1 // SPDX-License-Identifier: GPL-2.0 2 /****************************************************************************/ 3 /* 4 * linux/fs/binfmt_flat.c 5 * 6 * Copyright (C) 2000-2003 David McCullough <davidm@snapgear.com> 7 * Copyright (C) 2002 Greg Ungerer <gerg@snapgear.com> 8 * Copyright (C) 2002 SnapGear, by Paul Dale <pauli@snapgear.com> 9 * Copyright (C) 2000, 2001 Lineo, by David McCullough <davidm@lineo.com> 10 * based heavily on: 11 * 12 * linux/fs/binfmt_aout.c: 13 * Copyright (C) 1991, 1992, 1996 Linus Torvalds 14 * linux/fs/binfmt_flat.c for 2.0 kernel 15 * Copyright (C) 1998 Kenneth Albanowski <kjahds@kjahds.com> 16 * JAN/99 -- coded full program relocation (gerg@snapgear.com) 17 */ 18 19 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 20 21 #include <linux/kernel.h> 22 #include <linux/sched.h> 23 #include <linux/sched/task_stack.h> 24 #include <linux/mm.h> 25 #include <linux/mman.h> 26 #include <linux/errno.h> 27 #include <linux/signal.h> 28 #include <linux/string.h> 29 #include <linux/fs.h> 30 #include <linux/file.h> 31 #include <linux/ptrace.h> 32 #include <linux/user.h> 33 #include <linux/slab.h> 34 #include <linux/binfmts.h> 35 #include <linux/personality.h> 36 #include <linux/init.h> 37 #include <linux/flat.h> 38 #include <linux/uaccess.h> 39 #include <linux/vmalloc.h> 40 41 #include <asm/byteorder.h> 42 #include <asm/unaligned.h> 43 #include <asm/cacheflush.h> 44 #include <asm/page.h> 45 46 /****************************************************************************/ 47 48 /* 49 * User data (data section and bss) needs to be aligned. 50 * We pick 0x20 here because it is the max value elf2flt has always 51 * used in producing FLAT files, and because it seems to be large 52 * enough to make all the gcc alignment related tests happy. 53 */ 54 #define FLAT_DATA_ALIGN (0x20) 55 56 /* 57 * User data (stack) also needs to be aligned. 58 * Here we can be a bit looser than the data sections since this 59 * needs to only meet arch ABI requirements. 60 */ 61 #define FLAT_STACK_ALIGN max_t(unsigned long, sizeof(void *), ARCH_SLAB_MINALIGN) 62 63 #define RELOC_FAILED 0xff00ff01 /* Relocation incorrect somewhere */ 64 #define UNLOADED_LIB 0x7ff000ff /* Placeholder for unused library */ 65 66 struct lib_info { 67 struct { 68 unsigned long start_code; /* Start of text segment */ 69 unsigned long start_data; /* Start of data segment */ 70 unsigned long start_brk; /* End of data segment */ 71 unsigned long text_len; /* Length of text segment */ 72 unsigned long entry; /* Start address for this module */ 73 unsigned long build_date; /* When this one was compiled */ 74 bool loaded; /* Has this library been loaded? */ 75 } lib_list[MAX_SHARED_LIBS]; 76 }; 77 78 #ifdef CONFIG_BINFMT_SHARED_FLAT 79 static int load_flat_shared_library(int id, struct lib_info *p); 80 #endif 81 82 static int load_flat_binary(struct linux_binprm *); 83 static int flat_core_dump(struct coredump_params *cprm); 84 85 static struct linux_binfmt flat_format = { 86 .module = THIS_MODULE, 87 .load_binary = load_flat_binary, 88 .core_dump = flat_core_dump, 89 .min_coredump = PAGE_SIZE 90 }; 91 92 /****************************************************************************/ 93 /* 94 * Routine writes a core dump image in the current directory. 95 * Currently only a stub-function. 96 */ 97 98 static int flat_core_dump(struct coredump_params *cprm) 99 { 100 pr_warn("Process %s:%d received signr %d and should have core dumped\n", 101 current->comm, current->pid, cprm->siginfo->si_signo); 102 return 1; 103 } 104 105 /****************************************************************************/ 106 /* 107 * create_flat_tables() parses the env- and arg-strings in new user 108 * memory and creates the pointer tables from them, and puts their 109 * addresses on the "stack", recording the new stack pointer value. 110 */ 111 112 static int create_flat_tables(struct linux_binprm *bprm, unsigned long arg_start) 113 { 114 char __user *p; 115 unsigned long __user *sp; 116 long i, len; 117 118 p = (char __user *)arg_start; 119 sp = (unsigned long __user *)current->mm->start_stack; 120 121 sp -= bprm->envc + 1; 122 sp -= bprm->argc + 1; 123 sp -= flat_argvp_envp_on_stack() ? 2 : 0; 124 sp -= 1; /* &argc */ 125 126 current->mm->start_stack = (unsigned long)sp & -FLAT_STACK_ALIGN; 127 sp = (unsigned long __user *)current->mm->start_stack; 128 129 __put_user(bprm->argc, sp++); 130 if (flat_argvp_envp_on_stack()) { 131 unsigned long argv, envp; 132 argv = (unsigned long)(sp + 2); 133 envp = (unsigned long)(sp + 2 + bprm->argc + 1); 134 __put_user(argv, sp++); 135 __put_user(envp, sp++); 136 } 137 138 current->mm->arg_start = (unsigned long)p; 139 for (i = bprm->argc; i > 0; i--) { 140 __put_user((unsigned long)p, sp++); 141 len = strnlen_user(p, MAX_ARG_STRLEN); 142 if (!len || len > MAX_ARG_STRLEN) 143 return -EINVAL; 144 p += len; 145 } 146 __put_user(0, sp++); 147 current->mm->arg_end = (unsigned long)p; 148 149 current->mm->env_start = (unsigned long) p; 150 for (i = bprm->envc; i > 0; i--) { 151 __put_user((unsigned long)p, sp++); 152 len = strnlen_user(p, MAX_ARG_STRLEN); 153 if (!len || len > MAX_ARG_STRLEN) 154 return -EINVAL; 155 p += len; 156 } 157 __put_user(0, sp++); 158 current->mm->env_end = (unsigned long)p; 159 160 return 0; 161 } 162 163 /****************************************************************************/ 164 165 #ifdef CONFIG_BINFMT_ZFLAT 166 167 #include <linux/zlib.h> 168 169 #define LBUFSIZE 4000 170 171 /* gzip flag byte */ 172 #define ASCII_FLAG 0x01 /* bit 0 set: file probably ASCII text */ 173 #define CONTINUATION 0x02 /* bit 1 set: continuation of multi-part gzip file */ 174 #define EXTRA_FIELD 0x04 /* bit 2 set: extra field present */ 175 #define ORIG_NAME 0x08 /* bit 3 set: original file name present */ 176 #define COMMENT 0x10 /* bit 4 set: file comment present */ 177 #define ENCRYPTED 0x20 /* bit 5 set: file is encrypted */ 178 #define RESERVED 0xC0 /* bit 6,7: reserved */ 179 180 static int decompress_exec(struct linux_binprm *bprm, loff_t fpos, char *dst, 181 long len, int fd) 182 { 183 unsigned char *buf; 184 z_stream strm; 185 int ret, retval; 186 187 pr_debug("decompress_exec(offset=%llx,buf=%p,len=%lx)\n", fpos, dst, len); 188 189 memset(&strm, 0, sizeof(strm)); 190 strm.workspace = kmalloc(zlib_inflate_workspacesize(), GFP_KERNEL); 191 if (!strm.workspace) 192 return -ENOMEM; 193 194 buf = kmalloc(LBUFSIZE, GFP_KERNEL); 195 if (!buf) { 196 retval = -ENOMEM; 197 goto out_free; 198 } 199 200 /* Read in first chunk of data and parse gzip header. */ 201 ret = kernel_read(bprm->file, buf, LBUFSIZE, &fpos); 202 203 strm.next_in = buf; 204 strm.avail_in = ret; 205 strm.total_in = 0; 206 207 retval = -ENOEXEC; 208 209 /* Check minimum size -- gzip header */ 210 if (ret < 10) { 211 pr_debug("file too small?\n"); 212 goto out_free_buf; 213 } 214 215 /* Check gzip magic number */ 216 if ((buf[0] != 037) || ((buf[1] != 0213) && (buf[1] != 0236))) { 217 pr_debug("unknown compression magic?\n"); 218 goto out_free_buf; 219 } 220 221 /* Check gzip method */ 222 if (buf[2] != 8) { 223 pr_debug("unknown compression method?\n"); 224 goto out_free_buf; 225 } 226 /* Check gzip flags */ 227 if ((buf[3] & ENCRYPTED) || (buf[3] & CONTINUATION) || 228 (buf[3] & RESERVED)) { 229 pr_debug("unknown flags?\n"); 230 goto out_free_buf; 231 } 232 233 ret = 10; 234 if (buf[3] & EXTRA_FIELD) { 235 ret += 2 + buf[10] + (buf[11] << 8); 236 if (unlikely(ret >= LBUFSIZE)) { 237 pr_debug("buffer overflow (EXTRA)?\n"); 238 goto out_free_buf; 239 } 240 } 241 if (buf[3] & ORIG_NAME) { 242 while (ret < LBUFSIZE && buf[ret++] != 0) 243 ; 244 if (unlikely(ret == LBUFSIZE)) { 245 pr_debug("buffer overflow (ORIG_NAME)?\n"); 246 goto out_free_buf; 247 } 248 } 249 if (buf[3] & COMMENT) { 250 while (ret < LBUFSIZE && buf[ret++] != 0) 251 ; 252 if (unlikely(ret == LBUFSIZE)) { 253 pr_debug("buffer overflow (COMMENT)?\n"); 254 goto out_free_buf; 255 } 256 } 257 258 strm.next_in += ret; 259 strm.avail_in -= ret; 260 261 strm.next_out = dst; 262 strm.avail_out = len; 263 strm.total_out = 0; 264 265 if (zlib_inflateInit2(&strm, -MAX_WBITS) != Z_OK) { 266 pr_debug("zlib init failed?\n"); 267 goto out_free_buf; 268 } 269 270 while ((ret = zlib_inflate(&strm, Z_NO_FLUSH)) == Z_OK) { 271 ret = kernel_read(bprm->file, buf, LBUFSIZE, &fpos); 272 if (ret <= 0) 273 break; 274 len -= ret; 275 276 strm.next_in = buf; 277 strm.avail_in = ret; 278 strm.total_in = 0; 279 } 280 281 if (ret < 0) { 282 pr_debug("decompression failed (%d), %s\n", 283 ret, strm.msg); 284 goto out_zlib; 285 } 286 287 retval = 0; 288 out_zlib: 289 zlib_inflateEnd(&strm); 290 out_free_buf: 291 kfree(buf); 292 out_free: 293 kfree(strm.workspace); 294 return retval; 295 } 296 297 #endif /* CONFIG_BINFMT_ZFLAT */ 298 299 /****************************************************************************/ 300 301 static unsigned long 302 calc_reloc(unsigned long r, struct lib_info *p, int curid, int internalp) 303 { 304 unsigned long addr; 305 int id; 306 unsigned long start_brk; 307 unsigned long start_data; 308 unsigned long text_len; 309 unsigned long start_code; 310 311 #ifdef CONFIG_BINFMT_SHARED_FLAT 312 if (r == 0) 313 id = curid; /* Relocs of 0 are always self referring */ 314 else { 315 id = (r >> 24) & 0xff; /* Find ID for this reloc */ 316 r &= 0x00ffffff; /* Trim ID off here */ 317 } 318 if (id >= MAX_SHARED_LIBS) { 319 pr_err("reference 0x%lx to shared library %d", r, id); 320 goto failed; 321 } 322 if (curid != id) { 323 if (internalp) { 324 pr_err("reloc address 0x%lx not in same module " 325 "(%d != %d)", r, curid, id); 326 goto failed; 327 } else if (!p->lib_list[id].loaded && 328 load_flat_shared_library(id, p) < 0) { 329 pr_err("failed to load library %d", id); 330 goto failed; 331 } 332 /* Check versioning information (i.e. time stamps) */ 333 if (p->lib_list[id].build_date && p->lib_list[curid].build_date && 334 p->lib_list[curid].build_date < p->lib_list[id].build_date) { 335 pr_err("library %d is younger than %d", id, curid); 336 goto failed; 337 } 338 } 339 #else 340 id = 0; 341 #endif 342 343 start_brk = p->lib_list[id].start_brk; 344 start_data = p->lib_list[id].start_data; 345 start_code = p->lib_list[id].start_code; 346 text_len = p->lib_list[id].text_len; 347 348 if (!flat_reloc_valid(r, start_brk - start_data + text_len)) { 349 pr_err("reloc outside program 0x%lx (0 - 0x%lx/0x%lx)", 350 r, start_brk-start_data+text_len, text_len); 351 goto failed; 352 } 353 354 if (r < text_len) /* In text segment */ 355 addr = r + start_code; 356 else /* In data segment */ 357 addr = r - text_len + start_data; 358 359 /* Range checked already above so doing the range tests is redundant...*/ 360 return addr; 361 362 failed: 363 pr_cont(", killing %s!\n", current->comm); 364 send_sig(SIGSEGV, current, 0); 365 366 return RELOC_FAILED; 367 } 368 369 /****************************************************************************/ 370 371 static void old_reloc(unsigned long rl) 372 { 373 static const char *segment[] = { "TEXT", "DATA", "BSS", "*UNKNOWN*" }; 374 flat_v2_reloc_t r; 375 unsigned long __user *ptr; 376 unsigned long val; 377 378 r.value = rl; 379 #if defined(CONFIG_COLDFIRE) 380 ptr = (unsigned long __user *)(current->mm->start_code + r.reloc.offset); 381 #else 382 ptr = (unsigned long __user *)(current->mm->start_data + r.reloc.offset); 383 #endif 384 get_user(val, ptr); 385 386 pr_debug("Relocation of variable at DATASEG+%x " 387 "(address %p, currently %lx) into segment %s\n", 388 r.reloc.offset, ptr, val, segment[r.reloc.type]); 389 390 switch (r.reloc.type) { 391 case OLD_FLAT_RELOC_TYPE_TEXT: 392 val += current->mm->start_code; 393 break; 394 case OLD_FLAT_RELOC_TYPE_DATA: 395 val += current->mm->start_data; 396 break; 397 case OLD_FLAT_RELOC_TYPE_BSS: 398 val += current->mm->end_data; 399 break; 400 default: 401 pr_err("Unknown relocation type=%x\n", r.reloc.type); 402 break; 403 } 404 put_user(val, ptr); 405 406 pr_debug("Relocation became %lx\n", val); 407 } 408 409 /****************************************************************************/ 410 411 static int load_flat_file(struct linux_binprm *bprm, 412 struct lib_info *libinfo, int id, unsigned long *extra_stack) 413 { 414 struct flat_hdr *hdr; 415 unsigned long textpos, datapos, realdatastart; 416 u32 text_len, data_len, bss_len, stack_len, full_data, flags; 417 unsigned long len, memp, memp_size, extra, rlim; 418 u32 __user *reloc, *rp; 419 struct inode *inode; 420 int i, rev, relocs; 421 loff_t fpos; 422 unsigned long start_code, end_code; 423 ssize_t result; 424 int ret; 425 426 hdr = ((struct flat_hdr *) bprm->buf); /* exec-header */ 427 inode = file_inode(bprm->file); 428 429 text_len = ntohl(hdr->data_start); 430 data_len = ntohl(hdr->data_end) - ntohl(hdr->data_start); 431 bss_len = ntohl(hdr->bss_end) - ntohl(hdr->data_end); 432 stack_len = ntohl(hdr->stack_size); 433 if (extra_stack) { 434 stack_len += *extra_stack; 435 *extra_stack = stack_len; 436 } 437 relocs = ntohl(hdr->reloc_count); 438 flags = ntohl(hdr->flags); 439 rev = ntohl(hdr->rev); 440 full_data = data_len + relocs * sizeof(unsigned long); 441 442 if (strncmp(hdr->magic, "bFLT", 4)) { 443 /* 444 * Previously, here was a printk to tell people 445 * "BINFMT_FLAT: bad header magic". 446 * But for the kernel which also use ELF FD-PIC format, this 447 * error message is confusing. 448 * because a lot of people do not manage to produce good 449 */ 450 ret = -ENOEXEC; 451 goto err; 452 } 453 454 if (flags & FLAT_FLAG_KTRACE) 455 pr_info("Loading file: %s\n", bprm->filename); 456 457 if (rev != FLAT_VERSION && rev != OLD_FLAT_VERSION) { 458 pr_err("bad flat file version 0x%x (supported 0x%lx and 0x%lx)\n", 459 rev, FLAT_VERSION, OLD_FLAT_VERSION); 460 ret = -ENOEXEC; 461 goto err; 462 } 463 464 /* Don't allow old format executables to use shared libraries */ 465 if (rev == OLD_FLAT_VERSION && id != 0) { 466 pr_err("shared libraries are not available before rev 0x%lx\n", 467 FLAT_VERSION); 468 ret = -ENOEXEC; 469 goto err; 470 } 471 472 /* 473 * Make sure the header params are sane. 474 * 28 bits (256 MB) is way more than reasonable in this case. 475 * If some top bits are set we have probable binary corruption. 476 */ 477 if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) { 478 pr_err("bad header\n"); 479 ret = -ENOEXEC; 480 goto err; 481 } 482 483 /* 484 * fix up the flags for the older format, there were all kinds 485 * of endian hacks, this only works for the simple cases 486 */ 487 if (rev == OLD_FLAT_VERSION && flat_old_ram_flag(flags)) 488 flags = FLAT_FLAG_RAM; 489 490 #ifndef CONFIG_BINFMT_ZFLAT 491 if (flags & (FLAT_FLAG_GZIP|FLAT_FLAG_GZDATA)) { 492 pr_err("Support for ZFLAT executables is not enabled.\n"); 493 ret = -ENOEXEC; 494 goto err; 495 } 496 #endif 497 498 /* 499 * Check initial limits. This avoids letting people circumvent 500 * size limits imposed on them by creating programs with large 501 * arrays in the data or bss. 502 */ 503 rlim = rlimit(RLIMIT_DATA); 504 if (rlim >= RLIM_INFINITY) 505 rlim = ~0; 506 if (data_len + bss_len > rlim) { 507 ret = -ENOMEM; 508 goto err; 509 } 510 511 /* Flush all traces of the currently running executable */ 512 if (id == 0) { 513 ret = flush_old_exec(bprm); 514 if (ret) 515 goto err; 516 517 /* OK, This is the point of no return */ 518 set_personality(PER_LINUX_32BIT); 519 setup_new_exec(bprm); 520 } 521 522 /* 523 * calculate the extra space we need to map in 524 */ 525 extra = max_t(unsigned long, bss_len + stack_len, 526 relocs * sizeof(unsigned long)); 527 528 /* 529 * there are a couple of cases here, the separate code/data 530 * case, and then the fully copied to RAM case which lumps 531 * it all together. 532 */ 533 if (!IS_ENABLED(CONFIG_MMU) && !(flags & (FLAT_FLAG_RAM|FLAT_FLAG_GZIP))) { 534 /* 535 * this should give us a ROM ptr, but if it doesn't we don't 536 * really care 537 */ 538 pr_debug("ROM mapping of file (we hope)\n"); 539 540 textpos = vm_mmap(bprm->file, 0, text_len, PROT_READ|PROT_EXEC, 541 MAP_PRIVATE|MAP_EXECUTABLE, 0); 542 if (!textpos || IS_ERR_VALUE(textpos)) { 543 ret = textpos; 544 if (!textpos) 545 ret = -ENOMEM; 546 pr_err("Unable to mmap process text, errno %d\n", ret); 547 goto err; 548 } 549 550 len = data_len + extra + MAX_SHARED_LIBS * sizeof(unsigned long); 551 len = PAGE_ALIGN(len); 552 realdatastart = vm_mmap(NULL, 0, len, 553 PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 0); 554 555 if (realdatastart == 0 || IS_ERR_VALUE(realdatastart)) { 556 ret = realdatastart; 557 if (!realdatastart) 558 ret = -ENOMEM; 559 pr_err("Unable to allocate RAM for process data, " 560 "errno %d\n", ret); 561 vm_munmap(textpos, text_len); 562 goto err; 563 } 564 datapos = ALIGN(realdatastart + 565 MAX_SHARED_LIBS * sizeof(unsigned long), 566 FLAT_DATA_ALIGN); 567 568 pr_debug("Allocated data+bss+stack (%u bytes): %lx\n", 569 data_len + bss_len + stack_len, datapos); 570 571 fpos = ntohl(hdr->data_start); 572 #ifdef CONFIG_BINFMT_ZFLAT 573 if (flags & FLAT_FLAG_GZDATA) { 574 result = decompress_exec(bprm, fpos, (char *)datapos, 575 full_data, 0); 576 } else 577 #endif 578 { 579 result = read_code(bprm->file, datapos, fpos, 580 full_data); 581 } 582 if (IS_ERR_VALUE(result)) { 583 ret = result; 584 pr_err("Unable to read data+bss, errno %d\n", ret); 585 vm_munmap(textpos, text_len); 586 vm_munmap(realdatastart, len); 587 goto err; 588 } 589 590 reloc = (u32 __user *) 591 (datapos + (ntohl(hdr->reloc_start) - text_len)); 592 memp = realdatastart; 593 memp_size = len; 594 } else { 595 596 len = text_len + data_len + extra + MAX_SHARED_LIBS * sizeof(u32); 597 len = PAGE_ALIGN(len); 598 textpos = vm_mmap(NULL, 0, len, 599 PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE, 0); 600 601 if (!textpos || IS_ERR_VALUE(textpos)) { 602 ret = textpos; 603 if (!textpos) 604 ret = -ENOMEM; 605 pr_err("Unable to allocate RAM for process text/data, " 606 "errno %d\n", ret); 607 goto err; 608 } 609 610 realdatastart = textpos + ntohl(hdr->data_start); 611 datapos = ALIGN(realdatastart + 612 MAX_SHARED_LIBS * sizeof(u32), 613 FLAT_DATA_ALIGN); 614 615 reloc = (u32 __user *) 616 (datapos + (ntohl(hdr->reloc_start) - text_len)); 617 memp = textpos; 618 memp_size = len; 619 #ifdef CONFIG_BINFMT_ZFLAT 620 /* 621 * load it all in and treat it like a RAM load from now on 622 */ 623 if (flags & FLAT_FLAG_GZIP) { 624 #ifndef CONFIG_MMU 625 result = decompress_exec(bprm, sizeof(struct flat_hdr), 626 (((char *)textpos) + sizeof(struct flat_hdr)), 627 (text_len + full_data 628 - sizeof(struct flat_hdr)), 629 0); 630 memmove((void *) datapos, (void *) realdatastart, 631 full_data); 632 #else 633 /* 634 * This is used on MMU systems mainly for testing. 635 * Let's use a kernel buffer to simplify things. 636 */ 637 long unz_text_len = text_len - sizeof(struct flat_hdr); 638 long unz_len = unz_text_len + full_data; 639 char *unz_data = vmalloc(unz_len); 640 if (!unz_data) { 641 result = -ENOMEM; 642 } else { 643 result = decompress_exec(bprm, sizeof(struct flat_hdr), 644 unz_data, unz_len, 0); 645 if (result == 0 && 646 (copy_to_user((void __user *)textpos + sizeof(struct flat_hdr), 647 unz_data, unz_text_len) || 648 copy_to_user((void __user *)datapos, 649 unz_data + unz_text_len, full_data))) 650 result = -EFAULT; 651 vfree(unz_data); 652 } 653 #endif 654 } else if (flags & FLAT_FLAG_GZDATA) { 655 result = read_code(bprm->file, textpos, 0, text_len); 656 if (!IS_ERR_VALUE(result)) { 657 #ifndef CONFIG_MMU 658 result = decompress_exec(bprm, text_len, (char *) datapos, 659 full_data, 0); 660 #else 661 char *unz_data = vmalloc(full_data); 662 if (!unz_data) { 663 result = -ENOMEM; 664 } else { 665 result = decompress_exec(bprm, text_len, 666 unz_data, full_data, 0); 667 if (result == 0 && 668 copy_to_user((void __user *)datapos, 669 unz_data, full_data)) 670 result = -EFAULT; 671 vfree(unz_data); 672 } 673 #endif 674 } 675 } else 676 #endif /* CONFIG_BINFMT_ZFLAT */ 677 { 678 result = read_code(bprm->file, textpos, 0, text_len); 679 if (!IS_ERR_VALUE(result)) 680 result = read_code(bprm->file, datapos, 681 ntohl(hdr->data_start), 682 full_data); 683 } 684 if (IS_ERR_VALUE(result)) { 685 ret = result; 686 pr_err("Unable to read code+data+bss, errno %d\n", ret); 687 vm_munmap(textpos, text_len + data_len + extra + 688 MAX_SHARED_LIBS * sizeof(u32)); 689 goto err; 690 } 691 } 692 693 start_code = textpos + sizeof(struct flat_hdr); 694 end_code = textpos + text_len; 695 text_len -= sizeof(struct flat_hdr); /* the real code len */ 696 697 /* The main program needs a little extra setup in the task structure */ 698 if (id == 0) { 699 current->mm->start_code = start_code; 700 current->mm->end_code = end_code; 701 current->mm->start_data = datapos; 702 current->mm->end_data = datapos + data_len; 703 /* 704 * set up the brk stuff, uses any slack left in data/bss/stack 705 * allocation. We put the brk after the bss (between the bss 706 * and stack) like other platforms. 707 * Userspace code relies on the stack pointer starting out at 708 * an address right at the end of a page. 709 */ 710 current->mm->start_brk = datapos + data_len + bss_len; 711 current->mm->brk = (current->mm->start_brk + 3) & ~3; 712 #ifndef CONFIG_MMU 713 current->mm->context.end_brk = memp + memp_size - stack_len; 714 #endif 715 } 716 717 if (flags & FLAT_FLAG_KTRACE) { 718 pr_info("Mapping is %lx, Entry point is %x, data_start is %x\n", 719 textpos, 0x00ffffff&ntohl(hdr->entry), ntohl(hdr->data_start)); 720 pr_info("%s %s: TEXT=%lx-%lx DATA=%lx-%lx BSS=%lx-%lx\n", 721 id ? "Lib" : "Load", bprm->filename, 722 start_code, end_code, datapos, datapos + data_len, 723 datapos + data_len, (datapos + data_len + bss_len + 3) & ~3); 724 } 725 726 /* Store the current module values into the global library structure */ 727 libinfo->lib_list[id].start_code = start_code; 728 libinfo->lib_list[id].start_data = datapos; 729 libinfo->lib_list[id].start_brk = datapos + data_len + bss_len; 730 libinfo->lib_list[id].text_len = text_len; 731 libinfo->lib_list[id].loaded = 1; 732 libinfo->lib_list[id].entry = (0x00ffffff & ntohl(hdr->entry)) + textpos; 733 libinfo->lib_list[id].build_date = ntohl(hdr->build_date); 734 735 /* 736 * We just load the allocations into some temporary memory to 737 * help simplify all this mumbo jumbo 738 * 739 * We've got two different sections of relocation entries. 740 * The first is the GOT which resides at the beginning of the data segment 741 * and is terminated with a -1. This one can be relocated in place. 742 * The second is the extra relocation entries tacked after the image's 743 * data segment. These require a little more processing as the entry is 744 * really an offset into the image which contains an offset into the 745 * image. 746 */ 747 if (flags & FLAT_FLAG_GOTPIC) { 748 for (rp = (u32 __user *)datapos; ; rp++) { 749 u32 addr, rp_val; 750 if (get_user(rp_val, rp)) 751 return -EFAULT; 752 if (rp_val == 0xffffffff) 753 break; 754 if (rp_val) { 755 addr = calc_reloc(rp_val, libinfo, id, 0); 756 if (addr == RELOC_FAILED) { 757 ret = -ENOEXEC; 758 goto err; 759 } 760 if (put_user(addr, rp)) 761 return -EFAULT; 762 } 763 } 764 } 765 766 /* 767 * Now run through the relocation entries. 768 * We've got to be careful here as C++ produces relocatable zero 769 * entries in the constructor and destructor tables which are then 770 * tested for being not zero (which will always occur unless we're 771 * based from address zero). This causes an endless loop as __start 772 * is at zero. The solution used is to not relocate zero addresses. 773 * This has the negative side effect of not allowing a global data 774 * reference to be statically initialised to _stext (I've moved 775 * __start to address 4 so that is okay). 776 */ 777 if (rev > OLD_FLAT_VERSION) { 778 u32 __maybe_unused persistent = 0; 779 for (i = 0; i < relocs; i++) { 780 u32 addr, relval; 781 782 /* 783 * Get the address of the pointer to be 784 * relocated (of course, the address has to be 785 * relocated first). 786 */ 787 if (get_user(relval, reloc + i)) 788 return -EFAULT; 789 relval = ntohl(relval); 790 if (flat_set_persistent(relval, &persistent)) 791 continue; 792 addr = flat_get_relocate_addr(relval); 793 rp = (u32 __user *)calc_reloc(addr, libinfo, id, 1); 794 if (rp == (u32 __user *)RELOC_FAILED) { 795 ret = -ENOEXEC; 796 goto err; 797 } 798 799 /* Get the pointer's value. */ 800 ret = flat_get_addr_from_rp(rp, relval, flags, 801 &addr, &persistent); 802 if (unlikely(ret)) 803 goto err; 804 805 if (addr != 0) { 806 /* 807 * Do the relocation. PIC relocs in the data section are 808 * already in target order 809 */ 810 if ((flags & FLAT_FLAG_GOTPIC) == 0) 811 addr = ntohl(addr); 812 addr = calc_reloc(addr, libinfo, id, 0); 813 if (addr == RELOC_FAILED) { 814 ret = -ENOEXEC; 815 goto err; 816 } 817 818 /* Write back the relocated pointer. */ 819 ret = flat_put_addr_at_rp(rp, addr, relval); 820 if (unlikely(ret)) 821 goto err; 822 } 823 } 824 } else { 825 for (i = 0; i < relocs; i++) { 826 u32 relval; 827 if (get_user(relval, reloc + i)) 828 return -EFAULT; 829 relval = ntohl(relval); 830 old_reloc(relval); 831 } 832 } 833 834 flush_icache_range(start_code, end_code); 835 836 /* zero the BSS, BRK and stack areas */ 837 if (clear_user((void __user *)(datapos + data_len), bss_len + 838 (memp + memp_size - stack_len - /* end brk */ 839 libinfo->lib_list[id].start_brk) + /* start brk */ 840 stack_len)) 841 return -EFAULT; 842 843 return 0; 844 err: 845 return ret; 846 } 847 848 849 /****************************************************************************/ 850 #ifdef CONFIG_BINFMT_SHARED_FLAT 851 852 /* 853 * Load a shared library into memory. The library gets its own data 854 * segment (including bss) but not argv/argc/environ. 855 */ 856 857 static int load_flat_shared_library(int id, struct lib_info *libs) 858 { 859 /* 860 * This is a fake bprm struct; only the members "buf", "file" and 861 * "filename" are actually used. 862 */ 863 struct linux_binprm bprm; 864 int res; 865 char buf[16]; 866 loff_t pos = 0; 867 868 memset(&bprm, 0, sizeof(bprm)); 869 870 /* Create the file name */ 871 sprintf(buf, "/lib/lib%d.so", id); 872 873 /* Open the file up */ 874 bprm.filename = buf; 875 bprm.file = open_exec(bprm.filename); 876 res = PTR_ERR(bprm.file); 877 if (IS_ERR(bprm.file)) 878 return res; 879 880 res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos); 881 882 if (res >= 0) 883 res = load_flat_file(&bprm, libs, id, NULL); 884 885 allow_write_access(bprm.file); 886 fput(bprm.file); 887 888 return res; 889 } 890 891 #endif /* CONFIG_BINFMT_SHARED_FLAT */ 892 /****************************************************************************/ 893 894 /* 895 * These are the functions used to load flat style executables and shared 896 * libraries. There is no binary dependent code anywhere else. 897 */ 898 899 static int load_flat_binary(struct linux_binprm *bprm) 900 { 901 struct lib_info libinfo; 902 struct pt_regs *regs = current_pt_regs(); 903 unsigned long stack_len = 0; 904 unsigned long start_addr; 905 int res; 906 int i, j; 907 908 memset(&libinfo, 0, sizeof(libinfo)); 909 910 /* 911 * We have to add the size of our arguments to our stack size 912 * otherwise it's too easy for users to create stack overflows 913 * by passing in a huge argument list. And yes, we have to be 914 * pedantic and include space for the argv/envp array as it may have 915 * a lot of entries. 916 */ 917 #ifndef CONFIG_MMU 918 stack_len += PAGE_SIZE * MAX_ARG_PAGES - bprm->p; /* the strings */ 919 #endif 920 stack_len += (bprm->argc + 1) * sizeof(char *); /* the argv array */ 921 stack_len += (bprm->envc + 1) * sizeof(char *); /* the envp array */ 922 stack_len = ALIGN(stack_len, FLAT_STACK_ALIGN); 923 924 res = load_flat_file(bprm, &libinfo, 0, &stack_len); 925 if (res < 0) 926 return res; 927 928 /* Update data segment pointers for all libraries */ 929 for (i = 0; i < MAX_SHARED_LIBS; i++) { 930 if (!libinfo.lib_list[i].loaded) 931 continue; 932 for (j = 0; j < MAX_SHARED_LIBS; j++) { 933 unsigned long val = libinfo.lib_list[j].loaded ? 934 libinfo.lib_list[j].start_data : UNLOADED_LIB; 935 unsigned long __user *p = (unsigned long __user *) 936 libinfo.lib_list[i].start_data; 937 p -= j + 1; 938 if (put_user(val, p)) 939 return -EFAULT; 940 } 941 } 942 943 install_exec_creds(bprm); 944 945 set_binfmt(&flat_format); 946 947 #ifdef CONFIG_MMU 948 res = setup_arg_pages(bprm, STACK_TOP, EXSTACK_DEFAULT); 949 if (!res) 950 res = create_flat_tables(bprm, bprm->p); 951 #else 952 /* Stash our initial stack pointer into the mm structure */ 953 current->mm->start_stack = 954 ((current->mm->context.end_brk + stack_len + 3) & ~3) - 4; 955 pr_debug("sp=%lx\n", current->mm->start_stack); 956 957 /* copy the arg pages onto the stack */ 958 res = transfer_args_to_stack(bprm, ¤t->mm->start_stack); 959 if (!res) 960 res = create_flat_tables(bprm, current->mm->start_stack); 961 #endif 962 if (res) 963 return res; 964 965 /* Fake some return addresses to ensure the call chain will 966 * initialise library in order for us. We are required to call 967 * lib 1 first, then 2, ... and finally the main program (id 0). 968 */ 969 start_addr = libinfo.lib_list[0].entry; 970 971 #ifdef CONFIG_BINFMT_SHARED_FLAT 972 for (i = MAX_SHARED_LIBS-1; i > 0; i--) { 973 if (libinfo.lib_list[i].loaded) { 974 /* Push previos first to call address */ 975 unsigned long __user *sp; 976 current->mm->start_stack -= sizeof(unsigned long); 977 sp = (unsigned long __user *)current->mm->start_stack; 978 __put_user(start_addr, sp); 979 start_addr = libinfo.lib_list[i].entry; 980 } 981 } 982 #endif 983 984 #ifdef FLAT_PLAT_INIT 985 FLAT_PLAT_INIT(regs); 986 #endif 987 988 finalize_exec(bprm); 989 pr_debug("start_thread(regs=0x%p, entry=0x%lx, start_stack=0x%lx)\n", 990 regs, start_addr, current->mm->start_stack); 991 start_thread(regs, start_addr, current->mm->start_stack); 992 993 return 0; 994 } 995 996 /****************************************************************************/ 997 998 static int __init init_flat_binfmt(void) 999 { 1000 register_binfmt(&flat_format); 1001 return 0; 1002 } 1003 core_initcall(init_flat_binfmt); 1004 1005 /****************************************************************************/ 1006