT_ARCH_ELF_STATE {}

/**
 * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
 * @ehdr:	The main ELF header
 * @phdr:	The program header to check
 * @elf:	The open ELF file
 * @is_interp:	True if the phdr is from the interpreter of the ELF being
 *		loaded, else false.
 * @state:	Architecture-specific state preserved throughout the process
 *		of loading the ELF.
 *
 * Inspects the program header phdr to validate its correctness and/or
 * suitability for the system. Called once per ELF program header in the
 * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
 * interpreter.
 *
 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
 *         with that return code.
 */
static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
				   struct elf_phdr *phdr,
				   struct file *elf, bool is_interp,
				   struct arch_elf_state *state)
{
	/* Dummy implementation, always proceed */
	return 0;
}

/**
 * arch_check_elf() - check an ELF executable
 * @ehdr:	The main ELF header
 * @has_interp:	True if the ELF has an interpreter, else false.
 * @interp_ehdr: The interpreter's ELF header
 * @state:	Architecture-specific state preserved throughout the process
 *		of loading the ELF.
 *
 * Provides a final opportunity for architecture code to reject the loading
 * of the ELF & cause an exec syscall to return an error. This is called after
 * all program headers to be checked by arch_elf_pt_proc have been.
 *
 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
 *         with that return code.
 */
static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
				 struct elfhdr *interp_ehdr,
				 struct arch_elf_state *state)
{
	/* Dummy implementation, always proceed */
	return 0;
}

#endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */

static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state,
			    bool has_interp, bool is_interp)
{
	int prot = 0;

	if (p_flags & PF_R)
		prot |= PROT_READ;
	if (p_flags & PF_W)
		prot |= PROT_WRITE;
	if (p_flags & PF_X)
		prot |= PROT_EXEC;

	return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp);
}

/*
 * This is much more generalized than the library routine read function,
 * so we keep this separate.  Technically the library read function
 * is only provided so that we can read a.out libraries that have
 * an ELF header.
 */
static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
		struct file *interpreter,
		unsigned long no_base, struct elf_phdr *interp_elf_phdata,
		struct arch_elf_state *arch_state)
{
	struct elf_phdr *eppnt;
	unsigned long load_addr = 0;
	int load_addr_set = 0;
	unsigned long last_bss = 0, elf_bss = 0;
	int bss_prot = 0;
	unsigned long error = ~0UL;
	unsigned long total_size;
	int i;

	/* First of all, some simple consistency checks */
	if (interp_elf_ex->e_type != ET_EXEC &&
	    interp_elf_ex->e_type != ET_DYN)
		goto out;
	if (!elf_check_arch(interp_elf_ex) ||
	    elf_check_fdpic(interp_elf_ex))
		goto out;
	if (!interpreter->f_op->mmap)
		goto out;

	total_size = total_mapping_size(interp_elf_phdata,
					interp_elf_ex->e_phnum);
	if (!total_size) {
		error = -EINVAL;
		goto out;
	}

	eppnt = interp_elf_phdata;
	for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
		if (eppnt->p_type == PT_LOAD) {
			int elf_type = MAP_PRIVATE;
			int elf_prot = make_prot(eppnt->p_flags, arch_state,
						 true, true);
			unsigned long vaddr = 0;
			unsigned long k, map_addr;

			vaddr = eppnt->p_vaddr;
			if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
				elf_type |= MAP_FIXED;
			else if (no_base && interp_elf_ex->e_type == ET_DYN)
				load_addr = -vaddr;

			map_addr = elf_map(interpreter, load_addr + vaddr,
					eppnt, elf_prot, elf_type, total_size);
			total_size = 0;
			error = map_addr;
			if (BAD_ADDR(map_addr))
				goto out;

			if (!load_addr_set &&
			    interp_elf_ex->e_type == ET_DYN) {
				load_addr = map_addr - ELF_PAGESTART(vaddr);
				load_addr_set = 1;
			}

			/*
			 * Check to see if the section's size will overflow the
			 * allowed task size. Note that p_filesz must always be
			 * <= p_memsz so it's only necessary to check p_memsz.
			 */
			k = load_addr + eppnt->p_vaddr;
			if (BAD_ADDR(k) ||
			    eppnt->p_filesz > eppnt->p_memsz ||
			    eppnt->p_memsz > TASK_SIZE ||
			    TASK_SIZE - eppnt->p_memsz < k) {
				error = -ENOMEM;
				goto out;
			}

			/*
			 * Find the end of the file mapping for this phdr, and
			 * keep track of the largest address we see for this.
			 */
			k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
			if (k > elf_bss)
				elf_bss = k;

			/*
			 * Do the same thing for the memory mapping - between
			 * elf_bss and last_bss is the bss section.
			 */
			k = load_addr + eppnt->p_vaddr + eppnt->p_memsz;
			if (k > last_bss) {
				last_bss = k;
				bss_prot = elf_prot;
			}
		}
	}

	/*
	 * Now fill out the bss section: first pad the last page from
	 * the file up to the page boundary, and zero it from elf_bss
	 * up to the end of the page.
	 */
	if (padzero(elf_bss)) {
		error = -EFAULT;
		goto out;
	}
	/*
	 * Next, align both the file and mem bss up to the page size,
	 * since this is where elf_bss was just zeroed up to, and where
	 * last_bss will end after the vm_brk_flags() below.
	 */
	elf_bss = ELF_PAGEALIGN(elf_bss);
	last_bss = ELF_PAGEALIGN(last_bss);
	/* Finally, if there is still more bss to allocate, do it. */
	if (last_bss > elf_bss) {
		error = vm_brk_flags(elf_bss, last_bss - elf_bss,
				bss_prot & PROT_EXEC ? VM_EXEC : 0);
		if (error)
			goto out;
	}

	error = load_addr;
out:
	return error;
}

/*
 * These are the functions used to load ELF style executables and shared
 * libraries.  There is no binary dependent code anywhere else.
 */

static int parse_elf_property(const char *data, size_t *off, size_t datasz,
			      struct arch_elf_state *arch,
			      bool have_prev_type, u32 *prev_type)
{
	size_t o, step;
	const struct gnu_property *pr;
	int ret;

	if (*off == datasz)
		return -ENOENT;

	if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN))
		return -EIO;
	o = *off;
	datasz -= *off;

	if (datasz < sizeof(*pr))
		return -ENOEXEC;
	pr = (const struct gnu_property *)(data + o);
	o += sizeof(*pr);
	datasz -= sizeof(*pr);

	if (pr->pr_datasz > datasz)
		return -ENOEXEC;

	WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN);
	step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN);
	if (step > datasz)
		return -ENOEXEC;

	/* Properties are supposed to be unique and sorted on pr_type: */
	if (have_prev_type && pr->pr_type <= *prev_type)
		return -ENOEXEC;
	*prev_type = pr->pr_type;

	ret = arch_parse_elf_property(pr->pr_type, data + o,
				      pr->pr_datasz, ELF_COMPAT, arch);
	if (ret)
		return ret;

	*off = o + step;
	return 0;
}

#define NOTE_DATA_SZ SZ_1K
#define GNU_PROPERTY_TYPE_0_NAME "GNU"
#define NOTE_NAME_SZ (sizeof(GNU_PROPERTY_TYPE_0_NAME))
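
/*
 * Rough on-disk layout of the PT_GNU_PROPERTY note parsed below, per the
 * ELF gABI "GNU property" extension:
 *
 *	Elf_Nhdr { n_namesz = 4, n_descsz, n_type = NT_GNU_PROPERTY_TYPE_0 }
 *	"GNU\0"			(name, padded to ELF_GNU_PROPERTY_ALIGN)
 *	desc: a sequence of { u32 pr_type; u32 pr_datasz; u8 pr_data[]; }
 *	      entries, each padded to ELF_GNU_PROPERTY_ALIGN and sorted by
 *	      increasing pr_type.
 */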

static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
				struct arch_elf_state *arch)
{
	union {
		struct elf_note nhdr;
		char data[NOTE_DATA_SZ];
	} note;
	loff_t pos;
	ssize_t n;
	size_t off, datasz;
	int ret;
	bool have_prev_type;
	u32 prev_type;

	if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr)
		return 0;

	/* load_elf_binary() shouldn't call us unless this is true... */
	if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY))
		return -ENOEXEC;

	/* If the properties are crazy large, that's too bad (for now): */
	if (phdr->p_filesz > sizeof(note))
		return -ENOEXEC;

	pos = phdr->p_offset;
	n = kernel_read(f, &note, phdr->p_filesz, &pos);

	BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
	if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
		return -EIO;

	if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
	    note.nhdr.n_namesz != NOTE_NAME_SZ ||
	    strncmp(note.data + sizeof(note.nhdr),
		    GNU_PROPERTY_TYPE_0_NAME, n - sizeof(note.nhdr)))
		return -ENOEXEC;

	off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
		       ELF_GNU_PROPERTY_ALIGN);
	if (off > n)
		return -ENOEXEC;

	if (note.nhdr.n_descsz > n - off)
		return -ENOEXEC;
	datasz = off + note.nhdr.n_descsz;

	have_prev_type = false;
	do {
		ret = parse_elf_property(note.data, &off, datasz, arch,
					 have_prev_type, &prev_type);
		have_prev_type = true;
	} while (!ret);

	return ret == -ENOENT ? 0 : ret;
}

static int load_elf_binary(struct linux_binprm *bprm)
{
	struct file *interpreter = NULL; /* to shut gcc up */
	unsigned long load_bias = 0, phdr_addr = 0;
	int first_pt_load = 1;
	unsigned long error;
	struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
	struct elf_phdr *elf_property_phdata = NULL;
	unsigned long elf_bss, elf_brk;
	int bss_prot = 0;
	int retval, i;
	unsigned long elf_entry;
	unsigned long e_entry;
	unsigned long interp_load_addr = 0;
	unsigned long start_code, end_code, start_data, end_data;
	unsigned long reloc_func_desc __maybe_unused = 0;
	int executable_stack = EXSTACK_DEFAULT;
	struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
	struct elfhdr *interp_elf_ex = NULL;
	struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
	struct mm_struct *mm;
	struct pt_regs *regs;

	retval = -ENOEXEC;
	/* First of all, some simple consistency checks */
	if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
		goto out;

	if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
		goto out;
	if (!elf_check_arch(elf_ex))
		goto out;
	if (elf_check_fdpic(elf_ex))
		goto out;
	if (!bprm->file->f_op->mmap)
		goto out;

	elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
	if (!elf_phdata)
		goto out;

	elf_ppnt = elf_phdata;
	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
		char *elf_interpreter;

		if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
			elf_property_phdata = elf_ppnt;
			continue;
		}

		if (elf_ppnt->p_type != PT_INTERP)
			continue;

		/*
		 * This is the program interpreter used for shared libraries -
		 * for now assume that this is an a.out format binary.
		 */
		retval = -ENOEXEC;
		if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
			goto out_free_ph;

		retval = -ENOMEM;
		elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
		if (!elf_interpreter)
			goto out_free_ph;

		retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
				  elf_ppnt->p_offset);
		if (retval < 0)
			goto out_free_interp;
		/* make sure path is NULL terminated */
		retval = -ENOEXEC;
		if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
			goto out_free_interp;

		interpreter = open_exec(elf_interpreter);
		kfree(elf_interpreter);
		retval = PTR_ERR(interpreter);
		if (IS_ERR(interpreter))
			goto out_free_ph;

		/*
		 * If the binary is not readable then enforce mm->dumpable = 0
		 * regardless of the interpreter's permissions.
		 */
		would_dump(bprm, interpreter);

		interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
		if (!interp_elf_ex) {
			retval = -ENOMEM;
			goto out_free_file;
		}

		/* Get the exec headers */
		retval = elf_read(interpreter, interp_elf_ex,
				  sizeof(*interp_elf_ex), 0);
		if (retval < 0)
			goto out_free_dentry;

		break;

out_free_interp:
		kfree(elf_interpreter);
		goto out_free_ph;
	}

	elf_ppnt = elf_phdata;
	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
		switch (elf_ppnt->p_type) {
		case PT_GNU_STACK:
			if (elf_ppnt->p_flags & PF_X)
				executable_stack = EXSTACK_ENABLE_X;
			else
				executable_stack = EXSTACK_DISABLE_X;
			break;

		case PT_LOPROC ... PT_HIPROC:
			retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
						  bprm->file, false,
						  &arch_state);
			if (retval)
				goto out_free_dentry;
			break;
		}

	/* Some simple consistency checks for the interpreter */
	if (interpreter) {
		retval = -ELIBBAD;
		/* Not an ELF interpreter */
		if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
			goto out_free_dentry;
		/* Verify the interpreter has a valid arch */
		if (!elf_check_arch(interp_elf_ex) ||
		    elf_check_fdpic(interp_elf_ex))
			goto out_free_dentry;

		/* Load the interpreter program headers */
		interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
						   interpreter);
		if (!interp_elf_phdata)
			goto out_free_dentry;

		/* Pass PT_LOPROC..PT_HIPROC headers to arch code */
		elf_property_phdata = NULL;
		elf_ppnt = interp_elf_phdata;
		for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
			switch (elf_ppnt->p_type) {
			case PT_GNU_PROPERTY:
				elf_property_phdata = elf_ppnt;
				break;

			case PT_LOPROC ... PT_HIPROC:
				retval = arch_elf_pt_proc(interp_elf_ex,
							  elf_ppnt, interpreter,
							  true, &arch_state);
				if (retval)
					goto out_free_dentry;
				break;
			}
	}

	retval = parse_elf_properties(interpreter ?: bprm->file,
				      elf_property_phdata, &arch_state);
	if (retval)
		goto out_free_dentry;

	/*
	 * Allow arch code to reject the ELF at this point, whilst it's
	 * still possible to return an error to the code that invoked
	 * the exec syscall.
	 */
	retval = arch_check_elf(elf_ex,
				!!interpreter, interp_elf_ex,
				&arch_state);
	if (retval)
		goto out_free_dentry;

	/* Flush all traces of the currently running executable */
	retval = begin_new_exec(bprm);
	if (retval)
		goto out_free_dentry;

	/*
	 * Do this immediately, since STACK_TOP as used in setup_arg_pages
	 * may depend on the personality.
	 */
	SET_PERSONALITY2(*elf_ex, &arch_state);
	if (elf_read_implies_exec(*elf_ex, executable_stack))
		current->personality |= READ_IMPLIES_EXEC;

	const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
	if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space)
		current->flags |= PF_RANDOMIZE;

	setup_new_exec(bprm);

	/*
	 * Do this so that we can load the interpreter, if need be.  We will
	 * change some of these later.
	 */
	retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
				 executable_stack);
	if (retval < 0)
		goto out_free_dentry;

	elf_bss = 0;
	elf_brk = 0;

	start_code = ~0UL;
	end_code = 0;
	start_data = 0;
	end_data = 0;

	/*
	 * Now we do a little grungy work by mmapping the ELF image into
	 * the correct location in memory.
	 */
	for (i = 0, elf_ppnt = elf_phdata;
	     i < elf_ex->e_phnum; i++, elf_ppnt++) {
		int elf_prot, elf_flags;
		unsigned long k, vaddr;
		unsigned long total_size = 0;
		unsigned long alignment;

		if (elf_ppnt->p_type != PT_LOAD)
			continue;

		if (unlikely(elf_brk > elf_bss)) {
			unsigned long nbyte;

			/*
			 * There was a PT_LOAD segment with p_memsz > p_filesz
			 * before this one.  Map anonymous pages, if needed,
			 * and clear the area.
			 */
			retval = set_brk(elf_bss + load_bias,
					 elf_brk + load_bias,
					 bss_prot);
			if (retval)
				goto out_free_dentry;
			nbyte = ELF_PAGEOFFSET(elf_bss);
			if (nbyte) {
				nbyte = ELF_MIN_ALIGN - nbyte;
				if (nbyte > elf_brk - elf_bss)
					nbyte = elf_brk - elf_bss;
				if (clear_user((void __user *)elf_bss +
							load_bias, nbyte)) {
					/*
					 * This bss-zeroing can fail if the ELF
					 * file specifies odd protections. So
					 * we don't check the return value
					 */
				}
			}
		}

		elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
				     !!interpreter, false);

		elf_flags = MAP_PRIVATE;

		vaddr = elf_ppnt->p_vaddr;
		/*
		 * The first time through the loop, first_pt_load is true:
		 * layout will be calculated. Once set, use MAP_FIXED since
		 * we know we've already safely mapped the entire region with
		 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
		 */
		if (!first_pt_load) {
			elf_flags |= MAP_FIXED;
		} else if (elf_ex->e_type == ET_EXEC) {
			/*
			 * This logic is run once for the first LOAD Program
			 * Header for ET_EXEC binaries. No special handling
			 * is needed.
			 */
			elf_flags |= MAP_FIXED_NOREPLACE;
		} else if (elf_ex->e_type == ET_DYN) {
			/*
			 * This logic is run once for the first LOAD Program
			 * Header for ET_DYN binaries to calculate the
			 * randomization (load_bias) for all the LOAD
			 * Program Headers.
			 *
			 * There are effectively two types of ET_DYN
			 * binaries: programs (i.e. PIE: ET_DYN with INTERP)
			 * and loaders (ET_DYN without INTERP, since they
			 * _are_ the ELF interpreter). The loaders must
			 * be loaded away from programs since the program
			 * may otherwise collide with the loader (especially
			 * for ET_EXEC which does not have a randomized
			 * position). For example, to handle invocations of
			 * "./ld.so someprog" to test out a new version of
			 * the loader, the subsequent program that the
			 * loader loads must avoid the loader itself, so
			 * they cannot share the same load range. Sufficient
			 * room for the brk must be allocated with the
			 * loader as well, since brk must be available with
			 * the loader.
			 *
			 * Therefore, programs are loaded offset from
			 * ELF_ET_DYN_BASE and loaders are loaded into the
			 * independently randomized mmap region (0 load_bias
			 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
			 */
			if (interpreter) {
				load_bias = ELF_ET_DYN_BASE;
				if (current->flags & PF_RANDOMIZE)
					load_bias += arch_mmap_rnd();
				alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
				if (alignment)
					load_bias &= ~(alignment - 1);
				elf_flags |= MAP_FIXED_NOREPLACE;
			} else
				load_bias = 0;

			/*
			 * Since load_bias is used for all subsequent loading
			 * calculations, we must lower it by the first vaddr
			 * so that the remaining calculations based on the
			 * ELF vaddrs will be correctly offset. The result
			 * is then page aligned.
			 */
			load_bias = ELF_PAGESTART(load_bias - vaddr);

			/*
			 * Calculate the entire size of the ELF mapping
			 * (total_size), used for the initial mapping,
			 * due to load_addr_set which is set to true later
			 * once the initial mapping is performed.
			 *
			 * Note that this is only sensible when the LOAD
			 * segments are contiguous (or overlapping). If
			 * used for LOADs that are far apart, this would
			 * cause the holes between LOADs to be mapped,
			 * running the risk of having the mapping fail,
			 * as it would be larger than the ELF file itself.
			 *
			 * As a result, only ET_DYN does this, since
			 * some ET_EXEC (e.g. ia64) may have large virtual
			 * memory holes between LOADs.
			 */
			total_size = total_mapping_size(elf_phdata,
							elf_ex->e_phnum);
			if (!total_size) {
				retval = -EINVAL;
				goto out_free_dentry;
			}
		}

		error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
				elf_prot, elf_flags, total_size);
		if (BAD_ADDR(error)) {
			retval = IS_ERR_VALUE(error) ?
				PTR_ERR((void*)error) : -EINVAL;
			goto out_free_dentry;
		}

		if (first_pt_load) {
			first_pt_load = 0;
			if (elf_ex->e_type == ET_DYN) {
				load_bias += error -
					     ELF_PAGESTART(load_bias + vaddr);
				reloc_func_desc = load_bias;
			}
		}

		/*
		 * Figure out which segment in the file contains the Program
		 * Header table, and map to the associated memory address.
		 */
		if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
		    elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
			phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
				    elf_ppnt->p_vaddr;
		}

		k = elf_ppnt->p_vaddr;
		if ((elf_ppnt->p_flags & PF_X) && k < start_code)
			start_code = k;
		if (start_data < k)
			start_data = k;

		/*
		 * Check to see if the section's size will overflow the
		 * allowed task size. Note that p_filesz must always be
		 * <= p_memsz so it is only necessary to check p_memsz.
		 */
		if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
		    elf_ppnt->p_memsz > TASK_SIZE ||
		    TASK_SIZE - elf_ppnt->p_memsz < k) {
			/* set_brk can never work. Avoid overflows. */
			retval = -EINVAL;
			goto out_free_dentry;
		}

		k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;

		if (k > elf_bss)
			elf_bss = k;
		if ((elf_ppnt->p_flags & PF_X) && end_code < k)
			end_code = k;
		if (end_data < k)
			end_data = k;
		k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
		if (k > elf_brk) {
			bss_prot = elf_prot;
			elf_brk = k;
		}
	}

	e_entry = elf_ex->e_entry + load_bias;
	phdr_addr += load_bias;
	elf_bss += load_bias;
	elf_brk += load_bias;
	start_code += load_bias;
	end_code += load_bias;
	start_data += load_bias;
	end_data += load_bias;

	/*
	 * Calling set_brk effectively mmaps the pages that we need
	 * for the bss and break sections.  We must do this before
	 * mapping in the interpreter, to make sure it doesn't wind
	 * up getting placed where the bss needs to go.
	 */
	retval = set_brk(elf_bss, elf_brk, bss_prot);
	if (retval)
		goto out_free_dentry;
	if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
		retval = -EFAULT; /* Nobody gets to see this, but.. */
		goto out_free_dentry;
	}

	if (interpreter) {
		elf_entry = load_elf_interp(interp_elf_ex,
					    interpreter,
					    load_bias, interp_elf_phdata,
					    &arch_state);
		if (!IS_ERR_VALUE(elf_entry)) {
			/*
			 * load_elf_interp() returns relocation
			 * adjustment
			 */
			interp_load_addr = elf_entry;
			elf_entry += interp_elf_ex->e_entry;
		}
		if (BAD_ADDR(elf_entry)) {
			retval = IS_ERR_VALUE(elf_entry) ?
					(int)elf_entry : -EINVAL;
			goto out_free_dentry;
		}
		reloc_func_desc = interp_load_addr;

		allow_write_access(interpreter);
		fput(interpreter);

		kfree(interp_elf_ex);
		kfree(interp_elf_phdata);
	} else {
		elf_entry = e_entry;
		if (BAD_ADDR(elf_entry)) {
			retval = -EINVAL;
			goto out_free_dentry;
		}
	}

	kfree(elf_phdata);

	set_binfmt(&elf_format);

#ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
	retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter);
	if (retval < 0)
		goto out;
#endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */

	retval = create_elf_tables(bprm, elf_ex, interp_load_addr,
				   e_entry, phdr_addr);
	if (retval < 0)
		goto out;

	mm = current->mm;
	mm->end_code = end_code;
	mm->start_code = start_code;
	mm->start_data = start_data;
	mm->end_data = end_data;
	mm->start_stack = bprm->p;

	if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) {
		/*
		 * For architectures with ELF randomization, when executing
		 * a loader directly (i.e. no interpreter listed in ELF
		 * headers), move the brk area out of the mmap region
		 * (since it grows up, and may collide early with the stack
		 * growing down), and into the unused ELF_ET_DYN_BASE region.
		 */
		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
		    elf_ex->e_type == ET_DYN && !interpreter) {
			mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
		}

		mm->brk = mm->start_brk = arch_randomize_brk(mm);
#ifdef compat_brk_randomized
		current->brk_randomized = 1;
#endif
	}

	if (current->personality & MMAP_PAGE_ZERO) {
		/*
		 * Why this, you ask???  Well SVr4 maps page 0 as read-only,
		 * and some applications "depend" upon this behavior.
		 * Since we do not have the power to recompile these, we
		 * emulate the SVr4 behavior.  Sigh.
		 */
		error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
				MAP_FIXED | MAP_PRIVATE, 0);
	}

	regs = current_pt_regs();
#ifdef ELF_PLAT_INIT
	/*
	 * The ABI may specify that certain registers be set up in special
	 * ways (on i386 %edx is the address of a DT_FINI function, for
	 * example.  In addition, it may also specify (eg, PowerPC64 ELF)
	 * that the e_entry field is the address of the function descriptor
	 * for the startup routine, rather than the address of the startup
	 * routine itself.  This macro performs whatever initialization to
	 * the regs structure is required as well as any relocations to the
	 * function descriptor entries when executing dynamically linked apps.
	 */
	ELF_PLAT_INIT(regs, reloc_func_desc);
#endif

	finalize_exec(bprm);
	START_THREAD(elf_ex, regs, elf_entry, bprm->p);
	retval = 0;
out:
	return retval;

	/* error cleanup */
out_free_dentry:
	kfree(interp_elf_ex);
	kfree(interp_elf_phdata);
out_free_file:
	allow_write_access(interpreter);
	if (interpreter)
		fput(interpreter);
out_free_ph:
	kfree(elf_phdata);
	goto out;
}

#ifdef CONFIG_USELIB
/*
 * This is really simpleminded and specialized - we are loading an
 * a.out library that is given an ELF header.
 */
static int load_elf_library(struct file *file)
{
	struct elf_phdr *elf_phdata;
	struct elf_phdr *eppnt;
	unsigned long elf_bss, bss, len;
	int retval, error, i, j;
	struct elfhdr elf_ex;

	error = -ENOEXEC;
	retval = elf_read(file, &elf_ex, sizeof(elf_ex), 0);
	if (retval < 0)
		goto out;

	if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
		goto out;

	/* First of all, some simple consistency checks */
	if (elf_ex.e_type != ET_EXEC || elf_ex.e_phnum > 2 ||
	    !elf_check_arch(&elf_ex) || !file->f_op->mmap)
		goto out;
	if (elf_check_fdpic(&elf_ex))
		goto out;

	/* Now read in all of the header information */

	j = sizeof(struct elf_phdr) * elf_ex.e_phnum;
	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */

	error = -ENOMEM;
	elf_phdata = kmalloc(j, GFP_KERNEL);
	if (!elf_phdata)
		goto out;

	eppnt = elf_phdata;
	error = -ENOEXEC;
	retval = elf_read(file, eppnt, j, elf_ex.e_phoff);
	if (retval < 0)
		goto out_free_ph;

	for (j = 0, i = 0; i < elf_ex.e_phnum; i++)
		if ((eppnt + i)->p_type == PT_LOAD)
			j++;
	if (j != 1)
		goto out_free_ph;

	while (eppnt->p_type != PT_LOAD)
		eppnt++;

	/* Now use mmap to map the library into memory. */
	error = vm_mmap(file,
			ELF_PAGESTART(eppnt->p_vaddr),
			(eppnt->p_filesz +
			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
			PROT_READ | PROT_WRITE | PROT_EXEC,
			MAP_FIXED_NOREPLACE | MAP_PRIVATE,
			(eppnt->p_offset -
			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
	if (error != ELF_PAGESTART(eppnt->p_vaddr))
		goto out_free_ph;

	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
	if (padzero(elf_bss)) {
		error = -EFAULT;
		goto out_free_ph;
	}

	len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
	bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
	if (bss > len) {
		error = vm_brk(len, bss - len);
		if (error)
			goto out_free_ph;
	}
	error = 0;

out_free_ph:
	kfree(elf_phdata);
out:
	return error;
}
#endif /* #ifdef CONFIG_USELIB */

#ifdef CONFIG_ELF_CORE
/*
 * ELF core dumper
 *
 * Modelled on fs/exec.c:aout_core_dump()
 * Jeremy Fitzhardinge <jeremy@sw.oz.au>
 */

/* An ELF note in memory */
struct memelfnote
{
	const char *name;
	int type;
	unsigned int datasz;
	void *data;
};

static int notesize(struct memelfnote *en)
{
	int sz;

	sz = sizeof(struct elf_note);
	sz += roundup(strlen(en->name) + 1, 4);
	sz += roundup(en->datasz, 4);

	return sz;
}
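
/*
 * For example (illustrative): a note named "CORE" with a 21-byte payload
 * takes sizeof(struct elf_note) == 12 bytes of header, roundup(5, 4) == 8
 * name bytes and roundup(21, 4) == 24 data bytes: 44 bytes in the core file.
 */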

static int writenote(struct memelfnote *men, struct coredump_params *cprm)
{
	struct elf_note en;
	en.n_namesz = strlen(men->name) + 1;
	en.n_descsz = men->datasz;
	en.n_type = men->type;

	return dump_emit(cprm, &en, sizeof(en)) &&
	       dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
	       dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
}

static void fill_elf_header(struct elfhdr *elf, int segs,
			    u16 machine, u32 flags)
{
	memset(elf, 0, sizeof(*elf));

	memcpy(elf->e_ident, ELFMAG, SELFMAG);
	elf->e_ident[EI_CLASS] = ELF_CLASS;
	elf->e_ident[EI_DATA] = ELF_DATA;
	elf->e_ident[EI_VERSION] = EV_CURRENT;
	elf->e_ident[EI_OSABI] = ELF_OSABI;

	elf->e_type = ET_CORE;
	elf->e_machine = machine;
	elf->e_version = EV_CURRENT;
	elf->e_phoff = sizeof(struct elfhdr);
	elf->e_flags = flags;
	elf->e_ehsize = sizeof(struct elfhdr);
	elf->e_phentsize = sizeof(struct elf_phdr);
	elf->e_phnum = segs;
}

static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
{
	phdr->p_type = PT_NOTE;
	phdr->p_offset = offset;
	phdr->p_vaddr = 0;
	phdr->p_paddr = 0;
	phdr->p_filesz = sz;
	phdr->p_memsz = 0;
	phdr->p_flags = 0;
	phdr->p_align = 4;
}

static void fill_note(struct memelfnote *note, const char *name, int type,
		      unsigned int sz, void *data)
{
	note->name = name;
	note->type = type;
	note->datasz = sz;
	note->data = data;
}

/*
 * fill up all the fields in prstatus from the given task struct, except
 * registers which need to be filled up separately.
 */
static void fill_prstatus(struct elf_prstatus_common *prstatus,
			  struct task_struct *p, long signr)
{
	prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
	prstatus->pr_sigpend = p->pending.signal.sig[0];
	prstatus->pr_sighold = p->blocked.sig[0];
	rcu_read_lock();
	prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
	rcu_read_unlock();
	prstatus->pr_pid = task_pid_vnr(p);
	prstatus->pr_pgrp = task_pgrp_vnr(p);
	prstatus->pr_sid = task_session_vnr(p);
	if (thread_group_leader(p)) {
		struct task_cputime cputime;

		/*
		 * This is the record for the group leader.  It shows the
		 * group-wide total, not its individual thread total.
		 */
		thread_group_cputime(p, &cputime);
		prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime);
		prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime);
	} else {
		u64 utime, stime;

		task_cputime(p, &utime, &stime);
		prstatus->pr_utime = ns_to_kernel_old_timeval(utime);
		prstatus->pr_stime = ns_to_kernel_old_timeval(stime);
	}

	prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime);
	prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime);
}

static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
		       struct mm_struct *mm)
{
	const struct cred *cred;
	unsigned int i, len;
	unsigned int state;

	/* first copy the parameters from user space */
	memset(psinfo, 0, sizeof(struct elf_prpsinfo));

	len = mm->arg_end - mm->arg_start;
	if (len >= ELF_PRARGSZ)
		len = ELF_PRARGSZ - 1;
	if (copy_from_user(&psinfo->pr_psargs,
			   (const char __user *)mm->arg_start, len))
		return -EFAULT;
	for (i = 0; i < len; i++)
		if (psinfo->pr_psargs[i] == 0)
			psinfo->pr_psargs[i] = ' ';
	psinfo->pr_psargs[len] = 0;

	rcu_read_lock();
	psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
	rcu_read_unlock();
	psinfo->pr_pid = task_pid_vnr(p);
	psinfo->pr_pgrp = task_pgrp_vnr(p);
	psinfo->pr_sid = task_session_vnr(p);

	state = READ_ONCE(p->__state);
	i = state ? ffz(~state) + 1 : 0;
	psinfo->pr_state = i;
	psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
	psinfo->pr_zomb = psinfo->pr_sname == 'Z';
	psinfo->pr_nice = task_nice(p);
	psinfo->pr_flag = p->flags;
	rcu_read_lock();
	cred = __task_cred(p);
	SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
	SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
	rcu_read_unlock();
	get_task_comm(psinfo->pr_fname, p);

	return 0;
}

static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
	elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
	int i = 0;
	do
		i += 2;
	while (auxv[i - 2] != AT_NULL);
	fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}

static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
			      const kernel_siginfo_t *siginfo)
{
	copy_siginfo_to_external(csigdata, siginfo);
	fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
}

#define MAX_FILE_NOTE_SIZE (4*1024*1024)
/*
 * Format of NT_FILE note:
 *
 * long count     -- how many files are mapped
 * long page_size -- units for file_ofs
 * array of [COUNT] elements of
 *   long start
 *   long end
 *   long file_ofs
 * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
 */
static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm)
{
	unsigned count, size, names_ofs, remaining, n;
	user_long_t *data;
	user_long_t *start_end_ofs;
	char *name_base, *name_curpos;
	int i;

	/* *Estimated* file count and total data size needed */
	count = cprm->vma_count;
	if (count > UINT_MAX / 64)
		return -EINVAL;
	size = count * 64;

	names_ofs = (2 + 3 * count) * sizeof(data[0]);
alloc:
	if (size >= MAX_FILE_NOTE_SIZE) /* paranoia check */
		return -EINVAL;
	size = round_up(size, PAGE_SIZE);
	/*
	 * "size" can be 0 here legitimately.
	 * Let it ENOMEM and omit NT_FILE section which will be empty anyway.
	 */
	data = kvmalloc(size, GFP_KERNEL);
	if (ZERO_OR_NULL_PTR(data))
		return -ENOMEM;

	start_end_ofs = data + 2;
	name_base = name_curpos = ((char *)data) + names_ofs;
	remaining = size - names_ofs;
	count = 0;
	for (i = 0; i < cprm->vma_count; i++) {
		struct core_vma_metadata *m = &cprm->vma_meta[i];
		struct file *file;
		const char *filename;

		file = m->file;
		if (!file)
			continue;
		filename = file_path(file, name_curpos, remaining);
		if (IS_ERR(filename)) {
			if (PTR_ERR(filename) == -ENAMETOOLONG) {
				kvfree(data);
				size = size * 5 / 4;
				goto alloc;
			}
			continue;
		}

		/* file_path() fills at the end, move name down */
		/* n = strlen(filename) + 1: */
		n = (name_curpos + remaining) - filename;
		remaining = filename - name_curpos;
		memmove(name_curpos, filename, n);
		name_curpos += n;

		*start_end_ofs++ = m->start;
		*start_end_ofs++ = m->end;
		*start_end_ofs++ = m->pgoff;
		count++;
	}

	/* Now we know exact count of files, can store it */
	data[0] = count;
	data[1] = PAGE_SIZE;
	/*
	 * Count usually is less than mm->map_count,
	 * we need to move filenames down.
	 */
	n = cprm->vma_count - count;
	if (n != 0) {
		unsigned shift_bytes = n * 3 * sizeof(data[0]);
		memmove(name_base - shift_bytes, name_base,
			name_curpos - name_base);
		name_curpos -= shift_bytes;
	}

	size = name_curpos - (char *)data;
	fill_note(note, "CORE", NT_FILE, size, data);
	return 0;
}

#include <linux/regset.h>

struct elf_thread_core_info {
	struct elf_thread_core_info *next;
	struct task_struct *task;
	struct elf_prstatus prstatus;
	struct memelfnote notes[];
};

struct elf_note_info {
	struct elf_thread_core_info *thread;
	struct memelfnote psinfo;
	struct memelfnote signote;
	struct memelfnote auxv;
	struct memelfnote files;
	user_siginfo_t csigdata;
	size_t size;
	int thread_notes;
};

#ifdef CORE_DUMP_USE_REGSET
/*
 * When a regset has a writeback hook, we call it on each thread before
 * dumping user memory.  On register window machines, this makes sure the
 * user memory backing the register data is up to date before we read it.
 */
static void do_thread_regset_writeback(struct task_struct *task,
				       const struct user_regset *regset)
{
	if (regset->writeback)
		regset->writeback(task, regset, 1);
}

#ifndef PRSTATUS_SIZE
#define PRSTATUS_SIZE sizeof(struct elf_prstatus)
#endif

#ifndef SET_PR_FPVALID
#define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1)
#endif

static int fill_thread_core_info(struct elf_thread_core_info *t,
				 const struct user_regset_view *view,
				 long signr, struct elf_note_info *info)
{
	unsigned int note_iter, view_iter;

	/*
	 * NT_PRSTATUS is the one special case, because the regset data
	 * goes into the pr_reg field inside the note contents, rather
	 * than being the whole note contents.  We fill the regset in here.
	 * We assume that regset 0 is NT_PRSTATUS.
	 */
	fill_prstatus(&t->prstatus.common, t->task, signr);
	regset_get(t->task, &view->regsets[0],
		   sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg);

	fill_note(&t->notes[0], "CORE", NT_PRSTATUS,
		  PRSTATUS_SIZE, &t->prstatus);
	info->size += notesize(&t->notes[0]);

	do_thread_regset_writeback(t->task, &view->regsets[0]);

	/*
	 * Each other regset might generate a note too.  For each regset
	 * that has no core_note_type or is inactive, skip it.
	 */
	note_iter = 1;
	for (view_iter = 1; view_iter < view->n; ++view_iter) {
		const struct user_regset *regset = &view->regsets[view_iter];
		int note_type = regset->core_note_type;
		bool is_fpreg = note_type == NT_PRFPREG;
		void *data;
		int ret;

		do_thread_regset_writeback(t->task, regset);
		if (!note_type) /* not for coredumps */
			continue;
		if (regset->active && regset->active(t->task, regset) <= 0)
			continue;

		ret = regset_get_alloc(t->task, regset, ~0U, &data);
		if (ret < 0)
			continue;

		if (WARN_ON_ONCE(note_iter >= info->thread_notes))
			break;

		if (is_fpreg)
			SET_PR_FPVALID(&t->prstatus);

		fill_note(&t->notes[note_iter], is_fpreg ? "CORE" : "LINUX",
			  note_type, ret, data);

		info->size += notesize(&t->notes[note_iter]);
		note_iter++;
	}

	return 1;
}
1827 #else
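/*
 * Fallback for architectures without a regset view: emit NT_PRSTATUS
 * and, when the thread has FPU state, NT_PRFPREG.
 */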
static int fill_thread_core_info(struct elf_thread_core_info *t,
				 const struct user_regset_view *view,
				 long signr, struct elf_note_info *info)
{
	struct task_struct *p = t->task;
	elf_fpregset_t *fpu;

	fill_prstatus(&t->prstatus.common, p, signr);
	elf_core_copy_task_regs(p, &t->prstatus.pr_reg);

	fill_note(&t->notes[0], "CORE", NT_PRSTATUS, sizeof(t->prstatus),
		  &t->prstatus);
	info->size += notesize(&t->notes[0]);

	fpu = kzalloc(sizeof(elf_fpregset_t), GFP_KERNEL);
	if (!fpu || !elf_core_copy_task_fpregs(p, fpu)) {
		kfree(fpu);
		return 1;
	}

	t->prstatus.pr_fpvalid = 1;
	fill_note(&t->notes[1], "CORE", NT_PRFPREG, sizeof(*fpu), fpu);
	info->size += notesize(&t->notes[1]);

	return 1;
}
#endif

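/*
 * Collect all the note data for the dump and initialize the ELF file
 * header.  Called from elf_core_dump() with every other thread of the
 * process already parked on the core_state dumper list.
 */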
static int fill_note_info(struct elfhdr *elf, int phdrs,
			  struct elf_note_info *info,
			  struct coredump_params *cprm)
{
	struct task_struct *dump_task = current;
	const struct user_regset_view *view;
	struct elf_thread_core_info *t;
	struct elf_prpsinfo *psinfo;
	struct core_thread *ct;

	psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
	if (!psinfo)
		return 0;
	fill_note(&info->psinfo, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);

#ifdef CORE_DUMP_USE_REGSET
	view = task_user_regset_view(dump_task);

	/*
	 * Figure out how many notes we're going to need for each thread.
	 */
	info->thread_notes = 0;
	for (int i = 0; i < view->n; ++i)
		if (view->regsets[i].core_note_type != 0)
			++info->thread_notes;

	/*
	 * Sanity check.  We rely on regset 0 being NT_PRSTATUS,
	 * since it is our one special case.
	 */
	if (unlikely(info->thread_notes == 0) ||
	    unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
		WARN_ON(1);
		return 0;
	}

	/*
	 * Initialize the ELF file header.
	 */
	fill_elf_header(elf, phdrs,
			view->e_machine, view->e_flags);
#else
	view = NULL;
	info->thread_notes = 2;
	fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
#endif

	/*
	 * Allocate a structure for each thread.
	 */
	info->thread = kzalloc(offsetof(struct elf_thread_core_info,
					notes[info->thread_notes]),
			       GFP_KERNEL);
	if (unlikely(!info->thread))
		return 0;

	info->thread->task = dump_task;
	for (ct = dump_task->signal->core_state->dumper.next; ct; ct = ct->next) {
		t = kzalloc(offsetof(struct elf_thread_core_info,
				     notes[info->thread_notes]),
			    GFP_KERNEL);
		if (unlikely(!t))
			return 0;

		t->task = ct->task;
		t->next = info->thread->next;
		info->thread->next = t;
	}

	/*
	 * Now fill in each thread's information.
	 */
	for (t = info->thread; t != NULL; t = t->next)
		if (!fill_thread_core_info(t, view, cprm->siginfo->si_signo, info))
			return 0;

	/*
	 * Fill in the process-wide notes.
	 */
	fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
	info->size += notesize(&info->psinfo);

	fill_siginfo_note(&info->signote, &info->csigdata, cprm->siginfo);
	info->size += notesize(&info->signote);

	fill_auxv_note(&info->auxv, current->mm);
	info->size += notesize(&info->auxv);

	if (fill_files_note(&info->files, cprm) == 0)
		info->size += notesize(&info->files);

	return 1;
}

/*
 * Write all the notes for each thread.  When writing the first thread, the
 * process-wide notes are interleaved after the first thread-specific note.
 */
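/*
 * For example, a two-thread process whose architecture emits only
 * NT_PRFPREG beyond NT_PRSTATUS would come out roughly as:
 *
 *	PRSTATUS(T1), PRPSINFO, SIGINFO, AUXV, FILE, PRFPREG(T1),
 *	PRSTATUS(T2), PRFPREG(T2)
 */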
static int write_note_info(struct elf_note_info *info,
			   struct coredump_params *cprm)
{
	bool first = true;
	struct elf_thread_core_info *t = info->thread;

	do {
		int i;

		if (!writenote(&t->notes[0], cprm))
			return 0;

		if (first && !writenote(&info->psinfo, cprm))
			return 0;
		if (first && !writenote(&info->signote, cprm))
			return 0;
		if (first && !writenote(&info->auxv, cprm))
			return 0;
		if (first && info->files.data &&
		    !writenote(&info->files, cprm))
			return 0;

		for (i = 1; i < info->thread_notes; ++i)
			if (t->notes[i].data &&
			    !writenote(&t->notes[i], cprm))
				return 0;

		first = false;
		t = t->next;
	} while (t);

	return 1;
}

static void free_note_info(struct elf_note_info *info)
{
	struct elf_thread_core_info *threads = info->thread;
	while (threads) {
		unsigned int i;
		struct elf_thread_core_info *t = threads;
		threads = t->next;
		WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
		for (i = 1; i < info->thread_notes; ++i)
			kfree(t->notes[i].data);
		kfree(t);
	}
	kfree(info->psinfo.data);
	kvfree(info->files.data);
}

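/*
 * With more than PN_XNUM (0xffff) program headers, e_phnum cannot hold
 * the real count.  It is set to PN_XNUM instead, and the true count is
 * stashed in the sh_info field of a single placeholder section header,
 * which this helper fills in.
 */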
static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
			     elf_addr_t e_shoff, int segs)
{
	elf->e_shoff = e_shoff;
	elf->e_shentsize = sizeof(*shdr4extnum);
	elf->e_shnum = 1;
	elf->e_shstrndx = SHN_UNDEF;

	memset(shdr4extnum, 0, sizeof(*shdr4extnum));

	shdr4extnum->sh_type = SHT_NULL;
	shdr4extnum->sh_size = elf->e_shnum;
	shdr4extnum->sh_link = elf->e_shstrndx;
	shdr4extnum->sh_info = segs;
}

/*
 * Actual dumper
 *
 * This is a two-pass process; first we find the offsets of the bits,
 * and then they are actually written out.  If we exceed the core file
 * size limit, we just truncate.
 */
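/*
 * The resulting file layout is, roughly: ELF header, program headers
 * (the note segment's first), the note data, the page-aligned contents
 * of each dumped VMA, and finally a single section header when extended
 * numbering is in use.
 */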
static int elf_core_dump(struct coredump_params *cprm)
{
	int has_dumped = 0;
	int segs, i;
	struct elfhdr elf;
	loff_t offset = 0, dataoff;
	struct elf_note_info info = { };
	struct elf_phdr *phdr4note = NULL;
	struct elf_shdr *shdr4extnum = NULL;
	Elf_Half e_phnum;
	elf_addr_t e_shoff;

	/*
	 * The number of segs is recorded in the ELF header as a 16-bit
	 * value.  Please check the DEFAULT_MAX_MAP_COUNT definition if
	 * you modify this.
	 */
	segs = cprm->vma_count + elf_core_extra_phdrs(cprm);

	/* for notes section */
	segs++;

	/*
	 * If segs > PN_XNUM(0xffff), then e_phnum overflows.  To avoid
	 * this, the kernel supports extended numbering.  Have a look at
	 * include/linux/elf.h for further information.
	 */
	e_phnum = segs > PN_XNUM ? PN_XNUM : segs;

	/*
	 * Collect all the non-memory information about the process for the
	 * notes.  This also sets up the file header.
	 */
	if (!fill_note_info(&elf, e_phnum, &info, cprm))
		goto end_coredump;

	has_dumped = 1;

	offset += sizeof(elf);				/* ELF header */
	offset += segs * sizeof(struct elf_phdr);	/* Program headers */

	/* Write notes phdr entry */
	{
		size_t sz = info.size;

		/* For cell spufs */
		sz += elf_coredump_extra_notes_size();

		phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
		if (!phdr4note)
			goto end_coredump;

		fill_elf_note_phdr(phdr4note, sz, offset);
		offset += sz;
	}

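	/*
	 * Everything past the headers and notes starts on a page
	 * boundary; dataoff marks where the PT_LOAD segment contents
	 * will begin.
	 */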
	dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);

	offset += cprm->vma_data_size;
	offset += elf_core_extra_data_size(cprm);
	e_shoff = offset;

	if (e_phnum == PN_XNUM) {
		shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
		if (!shdr4extnum)
			goto end_coredump;
		fill_extnum_info(&elf, shdr4extnum, e_shoff, segs);
	}

	offset = dataoff;

	if (!dump_emit(cprm, &elf, sizeof(elf)))
		goto end_coredump;

	if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
		goto end_coredump;

	/* Write program headers for segments dump */
	for (i = 0; i < cprm->vma_count; i++) {
		struct core_vma_metadata *meta = cprm->vma_meta + i;
		struct elf_phdr phdr;

		phdr.p_type = PT_LOAD;
		phdr.p_offset = offset;
		phdr.p_vaddr = meta->start;
		phdr.p_paddr = 0;
		phdr.p_filesz = meta->dump_size;
		phdr.p_memsz = meta->end - meta->start;
		offset += phdr.p_filesz;
		phdr.p_flags = 0;
		if (meta->flags & VM_READ)
			phdr.p_flags |= PF_R;
		if (meta->flags & VM_WRITE)
			phdr.p_flags |= PF_W;
		if (meta->flags & VM_EXEC)
			phdr.p_flags |= PF_X;
		phdr.p_align = ELF_EXEC_PAGESIZE;

		if (!dump_emit(cprm, &phdr, sizeof(phdr)))
			goto end_coredump;
	}

	if (!elf_core_write_extra_phdrs(cprm, offset))
		goto end_coredump;

	/* write out the notes section */
	if (!write_note_info(&info, cprm))
		goto end_coredump;

	/* For cell spufs */
	if (elf_coredump_extra_notes_write(cprm))
		goto end_coredump;

	/* Align to page */
	dump_skip_to(cprm, dataoff);

	for (i = 0; i < cprm->vma_count; i++) {
		struct core_vma_metadata *meta = cprm->vma_meta + i;

		if (!dump_user_range(cprm, meta->start, meta->dump_size))
			goto end_coredump;
	}

	if (!elf_core_write_extra_data(cprm))
		goto end_coredump;

	if (e_phnum == PN_XNUM) {
		if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
			goto end_coredump;
	}

end_coredump:
	free_note_info(&info);
	kfree(shdr4extnum);
	kfree(phdr4note);
	return has_dumped;
}

#endif	/* CONFIG_ELF_CORE */

static int __init init_elf_binfmt(void)
{
	register_binfmt(&elf_format);
	return 0;
}

static void __exit exit_elf_binfmt(void)
{
	/* Remove the ELF loader. */
	unregister_binfmt(&elf_format);
}

core_initcall(init_elf_binfmt);
module_exit(exit_elf_binfmt);

#ifdef CONFIG_BINFMT_ELF_KUNIT_TEST
#include "binfmt_elf_test.c"
#endif