xref: /openbmc/linux/fs/binfmt_flat.c (revision 22d55f02)
1 // SPDX-License-Identifier: GPL-2.0
2 /****************************************************************************/
3 /*
4  *  linux/fs/binfmt_flat.c
5  *
6  *	Copyright (C) 2000-2003 David McCullough <davidm@snapgear.com>
7  *	Copyright (C) 2002 Greg Ungerer <gerg@snapgear.com>
8  *	Copyright (C) 2002 SnapGear, by Paul Dale <pauli@snapgear.com>
9  *	Copyright (C) 2000, 2001 Lineo, by David McCullough <davidm@lineo.com>
10  *  based heavily on:
11  *
12  *  linux/fs/binfmt_aout.c:
13  *      Copyright (C) 1991, 1992, 1996  Linus Torvalds
14  *  linux/fs/binfmt_flat.c for 2.0 kernel
15  *	    Copyright (C) 1998  Kenneth Albanowski <kjahds@kjahds.com>
16  *	JAN/99 -- coded full program relocation (gerg@snapgear.com)
17  */
18 
19 #define pr_fmt(fmt)	KBUILD_MODNAME ": " fmt
20 
21 #include <linux/kernel.h>
22 #include <linux/sched.h>
23 #include <linux/sched/task_stack.h>
24 #include <linux/mm.h>
25 #include <linux/mman.h>
26 #include <linux/errno.h>
27 #include <linux/signal.h>
28 #include <linux/string.h>
29 #include <linux/fs.h>
30 #include <linux/file.h>
31 #include <linux/ptrace.h>
32 #include <linux/user.h>
33 #include <linux/slab.h>
34 #include <linux/binfmts.h>
35 #include <linux/personality.h>
36 #include <linux/init.h>
37 #include <linux/flat.h>
38 #include <linux/uaccess.h>
39 #include <linux/vmalloc.h>
40 
41 #include <asm/byteorder.h>
42 #include <asm/unaligned.h>
43 #include <asm/cacheflush.h>
44 #include <asm/page.h>
45 
46 /****************************************************************************/
47 
48 /*
49  * User data (data section and bss) needs to be aligned.
50  * We pick 0x20 here because it is the max value elf2flt has always
51  * used in producing FLAT files, and because it seems to be large
52  * enough to make all the gcc alignment related tests happy.
53  */
54 #define FLAT_DATA_ALIGN	(0x20)
55 
56 /*
57  * User data (stack) also needs to be aligned.
58  * Here we can be a bit looser than the data sections since this
59  * needs to only meet arch ABI requirements.
60  */
61 #define FLAT_STACK_ALIGN	max_t(unsigned long, sizeof(void *), ARCH_SLAB_MINALIGN)
62 
63 #define RELOC_FAILED 0xff00ff01		/* Relocation incorrect somewhere */
64 #define UNLOADED_LIB 0x7ff000ff		/* Placeholder for unused library */
65 
66 struct lib_info {
67 	struct {
68 		unsigned long start_code;		/* Start of text segment */
69 		unsigned long start_data;		/* Start of data segment */
70 		unsigned long start_brk;		/* End of data segment */
71 		unsigned long text_len;			/* Length of text segment */
72 		unsigned long entry;			/* Start address for this module */
73 		unsigned long build_date;		/* When this one was compiled */
74 		bool loaded;				/* Has this library been loaded? */
75 	} lib_list[MAX_SHARED_LIBS];
76 };
77 
78 #ifdef CONFIG_BINFMT_SHARED_FLAT
79 static int load_flat_shared_library(int id, struct lib_info *p);
80 #endif
81 
82 static int load_flat_binary(struct linux_binprm *);
83 static int flat_core_dump(struct coredump_params *cprm);
84 
85 static struct linux_binfmt flat_format = {
86 	.module		= THIS_MODULE,
87 	.load_binary	= load_flat_binary,
88 	.core_dump	= flat_core_dump,
89 	.min_coredump	= PAGE_SIZE
90 };
91 
92 /****************************************************************************/
93 /*
94  * Routine writes a core dump image in the current directory.
95  * Currently only a stub-function.
96  */
97 
98 static int flat_core_dump(struct coredump_params *cprm)
99 {
100 	pr_warn("Process %s:%d received signr %d and should have core dumped\n",
101 		current->comm, current->pid, cprm->siginfo->si_signo);
102 	return 1;
103 }
104 
105 /****************************************************************************/
106 /*
107  * create_flat_tables() parses the env- and arg-strings in new user
108  * memory and creates the pointer tables from them, and puts their
109  * addresses on the "stack", recording the new stack pointer value.
110  */
111 
112 static int create_flat_tables(struct linux_binprm *bprm, unsigned long arg_start)
113 {
114 	char __user *p;
115 	unsigned long __user *sp;
116 	long i, len;
117 
118 	p = (char __user *)arg_start;
119 	sp = (unsigned long __user *)current->mm->start_stack;
120 
121 	sp -= bprm->envc + 1;
122 	sp -= bprm->argc + 1;
123 	sp -= flat_argvp_envp_on_stack() ? 2 : 0;
124 	sp -= 1;  /* &argc */
125 
126 	current->mm->start_stack = (unsigned long)sp & -FLAT_STACK_ALIGN;
127 	sp = (unsigned long __user *)current->mm->start_stack;
128 
129 	__put_user(bprm->argc, sp++);
130 	if (flat_argvp_envp_on_stack()) {
131 		unsigned long argv, envp;
132 		argv = (unsigned long)(sp + 2);
133 		envp = (unsigned long)(sp + 2 + bprm->argc + 1);
134 		__put_user(argv, sp++);
135 		__put_user(envp, sp++);
136 	}
137 
138 	current->mm->arg_start = (unsigned long)p;
139 	for (i = bprm->argc; i > 0; i--) {
140 		__put_user((unsigned long)p, sp++);
141 		len = strnlen_user(p, MAX_ARG_STRLEN);
142 		if (!len || len > MAX_ARG_STRLEN)
143 			return -EINVAL;
144 		p += len;
145 	}
146 	__put_user(0, sp++);
147 	current->mm->arg_end = (unsigned long)p;
148 
149 	current->mm->env_start = (unsigned long) p;
150 	for (i = bprm->envc; i > 0; i--) {
151 		__put_user((unsigned long)p, sp++);
152 		len = strnlen_user(p, MAX_ARG_STRLEN);
153 		if (!len || len > MAX_ARG_STRLEN)
154 			return -EINVAL;
155 		p += len;
156 	}
157 	__put_user(0, sp++);
158 	current->mm->env_end = (unsigned long)p;
159 
160 	return 0;
161 }
162 
163 /****************************************************************************/
164 
165 #ifdef CONFIG_BINFMT_ZFLAT
166 
167 #include <linux/zlib.h>
168 
169 #define LBUFSIZE	4000
170 
171 /* gzip flag byte */
172 #define ASCII_FLAG   0x01 /* bit 0 set: file probably ASCII text */
173 #define CONTINUATION 0x02 /* bit 1 set: continuation of multi-part gzip file */
174 #define EXTRA_FIELD  0x04 /* bit 2 set: extra field present */
175 #define ORIG_NAME    0x08 /* bit 3 set: original file name present */
176 #define COMMENT      0x10 /* bit 4 set: file comment present */
177 #define ENCRYPTED    0x20 /* bit 5 set: file is encrypted */
178 #define RESERVED     0xC0 /* bit 6,7:   reserved */
179 
180 static int decompress_exec(struct linux_binprm *bprm, loff_t fpos, char *dst,
181 		long len, int fd)
182 {
183 	unsigned char *buf;
184 	z_stream strm;
185 	int ret, retval;
186 
187 	pr_debug("decompress_exec(offset=%llx,buf=%p,len=%lx)\n", fpos, dst, len);
188 
189 	memset(&strm, 0, sizeof(strm));
190 	strm.workspace = kmalloc(zlib_inflate_workspacesize(), GFP_KERNEL);
191 	if (!strm.workspace)
192 		return -ENOMEM;
193 
194 	buf = kmalloc(LBUFSIZE, GFP_KERNEL);
195 	if (!buf) {
196 		retval = -ENOMEM;
197 		goto out_free;
198 	}
199 
200 	/* Read in first chunk of data and parse gzip header. */
201 	ret = kernel_read(bprm->file, buf, LBUFSIZE, &fpos);
202 
203 	strm.next_in = buf;
204 	strm.avail_in = ret;
205 	strm.total_in = 0;
206 
207 	retval = -ENOEXEC;
208 
209 	/* Check minimum size -- gzip header */
210 	if (ret < 10) {
211 		pr_debug("file too small?\n");
212 		goto out_free_buf;
213 	}
214 
215 	/* Check gzip magic number */
216 	if ((buf[0] != 037) || ((buf[1] != 0213) && (buf[1] != 0236))) {
217 		pr_debug("unknown compression magic?\n");
218 		goto out_free_buf;
219 	}
220 
221 	/* Check gzip method */
222 	if (buf[2] != 8) {
223 		pr_debug("unknown compression method?\n");
224 		goto out_free_buf;
225 	}
226 	/* Check gzip flags */
227 	if ((buf[3] & ENCRYPTED) || (buf[3] & CONTINUATION) ||
228 	    (buf[3] & RESERVED)) {
229 		pr_debug("unknown flags?\n");
230 		goto out_free_buf;
231 	}
232 
233 	ret = 10;
234 	if (buf[3] & EXTRA_FIELD) {
235 		ret += 2 + buf[10] + (buf[11] << 8);
236 		if (unlikely(ret >= LBUFSIZE)) {
237 			pr_debug("buffer overflow (EXTRA)?\n");
238 			goto out_free_buf;
239 		}
240 	}
241 	if (buf[3] & ORIG_NAME) {
242 		while (ret < LBUFSIZE && buf[ret++] != 0)
243 			;
244 		if (unlikely(ret == LBUFSIZE)) {
245 			pr_debug("buffer overflow (ORIG_NAME)?\n");
246 			goto out_free_buf;
247 		}
248 	}
249 	if (buf[3] & COMMENT) {
250 		while (ret < LBUFSIZE && buf[ret++] != 0)
251 			;
252 		if (unlikely(ret == LBUFSIZE)) {
253 			pr_debug("buffer overflow (COMMENT)?\n");
254 			goto out_free_buf;
255 		}
256 	}
257 
258 	strm.next_in += ret;
259 	strm.avail_in -= ret;
260 
261 	strm.next_out = dst;
262 	strm.avail_out = len;
263 	strm.total_out = 0;
264 
265 	if (zlib_inflateInit2(&strm, -MAX_WBITS) != Z_OK) {
266 		pr_debug("zlib init failed?\n");
267 		goto out_free_buf;
268 	}
269 
270 	while ((ret = zlib_inflate(&strm, Z_NO_FLUSH)) == Z_OK) {
271 		ret = kernel_read(bprm->file, buf, LBUFSIZE, &fpos);
272 		if (ret <= 0)
273 			break;
274 		len -= ret;
275 
276 		strm.next_in = buf;
277 		strm.avail_in = ret;
278 		strm.total_in = 0;
279 	}
280 
281 	if (ret < 0) {
282 		pr_debug("decompression failed (%d), %s\n",
283 			ret, strm.msg);
284 		goto out_zlib;
285 	}
286 
287 	retval = 0;
288 out_zlib:
289 	zlib_inflateEnd(&strm);
290 out_free_buf:
291 	kfree(buf);
292 out_free:
293 	kfree(strm.workspace);
294 	return retval;
295 }
296 
297 #endif /* CONFIG_BINFMT_ZFLAT */
298 
299 /****************************************************************************/
300 
301 static unsigned long
302 calc_reloc(unsigned long r, struct lib_info *p, int curid, int internalp)
303 {
304 	unsigned long addr;
305 	int id;
306 	unsigned long start_brk;
307 	unsigned long start_data;
308 	unsigned long text_len;
309 	unsigned long start_code;
310 
311 #ifdef CONFIG_BINFMT_SHARED_FLAT
312 	if (r == 0)
313 		id = curid;	/* Relocs of 0 are always self referring */
314 	else {
315 		id = (r >> 24) & 0xff;	/* Find ID for this reloc */
316 		r &= 0x00ffffff;	/* Trim ID off here */
317 	}
318 	if (id >= MAX_SHARED_LIBS) {
319 		pr_err("reference 0x%lx to shared library %d", r, id);
320 		goto failed;
321 	}
322 	if (curid != id) {
323 		if (internalp) {
324 			pr_err("reloc address 0x%lx not in same module "
325 			       "(%d != %d)", r, curid, id);
326 			goto failed;
327 		} else if (!p->lib_list[id].loaded &&
328 			   load_flat_shared_library(id, p) < 0) {
329 			pr_err("failed to load library %d", id);
330 			goto failed;
331 		}
332 		/* Check versioning information (i.e. time stamps) */
333 		if (p->lib_list[id].build_date && p->lib_list[curid].build_date &&
334 				p->lib_list[curid].build_date < p->lib_list[id].build_date) {
335 			pr_err("library %d is younger than %d", id, curid);
336 			goto failed;
337 		}
338 	}
339 #else
340 	id = 0;
341 #endif
342 
343 	start_brk = p->lib_list[id].start_brk;
344 	start_data = p->lib_list[id].start_data;
345 	start_code = p->lib_list[id].start_code;
346 	text_len = p->lib_list[id].text_len;
347 
348 	if (!flat_reloc_valid(r, start_brk - start_data + text_len)) {
349 		pr_err("reloc outside program 0x%lx (0 - 0x%lx/0x%lx)",
350 		       r, start_brk-start_data+text_len, text_len);
351 		goto failed;
352 	}
353 
354 	if (r < text_len)			/* In text segment */
355 		addr = r + start_code;
356 	else					/* In data segment */
357 		addr = r - text_len + start_data;
358 
359 	/* Range checked already above so doing the range tests is redundant...*/
360 	return addr;
361 
362 failed:
363 	pr_cont(", killing %s!\n", current->comm);
364 	send_sig(SIGSEGV, current, 0);
365 
366 	return RELOC_FAILED;
367 }
368 
369 /****************************************************************************/
370 
371 static void old_reloc(unsigned long rl)
372 {
373 	static const char *segment[] = { "TEXT", "DATA", "BSS", "*UNKNOWN*" };
374 	flat_v2_reloc_t	r;
375 	unsigned long __user *ptr;
376 	unsigned long val;
377 
378 	r.value = rl;
379 #if defined(CONFIG_COLDFIRE)
380 	ptr = (unsigned long __user *)(current->mm->start_code + r.reloc.offset);
381 #else
382 	ptr = (unsigned long __user *)(current->mm->start_data + r.reloc.offset);
383 #endif
384 	get_user(val, ptr);
385 
386 	pr_debug("Relocation of variable at DATASEG+%x "
387 		 "(address %p, currently %lx) into segment %s\n",
388 		 r.reloc.offset, ptr, val, segment[r.reloc.type]);
389 
390 	switch (r.reloc.type) {
391 	case OLD_FLAT_RELOC_TYPE_TEXT:
392 		val += current->mm->start_code;
393 		break;
394 	case OLD_FLAT_RELOC_TYPE_DATA:
395 		val += current->mm->start_data;
396 		break;
397 	case OLD_FLAT_RELOC_TYPE_BSS:
398 		val += current->mm->end_data;
399 		break;
400 	default:
401 		pr_err("Unknown relocation type=%x\n", r.reloc.type);
402 		break;
403 	}
404 	put_user(val, ptr);
405 
406 	pr_debug("Relocation became %lx\n", val);
407 }
408 
409 /****************************************************************************/
410 
411 static int load_flat_file(struct linux_binprm *bprm,
412 		struct lib_info *libinfo, int id, unsigned long *extra_stack)
413 {
414 	struct flat_hdr *hdr;
415 	unsigned long textpos, datapos, realdatastart;
416 	u32 text_len, data_len, bss_len, stack_len, full_data, flags;
417 	unsigned long len, memp, memp_size, extra, rlim;
418 	u32 __user *reloc, *rp;
419 	struct inode *inode;
420 	int i, rev, relocs;
421 	loff_t fpos;
422 	unsigned long start_code, end_code;
423 	ssize_t result;
424 	int ret;
425 
426 	hdr = ((struct flat_hdr *) bprm->buf);		/* exec-header */
427 	inode = file_inode(bprm->file);
428 
429 	text_len  = ntohl(hdr->data_start);
430 	data_len  = ntohl(hdr->data_end) - ntohl(hdr->data_start);
431 	bss_len   = ntohl(hdr->bss_end) - ntohl(hdr->data_end);
432 	stack_len = ntohl(hdr->stack_size);
433 	if (extra_stack) {
434 		stack_len += *extra_stack;
435 		*extra_stack = stack_len;
436 	}
437 	relocs    = ntohl(hdr->reloc_count);
438 	flags     = ntohl(hdr->flags);
439 	rev       = ntohl(hdr->rev);
440 	full_data = data_len + relocs * sizeof(unsigned long);
441 
442 	if (strncmp(hdr->magic, "bFLT", 4)) {
443 		/*
444 		 * Previously, here was a printk to tell people
445 		 *   "BINFMT_FLAT: bad header magic".
446 		 * But for the kernel which also use ELF FD-PIC format, this
447 		 * error message is confusing.
448 		 * because a lot of people do not manage to produce good
449 		 */
450 		ret = -ENOEXEC;
451 		goto err;
452 	}
453 
454 	if (flags & FLAT_FLAG_KTRACE)
455 		pr_info("Loading file: %s\n", bprm->filename);
456 
457 	if (rev != FLAT_VERSION && rev != OLD_FLAT_VERSION) {
458 		pr_err("bad flat file version 0x%x (supported 0x%lx and 0x%lx)\n",
459 		       rev, FLAT_VERSION, OLD_FLAT_VERSION);
460 		ret = -ENOEXEC;
461 		goto err;
462 	}
463 
464 	/* Don't allow old format executables to use shared libraries */
465 	if (rev == OLD_FLAT_VERSION && id != 0) {
466 		pr_err("shared libraries are not available before rev 0x%lx\n",
467 		       FLAT_VERSION);
468 		ret = -ENOEXEC;
469 		goto err;
470 	}
471 
472 	/*
473 	 * Make sure the header params are sane.
474 	 * 28 bits (256 MB) is way more than reasonable in this case.
475 	 * If some top bits are set we have probable binary corruption.
476 	*/
477 	if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) {
478 		pr_err("bad header\n");
479 		ret = -ENOEXEC;
480 		goto err;
481 	}
482 
483 	/*
484 	 * fix up the flags for the older format,  there were all kinds
485 	 * of endian hacks,  this only works for the simple cases
486 	 */
487 	if (rev == OLD_FLAT_VERSION && flat_old_ram_flag(flags))
488 		flags = FLAT_FLAG_RAM;
489 
490 #ifndef CONFIG_BINFMT_ZFLAT
491 	if (flags & (FLAT_FLAG_GZIP|FLAT_FLAG_GZDATA)) {
492 		pr_err("Support for ZFLAT executables is not enabled.\n");
493 		ret = -ENOEXEC;
494 		goto err;
495 	}
496 #endif
497 
498 	/*
499 	 * Check initial limits. This avoids letting people circumvent
500 	 * size limits imposed on them by creating programs with large
501 	 * arrays in the data or bss.
502 	 */
503 	rlim = rlimit(RLIMIT_DATA);
504 	if (rlim >= RLIM_INFINITY)
505 		rlim = ~0;
506 	if (data_len + bss_len > rlim) {
507 		ret = -ENOMEM;
508 		goto err;
509 	}
510 
511 	/* Flush all traces of the currently running executable */
512 	if (id == 0) {
513 		ret = flush_old_exec(bprm);
514 		if (ret)
515 			goto err;
516 
517 		/* OK, This is the point of no return */
518 		set_personality(PER_LINUX_32BIT);
519 		setup_new_exec(bprm);
520 	}
521 
522 	/*
523 	 * calculate the extra space we need to map in
524 	 */
525 	extra = max_t(unsigned long, bss_len + stack_len,
526 			relocs * sizeof(unsigned long));
527 
528 	/*
529 	 * there are a couple of cases here,  the separate code/data
530 	 * case,  and then the fully copied to RAM case which lumps
531 	 * it all together.
532 	 */
533 	if (!IS_ENABLED(CONFIG_MMU) && !(flags & (FLAT_FLAG_RAM|FLAT_FLAG_GZIP))) {
534 		/*
535 		 * this should give us a ROM ptr,  but if it doesn't we don't
536 		 * really care
537 		 */
538 		pr_debug("ROM mapping of file (we hope)\n");
539 
540 		textpos = vm_mmap(bprm->file, 0, text_len, PROT_READ|PROT_EXEC,
541 				  MAP_PRIVATE|MAP_EXECUTABLE, 0);
542 		if (!textpos || IS_ERR_VALUE(textpos)) {
543 			ret = textpos;
544 			if (!textpos)
545 				ret = -ENOMEM;
546 			pr_err("Unable to mmap process text, errno %d\n", ret);
547 			goto err;
548 		}
549 
550 		len = data_len + extra + MAX_SHARED_LIBS * sizeof(unsigned long);
551 		len = PAGE_ALIGN(len);
552 		realdatastart = vm_mmap(NULL, 0, len,
553 			PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 0);
554 
555 		if (realdatastart == 0 || IS_ERR_VALUE(realdatastart)) {
556 			ret = realdatastart;
557 			if (!realdatastart)
558 				ret = -ENOMEM;
559 			pr_err("Unable to allocate RAM for process data, "
560 			       "errno %d\n", ret);
561 			vm_munmap(textpos, text_len);
562 			goto err;
563 		}
564 		datapos = ALIGN(realdatastart +
565 				MAX_SHARED_LIBS * sizeof(unsigned long),
566 				FLAT_DATA_ALIGN);
567 
568 		pr_debug("Allocated data+bss+stack (%u bytes): %lx\n",
569 			 data_len + bss_len + stack_len, datapos);
570 
571 		fpos = ntohl(hdr->data_start);
572 #ifdef CONFIG_BINFMT_ZFLAT
573 		if (flags & FLAT_FLAG_GZDATA) {
574 			result = decompress_exec(bprm, fpos, (char *)datapos,
575 						 full_data, 0);
576 		} else
577 #endif
578 		{
579 			result = read_code(bprm->file, datapos, fpos,
580 					full_data);
581 		}
582 		if (IS_ERR_VALUE(result)) {
583 			ret = result;
584 			pr_err("Unable to read data+bss, errno %d\n", ret);
585 			vm_munmap(textpos, text_len);
586 			vm_munmap(realdatastart, len);
587 			goto err;
588 		}
589 
590 		reloc = (u32 __user *)
591 			(datapos + (ntohl(hdr->reloc_start) - text_len));
592 		memp = realdatastart;
593 		memp_size = len;
594 	} else {
595 
596 		len = text_len + data_len + extra + MAX_SHARED_LIBS * sizeof(u32);
597 		len = PAGE_ALIGN(len);
598 		textpos = vm_mmap(NULL, 0, len,
599 			PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE, 0);
600 
601 		if (!textpos || IS_ERR_VALUE(textpos)) {
602 			ret = textpos;
603 			if (!textpos)
604 				ret = -ENOMEM;
605 			pr_err("Unable to allocate RAM for process text/data, "
606 			       "errno %d\n", ret);
607 			goto err;
608 		}
609 
610 		realdatastart = textpos + ntohl(hdr->data_start);
611 		datapos = ALIGN(realdatastart +
612 				MAX_SHARED_LIBS * sizeof(u32),
613 				FLAT_DATA_ALIGN);
614 
615 		reloc = (u32 __user *)
616 			(datapos + (ntohl(hdr->reloc_start) - text_len));
617 		memp = textpos;
618 		memp_size = len;
619 #ifdef CONFIG_BINFMT_ZFLAT
620 		/*
621 		 * load it all in and treat it like a RAM load from now on
622 		 */
623 		if (flags & FLAT_FLAG_GZIP) {
624 #ifndef CONFIG_MMU
625 			result = decompress_exec(bprm, sizeof(struct flat_hdr),
626 					 (((char *)textpos) + sizeof(struct flat_hdr)),
627 					 (text_len + full_data
628 						  - sizeof(struct flat_hdr)),
629 					 0);
630 			memmove((void *) datapos, (void *) realdatastart,
631 					full_data);
632 #else
633 			/*
634 			 * This is used on MMU systems mainly for testing.
635 			 * Let's use a kernel buffer to simplify things.
636 			 */
637 			long unz_text_len = text_len - sizeof(struct flat_hdr);
638 			long unz_len = unz_text_len + full_data;
639 			char *unz_data = vmalloc(unz_len);
640 			if (!unz_data) {
641 				result = -ENOMEM;
642 			} else {
643 				result = decompress_exec(bprm, sizeof(struct flat_hdr),
644 							 unz_data, unz_len, 0);
645 				if (result == 0 &&
646 				    (copy_to_user((void __user *)textpos + sizeof(struct flat_hdr),
647 						  unz_data, unz_text_len) ||
648 				     copy_to_user((void __user *)datapos,
649 						  unz_data + unz_text_len, full_data)))
650 					result = -EFAULT;
651 				vfree(unz_data);
652 			}
653 #endif
654 		} else if (flags & FLAT_FLAG_GZDATA) {
655 			result = read_code(bprm->file, textpos, 0, text_len);
656 			if (!IS_ERR_VALUE(result)) {
657 #ifndef CONFIG_MMU
658 				result = decompress_exec(bprm, text_len, (char *) datapos,
659 						 full_data, 0);
660 #else
661 				char *unz_data = vmalloc(full_data);
662 				if (!unz_data) {
663 					result = -ENOMEM;
664 				} else {
665 					result = decompress_exec(bprm, text_len,
666 						       unz_data, full_data, 0);
667 					if (result == 0 &&
668 					    copy_to_user((void __user *)datapos,
669 							 unz_data, full_data))
670 						result = -EFAULT;
671 					vfree(unz_data);
672 				}
673 #endif
674 			}
675 		} else
676 #endif /* CONFIG_BINFMT_ZFLAT */
677 		{
678 			result = read_code(bprm->file, textpos, 0, text_len);
679 			if (!IS_ERR_VALUE(result))
680 				result = read_code(bprm->file, datapos,
681 						   ntohl(hdr->data_start),
682 						   full_data);
683 		}
684 		if (IS_ERR_VALUE(result)) {
685 			ret = result;
686 			pr_err("Unable to read code+data+bss, errno %d\n", ret);
687 			vm_munmap(textpos, text_len + data_len + extra +
688 				MAX_SHARED_LIBS * sizeof(u32));
689 			goto err;
690 		}
691 	}
692 
693 	start_code = textpos + sizeof(struct flat_hdr);
694 	end_code = textpos + text_len;
695 	text_len -= sizeof(struct flat_hdr); /* the real code len */
696 
697 	/* The main program needs a little extra setup in the task structure */
698 	if (id == 0) {
699 		current->mm->start_code = start_code;
700 		current->mm->end_code = end_code;
701 		current->mm->start_data = datapos;
702 		current->mm->end_data = datapos + data_len;
703 		/*
704 		 * set up the brk stuff, uses any slack left in data/bss/stack
705 		 * allocation.  We put the brk after the bss (between the bss
706 		 * and stack) like other platforms.
707 		 * Userspace code relies on the stack pointer starting out at
708 		 * an address right at the end of a page.
709 		 */
710 		current->mm->start_brk = datapos + data_len + bss_len;
711 		current->mm->brk = (current->mm->start_brk + 3) & ~3;
712 #ifndef CONFIG_MMU
713 		current->mm->context.end_brk = memp + memp_size - stack_len;
714 #endif
715 	}
716 
717 	if (flags & FLAT_FLAG_KTRACE) {
718 		pr_info("Mapping is %lx, Entry point is %x, data_start is %x\n",
719 			textpos, 0x00ffffff&ntohl(hdr->entry), ntohl(hdr->data_start));
720 		pr_info("%s %s: TEXT=%lx-%lx DATA=%lx-%lx BSS=%lx-%lx\n",
721 			id ? "Lib" : "Load", bprm->filename,
722 			start_code, end_code, datapos, datapos + data_len,
723 			datapos + data_len, (datapos + data_len + bss_len + 3) & ~3);
724 	}
725 
726 	/* Store the current module values into the global library structure */
727 	libinfo->lib_list[id].start_code = start_code;
728 	libinfo->lib_list[id].start_data = datapos;
729 	libinfo->lib_list[id].start_brk = datapos + data_len + bss_len;
730 	libinfo->lib_list[id].text_len = text_len;
731 	libinfo->lib_list[id].loaded = 1;
732 	libinfo->lib_list[id].entry = (0x00ffffff & ntohl(hdr->entry)) + textpos;
733 	libinfo->lib_list[id].build_date = ntohl(hdr->build_date);
734 
735 	/*
736 	 * We just load the allocations into some temporary memory to
737 	 * help simplify all this mumbo jumbo
738 	 *
739 	 * We've got two different sections of relocation entries.
740 	 * The first is the GOT which resides at the beginning of the data segment
741 	 * and is terminated with a -1.  This one can be relocated in place.
742 	 * The second is the extra relocation entries tacked after the image's
743 	 * data segment. These require a little more processing as the entry is
744 	 * really an offset into the image which contains an offset into the
745 	 * image.
746 	 */
747 	if (flags & FLAT_FLAG_GOTPIC) {
748 		for (rp = (u32 __user *)datapos; ; rp++) {
749 			u32 addr, rp_val;
750 			if (get_user(rp_val, rp))
751 				return -EFAULT;
752 			if (rp_val == 0xffffffff)
753 				break;
754 			if (rp_val) {
755 				addr = calc_reloc(rp_val, libinfo, id, 0);
756 				if (addr == RELOC_FAILED) {
757 					ret = -ENOEXEC;
758 					goto err;
759 				}
760 				if (put_user(addr, rp))
761 					return -EFAULT;
762 			}
763 		}
764 	}
765 
766 	/*
767 	 * Now run through the relocation entries.
768 	 * We've got to be careful here as C++ produces relocatable zero
769 	 * entries in the constructor and destructor tables which are then
770 	 * tested for being not zero (which will always occur unless we're
771 	 * based from address zero).  This causes an endless loop as __start
772 	 * is at zero.  The solution used is to not relocate zero addresses.
773 	 * This has the negative side effect of not allowing a global data
774 	 * reference to be statically initialised to _stext (I've moved
775 	 * __start to address 4 so that is okay).
776 	 */
777 	if (rev > OLD_FLAT_VERSION) {
778 		u32 __maybe_unused persistent = 0;
779 		for (i = 0; i < relocs; i++) {
780 			u32 addr, relval;
781 
782 			/*
783 			 * Get the address of the pointer to be
784 			 * relocated (of course, the address has to be
785 			 * relocated first).
786 			 */
787 			if (get_user(relval, reloc + i))
788 				return -EFAULT;
789 			relval = ntohl(relval);
790 			if (flat_set_persistent(relval, &persistent))
791 				continue;
792 			addr = flat_get_relocate_addr(relval);
793 			rp = (u32 __user *)calc_reloc(addr, libinfo, id, 1);
794 			if (rp == (u32 __user *)RELOC_FAILED) {
795 				ret = -ENOEXEC;
796 				goto err;
797 			}
798 
799 			/* Get the pointer's value.  */
800 			ret = flat_get_addr_from_rp(rp, relval, flags,
801 							&addr, &persistent);
802 			if (unlikely(ret))
803 				goto err;
804 
805 			if (addr != 0) {
806 				/*
807 				 * Do the relocation.  PIC relocs in the data section are
808 				 * already in target order
809 				 */
810 				if ((flags & FLAT_FLAG_GOTPIC) == 0)
811 					addr = ntohl(addr);
812 				addr = calc_reloc(addr, libinfo, id, 0);
813 				if (addr == RELOC_FAILED) {
814 					ret = -ENOEXEC;
815 					goto err;
816 				}
817 
818 				/* Write back the relocated pointer.  */
819 				ret = flat_put_addr_at_rp(rp, addr, relval);
820 				if (unlikely(ret))
821 					goto err;
822 			}
823 		}
824 	} else {
825 		for (i = 0; i < relocs; i++) {
826 			u32 relval;
827 			if (get_user(relval, reloc + i))
828 				return -EFAULT;
829 			relval = ntohl(relval);
830 			old_reloc(relval);
831 		}
832 	}
833 
834 	flush_icache_range(start_code, end_code);
835 
836 	/* zero the BSS,  BRK and stack areas */
837 	if (clear_user((void __user *)(datapos + data_len), bss_len +
838 		       (memp + memp_size - stack_len -		/* end brk */
839 		       libinfo->lib_list[id].start_brk) +	/* start brk */
840 		       stack_len))
841 		return -EFAULT;
842 
843 	return 0;
844 err:
845 	return ret;
846 }
847 
848 
849 /****************************************************************************/
850 #ifdef CONFIG_BINFMT_SHARED_FLAT
851 
852 /*
853  * Load a shared library into memory.  The library gets its own data
854  * segment (including bss) but not argv/argc/environ.
855  */
856 
857 static int load_flat_shared_library(int id, struct lib_info *libs)
858 {
859 	/*
860 	 * This is a fake bprm struct; only the members "buf", "file" and
861 	 * "filename" are actually used.
862 	 */
863 	struct linux_binprm bprm;
864 	int res;
865 	char buf[16];
866 	loff_t pos = 0;
867 
868 	memset(&bprm, 0, sizeof(bprm));
869 
870 	/* Create the file name */
871 	sprintf(buf, "/lib/lib%d.so", id);
872 
873 	/* Open the file up */
874 	bprm.filename = buf;
875 	bprm.file = open_exec(bprm.filename);
876 	res = PTR_ERR(bprm.file);
877 	if (IS_ERR(bprm.file))
878 		return res;
879 
880 	res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);
881 
882 	if (res >= 0)
883 		res = load_flat_file(&bprm, libs, id, NULL);
884 
885 	allow_write_access(bprm.file);
886 	fput(bprm.file);
887 
888 	return res;
889 }
890 
891 #endif /* CONFIG_BINFMT_SHARED_FLAT */
892 /****************************************************************************/
893 
894 /*
895  * These are the functions used to load flat style executables and shared
896  * libraries.  There is no binary dependent code anywhere else.
897  */
898 
899 static int load_flat_binary(struct linux_binprm *bprm)
900 {
901 	struct lib_info libinfo;
902 	struct pt_regs *regs = current_pt_regs();
903 	unsigned long stack_len = 0;
904 	unsigned long start_addr;
905 	int res;
906 	int i, j;
907 
908 	memset(&libinfo, 0, sizeof(libinfo));
909 
910 	/*
911 	 * We have to add the size of our arguments to our stack size
912 	 * otherwise it's too easy for users to create stack overflows
913 	 * by passing in a huge argument list.  And yes,  we have to be
914 	 * pedantic and include space for the argv/envp array as it may have
915 	 * a lot of entries.
916 	 */
917 #ifndef CONFIG_MMU
918 	stack_len += PAGE_SIZE * MAX_ARG_PAGES - bprm->p; /* the strings */
919 #endif
920 	stack_len += (bprm->argc + 1) * sizeof(char *);   /* the argv array */
921 	stack_len += (bprm->envc + 1) * sizeof(char *);   /* the envp array */
922 	stack_len = ALIGN(stack_len, FLAT_STACK_ALIGN);
923 
924 	res = load_flat_file(bprm, &libinfo, 0, &stack_len);
925 	if (res < 0)
926 		return res;
927 
928 	/* Update data segment pointers for all libraries */
929 	for (i = 0; i < MAX_SHARED_LIBS; i++) {
930 		if (!libinfo.lib_list[i].loaded)
931 			continue;
932 		for (j = 0; j < MAX_SHARED_LIBS; j++) {
933 			unsigned long val = libinfo.lib_list[j].loaded ?
934 				libinfo.lib_list[j].start_data : UNLOADED_LIB;
935 			unsigned long __user *p = (unsigned long __user *)
936 				libinfo.lib_list[i].start_data;
937 			p -= j + 1;
938 			if (put_user(val, p))
939 				return -EFAULT;
940 		}
941 	}
942 
943 	install_exec_creds(bprm);
944 
945 	set_binfmt(&flat_format);
946 
947 #ifdef CONFIG_MMU
948 	res = setup_arg_pages(bprm, STACK_TOP, EXSTACK_DEFAULT);
949 	if (!res)
950 		res = create_flat_tables(bprm, bprm->p);
951 #else
952 	/* Stash our initial stack pointer into the mm structure */
953 	current->mm->start_stack =
954 		((current->mm->context.end_brk + stack_len + 3) & ~3) - 4;
955 	pr_debug("sp=%lx\n", current->mm->start_stack);
956 
957 	/* copy the arg pages onto the stack */
958 	res = transfer_args_to_stack(bprm, &current->mm->start_stack);
959 	if (!res)
960 		res = create_flat_tables(bprm, current->mm->start_stack);
961 #endif
962 	if (res)
963 		return res;
964 
965 	/* Fake some return addresses to ensure the call chain will
966 	 * initialise library in order for us.  We are required to call
967 	 * lib 1 first, then 2, ... and finally the main program (id 0).
968 	 */
969 	start_addr = libinfo.lib_list[0].entry;
970 
971 #ifdef CONFIG_BINFMT_SHARED_FLAT
972 	for (i = MAX_SHARED_LIBS-1; i > 0; i--) {
973 		if (libinfo.lib_list[i].loaded) {
974 			/* Push previos first to call address */
975 			unsigned long __user *sp;
976 			current->mm->start_stack -= sizeof(unsigned long);
977 			sp = (unsigned long __user *)current->mm->start_stack;
978 			__put_user(start_addr, sp);
979 			start_addr = libinfo.lib_list[i].entry;
980 		}
981 	}
982 #endif
983 
984 #ifdef FLAT_PLAT_INIT
985 	FLAT_PLAT_INIT(regs);
986 #endif
987 
988 	finalize_exec(bprm);
989 	pr_debug("start_thread(regs=0x%p, entry=0x%lx, start_stack=0x%lx)\n",
990 		 regs, start_addr, current->mm->start_stack);
991 	start_thread(regs, start_addr, current->mm->start_stack);
992 
993 	return 0;
994 }
995 
996 /****************************************************************************/
997 
998 static int __init init_flat_binfmt(void)
999 {
1000 	register_binfmt(&flat_format);
1001 	return 0;
1002 }
1003 core_initcall(init_flat_binfmt);
1004 
1005 /****************************************************************************/
1006