FreeBSD/Linux Kernel Cross Reference
sys/fs/exec.c
1 /*
2 * linux/fs/exec.c
3 *
4 * Copyright (C) 1991, 1992 Linus Torvalds
5 */
6
7 /*
8 * #!-checking implemented by tytso.
9 */
10 /*
11 * Demand-loading implemented 01.12.91 - no need to read anything but
12 * the header into memory. The inode of the executable is put into
13 * "current->executable", and page faults do the actual loading. Clean.
14 *
15 * Once more I can proudly say that linux stood up to being changed: it
16 * was less than 2 hours work to get demand-loading completely implemented.
17 *
18 * Demand loading changed July 1993 by Eric Youngdale. Use mmap instead,
19 * current->executable is only used by the procfs. This allows a dispatch
20 * table to check for several different types of binary formats. We keep
21 * trying until we recognize the file or we run out of supported binary
22 * formats.
23 */
24
25 #include <linux/config.h>
26 #include <linux/slab.h>
27 #include <linux/file.h>
28 #include <linux/mman.h>
29 #include <linux/a.out.h>
30 #include <linux/stat.h>
31 #include <linux/fcntl.h>
32 #include <linux/smp_lock.h>
33 #include <linux/init.h>
34 #include <linux/pagemap.h>
35 #include <linux/highmem.h>
36 #include <linux/spinlock.h>
37 #include <linux/personality.h>
38 #include <linux/swap.h>
39 #include <linux/utsname.h>
40 #define __NO_VERSION__
41 #include <linux/module.h>
42
43 #include <asm/uaccess.h>
44 #include <asm/pgalloc.h>
45 #include <asm/mmu_context.h>
46
47 #ifdef CONFIG_KMOD
48 #include <linux/kmod.h>
49 #endif
50
51 int core_uses_pid;
52 char core_pattern[65] = "core";
53 /* The maximal length of core_pattern is also specified in sysctl.c */
54
55 static struct linux_binfmt *formats;
56 static rwlock_t binfmt_lock = RW_LOCK_UNLOCKED;
57
58 int register_binfmt(struct linux_binfmt * fmt)
59 {
60 struct linux_binfmt ** tmp = &formats;
61
62 if (!fmt)
63 return -EINVAL;
64 if (fmt->next)
65 return -EBUSY;
66 write_lock(&binfmt_lock);
67 while (*tmp) {
68 if (fmt == *tmp) {
69 write_unlock(&binfmt_lock);
70 return -EBUSY;
71 }
72 tmp = &(*tmp)->next;
73 }
74 fmt->next = formats;
75 formats = fmt;
76 write_unlock(&binfmt_lock);
77 return 0;
78 }
79
80 int unregister_binfmt(struct linux_binfmt * fmt)
81 {
82 struct linux_binfmt ** tmp = &formats;
83
84 write_lock(&binfmt_lock);
85 while (*tmp) {
86 if (fmt == *tmp) {
87 *tmp = fmt->next;
88 write_unlock(&binfmt_lock);
89 return 0;
90 }
91 tmp = &(*tmp)->next;
92 }
93 write_unlock(&binfmt_lock);
94 return -EINVAL;
95 }
96
97 static inline void put_binfmt(struct linux_binfmt * fmt)
98 {
99 if (fmt->module)
100 __MOD_DEC_USE_COUNT(fmt->module);
101 }
102
103 /*
104 * Note that a shared library must be both readable and executable due to
105 * security reasons.
106 *
107 * Also note that we take the address to load from from the file itself.
108 */
109 asmlinkage long sys_uselib(const char * library)
110 {
111 struct file * file;
112 struct nameidata nd;
113 int error;
114
115 error = user_path_walk(library, &nd);
116 if (error)
117 goto out;
118
119 error = -EINVAL;
120 if (!S_ISREG(nd.dentry->d_inode->i_mode))
121 goto exit;
122
123 error = permission(nd.dentry->d_inode, MAY_READ | MAY_EXEC);
124 if (error)
125 goto exit;
126
127 file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
128 error = PTR_ERR(file);
129 if (IS_ERR(file))
130 goto out;
131
132 error = -ENOEXEC;
133 if(file->f_op && file->f_op->read) {
134 struct linux_binfmt * fmt;
135
136 read_lock(&binfmt_lock);
137 for (fmt = formats ; fmt ; fmt = fmt->next) {
138 if (!fmt->load_shlib)
139 continue;
140 if (!try_inc_mod_count(fmt->module))
141 continue;
142 read_unlock(&binfmt_lock);
143 error = fmt->load_shlib(file);
144 read_lock(&binfmt_lock);
145 put_binfmt(fmt);
146 if (error != -ENOEXEC)
147 break;
148 }
149 read_unlock(&binfmt_lock);
150 }
151 fput(file);
152 out:
153 return error;
154 exit:
155 path_release(&nd);
156 goto out;
157 }
158
159 /*
160 * count() counts the number of arguments/envelopes
161 */
162 static int count(char ** argv, int max)
163 {
164 int i = 0;
165
166 if (argv != NULL) {
167 for (;;) {
168 char * p;
169
170 if (get_user(p, argv))
171 return -EFAULT;
172 if (!p)
173 break;
174 argv++;
175 if(++i > max)
176 return -E2BIG;
177 }
178 }
179 return i;
180 }
181
182 /*
183 * 'copy_strings()' copies argument/envelope strings from user
184 * memory to free pages in kernel mem. These are in a format ready
185 * to be put directly into the top of new user memory.
186 */
187 int copy_strings(int argc,char ** argv, struct linux_binprm *bprm)
188 {
189 struct page *kmapped_page = NULL;
190 char *kaddr = NULL;
191 int ret;
192
193 while (argc-- > 0) {
194 char *str;
195 int len;
196 unsigned long pos;
197
198 if (get_user(str, argv+argc) ||
199 !(len = strnlen_user(str, bprm->p))) {
200 ret = -EFAULT;
201 goto out;
202 }
203
204 if (bprm->p < len) {
205 ret = -E2BIG;
206 goto out;
207 }
208
209 bprm->p -= len;
210 /* XXX: add architecture specific overflow check here. */
211 pos = bprm->p;
212
213 while (len > 0) {
214 int i, new, err;
215 int offset, bytes_to_copy;
216 struct page *page;
217
218 offset = pos % PAGE_SIZE;
219 i = pos/PAGE_SIZE;
220 page = bprm->page[i];
221 new = 0;
222 if (!page) {
223 page = alloc_page(GFP_HIGHUSER);
224 bprm->page[i] = page;
225 if (!page) {
226 ret = -ENOMEM;
227 goto out;
228 }
229 new = 1;
230 }
231
232 if (page != kmapped_page) {
233 if (kmapped_page)
234 kunmap(kmapped_page);
235 kmapped_page = page;
236 kaddr = kmap(kmapped_page);
237 }
238 if (new && offset)
239 memset(kaddr, 0, offset);
240 bytes_to_copy = PAGE_SIZE - offset;
241 if (bytes_to_copy > len) {
242 bytes_to_copy = len;
243 if (new)
244 memset(kaddr+offset+len, 0,
245 PAGE_SIZE-offset-len);
246 }
247 err = copy_from_user(kaddr+offset, str, bytes_to_copy);
248 if (err) {
249 ret = -EFAULT;
250 goto out;
251 }
252
253 pos += bytes_to_copy;
254 str += bytes_to_copy;
255 len -= bytes_to_copy;
256 }
257 }
258 ret = 0;
259 out:
260 if (kmapped_page)
261 kunmap(kmapped_page);
262 return ret;
263 }
264
265 /*
266 * Like copy_strings, but get argv and its values from kernel memory.
267 */
268 int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm)
269 {
270 int r;
271 mm_segment_t oldfs = get_fs();
272 set_fs(KERNEL_DS);
273 r = copy_strings(argc, argv, bprm);
274 set_fs(oldfs);
275 return r;
276 }
277
278 /*
279 * This routine is used to map in a page into an address space: needed by
280 * execve() for the initial stack and environment pages.
281 *
282 * tsk->mmap_sem is held for writing.
283 */
284 void put_dirty_page(struct task_struct * tsk, struct page *page, unsigned long address)
285 {
286 pgd_t * pgd;
287 pmd_t * pmd;
288 pte_t * pte;
289 struct vm_area_struct *vma;
290 pgprot_t prot = PAGE_COPY;
291
292 if (page_count(page) != 1)
293 printk(KERN_ERR "mem_map disagrees with %p at %08lx\n", page, address);
294 pgd = pgd_offset(tsk->mm, address);
295
296 spin_lock(&tsk->mm->page_table_lock);
297 pmd = pmd_alloc(tsk->mm, pgd, address);
298 if (!pmd)
299 goto out;
300 pte = pte_alloc(tsk->mm, pmd, address);
301 if (!pte)
302 goto out;
303 if (!pte_none(*pte))
304 goto out;
305 lru_cache_add(page);
306 flush_dcache_page(page);
307 flush_page_to_ram(page);
308 /* lookup is cheap because there is only a single entry in the list */
309 vma = find_vma(tsk->mm, address);
310 if (vma)
311 prot = vma->vm_page_prot;
312 set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, prot))));
313 tsk->mm->rss++;
314 spin_unlock(&tsk->mm->page_table_lock);
315
316 /* no need for flush_tlb */
317 return;
318 out:
319 spin_unlock(&tsk->mm->page_table_lock);
320 __free_page(page);
321 force_sig(SIGKILL, tsk);
322 return;
323 }
324
325 int setup_arg_pages(struct linux_binprm *bprm)
326 {
327 unsigned long stack_base;
328 struct vm_area_struct *mpnt;
329 int i;
330
331 stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
332
333 bprm->p += stack_base;
334 if (bprm->loader)
335 bprm->loader += stack_base;
336 bprm->exec += stack_base;
337
338 mpnt = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
339 if (!mpnt)
340 return -ENOMEM;
341
342 down_write(¤t->mm->mmap_sem);
343 {
344 mpnt->vm_mm = current->mm;
345 mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
346 mpnt->vm_end = STACK_TOP;
347 mpnt->vm_flags = VM_STACK_FLAGS;
348 mpnt->vm_page_prot = protection_map[VM_STACK_FLAGS & 0x7];
349 mpnt->vm_ops = NULL;
350 mpnt->vm_pgoff = 0;
351 mpnt->vm_file = NULL;
352 mpnt->vm_private_data = (void *) 0;
353 insert_vm_struct(current->mm, mpnt);
354 current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
355 }
356
357 for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
358 struct page *page = bprm->page[i];
359 if (page) {
360 bprm->page[i] = NULL;
361 put_dirty_page(current,page,stack_base);
362 }
363 stack_base += PAGE_SIZE;
364 }
365 up_write(¤t->mm->mmap_sem);
366
367 return 0;
368 }
369
370 struct file *open_exec(const char *name)
371 {
372 struct nameidata nd;
373 struct inode *inode;
374 struct file *file;
375 int err = 0;
376
377 err = path_lookup(name, LOOKUP_FOLLOW|LOOKUP_POSITIVE, &nd);
378 file = ERR_PTR(err);
379 if (!err) {
380 inode = nd.dentry->d_inode;
381 file = ERR_PTR(-EACCES);
382 if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
383 S_ISREG(inode->i_mode)) {
384 int err = permission(inode, MAY_EXEC);
385 if (!err && !(inode->i_mode & 0111))
386 err = -EACCES;
387 file = ERR_PTR(err);
388 if (!err) {
389 file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
390 if (!IS_ERR(file)) {
391 err = deny_write_access(file);
392 if (err) {
393 fput(file);
394 file = ERR_PTR(err);
395 }
396 }
397 out:
398 return file;
399 }
400 }
401 path_release(&nd);
402 }
403 goto out;
404 }
405
406 int kernel_read(struct file *file, unsigned long offset,
407 char * addr, unsigned long count)
408 {
409 mm_segment_t old_fs;
410 loff_t pos = offset;
411 int result = -ENOSYS;
412
413 if (!file->f_op->read)
414 goto fail;
415 old_fs = get_fs();
416 set_fs(get_ds());
417 result = file->f_op->read(file, addr, count, &pos);
418 set_fs(old_fs);
419 fail:
420 return result;
421 }
422
423 static int exec_mmap(void)
424 {
425 struct mm_struct * mm, * old_mm;
426
427 old_mm = current->mm;
428 if (old_mm && atomic_read(&old_mm->mm_users) == 1) {
429 mm_release();
430 exit_mmap(old_mm);
431 return 0;
432 }
433
434 mm = mm_alloc();
435 if (mm) {
436 struct mm_struct *active_mm;
437
438 if (init_new_context(current, mm)) {
439 mmdrop(mm);
440 return -ENOMEM;
441 }
442
443 /* Add it to the list of mm's */
444 spin_lock(&mmlist_lock);
445 list_add(&mm->mmlist, &init_mm.mmlist);
446 mmlist_nr++;
447 spin_unlock(&mmlist_lock);
448
449 task_lock(current);
450 active_mm = current->active_mm;
451 current->mm = mm;
452 current->active_mm = mm;
453 task_unlock(current);
454 activate_mm(active_mm, mm);
455 mm_release();
456 if (old_mm) {
457 if (active_mm != old_mm) BUG();
458 mmput(old_mm);
459 return 0;
460 }
461 mmdrop(active_mm);
462 return 0;
463 }
464 return -ENOMEM;
465 }
466
467 /*
468 * This function makes sure the current process has its own signal table,
469 * so that flush_signal_handlers can later reset the handlers without
470 * disturbing other processes. (Other processes might share the signal
471 * table via the CLONE_SIGNAL option to clone().)
472 */
473
474 static inline int make_private_signals(void)
475 {
476 struct signal_struct * newsig;
477
478 if (atomic_read(¤t->sig->count) <= 1)
479 return 0;
480 newsig = kmem_cache_alloc(sigact_cachep, GFP_KERNEL);
481 if (newsig == NULL)
482 return -ENOMEM;
483 spin_lock_init(&newsig->siglock);
484 atomic_set(&newsig->count, 1);
485 memcpy(newsig->action, current->sig->action, sizeof(newsig->action));
486 spin_lock_irq(¤t->sigmask_lock);
487 current->sig = newsig;
488 spin_unlock_irq(¤t->sigmask_lock);
489 return 0;
490 }
491
492 /*
493 * If make_private_signals() made a copy of the signal table, decrement the
494 * refcount of the original table, and free it if necessary.
495 * We don't do that in make_private_signals() so that we can back off
496 * in flush_old_exec() if an error occurs after calling make_private_signals().
497 */
498
499 static inline void release_old_signals(struct signal_struct * oldsig)
500 {
501 if (current->sig == oldsig)
502 return;
503 if (atomic_dec_and_test(&oldsig->count))
504 kmem_cache_free(sigact_cachep, oldsig);
505 }
506
507 /*
508 * These functions flushes out all traces of the currently running executable
509 * so that a new one can be started
510 */
511
512 static inline void flush_old_files(struct files_struct * files)
513 {
514 long j = -1;
515
516 write_lock(&files->file_lock);
517 for (;;) {
518 unsigned long set, i;
519
520 j++;
521 i = j * __NFDBITS;
522 if (i >= files->max_fds || i >= files->max_fdset)
523 break;
524 set = files->close_on_exec->fds_bits[j];
525 if (!set)
526 continue;
527 files->close_on_exec->fds_bits[j] = 0;
528 write_unlock(&files->file_lock);
529 for ( ; set ; i++,set >>= 1) {
530 if (set & 1) {
531 sys_close(i);
532 }
533 }
534 write_lock(&files->file_lock);
535
536 }
537 write_unlock(&files->file_lock);
538 }
539
540 /*
541 * An execve() will automatically "de-thread" the process.
542 * Note: we don't have to hold the tasklist_lock to test
543 * whether we migth need to do this. If we're not part of
544 * a thread group, there is no way we can become one
545 * dynamically. And if we are, we only need to protect the
546 * unlink - even if we race with the last other thread exit,
547 * at worst the list_del_init() might end up being a no-op.
548 */
549 static inline void de_thread(struct task_struct *tsk)
550 {
551 if (!list_empty(&tsk->thread_group)) {
552 write_lock_irq(&tasklist_lock);
553 list_del_init(&tsk->thread_group);
554 write_unlock_irq(&tasklist_lock);
555 }
556
557 /* Minor oddity: this might stay the same. */
558 tsk->tgid = tsk->pid;
559 }
560
561 int flush_old_exec(struct linux_binprm * bprm)
562 {
563 char * name;
564 int i, ch, retval;
565 struct signal_struct * oldsig;
566 struct files_struct * files;
567
568 /*
569 * Make sure we have a private signal table
570 */
571 oldsig = current->sig;
572 retval = make_private_signals();
573 if (retval) goto flush_failed;
574
575 /*
576 * Make sure we have private file handles. Ask the
577 * fork helper to do the work for us and the exit
578 * helper to do the cleanup of the old one.
579 */
580
581 files = current->files; /* refcounted so safe to hold */
582 retval = unshare_files();
583 if(retval)
584 goto flush_failed;
585
586 /*
587 * Release all of the old mmap stuff
588 */
589 retval = exec_mmap();
590 if (retval) goto mmap_failed;
591
592 /* This is the point of no return */
593 steal_locks(files);
594 put_files_struct(files);
595 release_old_signals(oldsig);
596
597 current->sas_ss_sp = current->sas_ss_size = 0;
598
599 if (current->euid == current->uid && current->egid == current->gid) {
600 current->mm->dumpable = 1;
601 current->task_dumpable = 1;
602 }
603 name = bprm->filename;
604 for (i=0; (ch = *(name++)) != '\0';) {
605 if (ch == '/')
606 i = 0;
607 else
608 if (i < 15)
609 current->comm[i++] = ch;
610 }
611 current->comm[i] = '\0';
612
613 flush_thread();
614
615 de_thread(current);
616
617 if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
618 permission(bprm->file->f_dentry->d_inode,MAY_READ))
619 current->mm->dumpable = 0;
620
621 /* An exec changes our domain. We are no longer part of the thread
622 group */
623
624 current->self_exec_id++;
625
626 flush_signal_handlers(current);
627 flush_old_files(current->files);
628
629 return 0;
630
631 mmap_failed:
632 put_files_struct(current->files);
633 current->files = files;
634 flush_failed:
635 spin_lock_irq(¤t->sigmask_lock);
636 if (current->sig != oldsig) {
637 kmem_cache_free(sigact_cachep, current->sig);
638 current->sig = oldsig;
639 }
640 spin_unlock_irq(¤t->sigmask_lock);
641 return retval;
642 }
643
644 /*
645 * We mustn't allow tracing of suid binaries, unless
646 * the tracer has the capability to trace anything..
647 */
648 static inline int must_not_trace_exec(struct task_struct * p)
649 {
650 return (p->ptrace & PT_PTRACED) && !(p->ptrace & PT_PTRACE_CAP);
651 }
652
653 /*
654 * Fill the binprm structure from the inode.
655 * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
656 */
657 int prepare_binprm(struct linux_binprm *bprm)
658 {
659 int mode;
660 struct inode * inode = bprm->file->f_dentry->d_inode;
661
662 mode = inode->i_mode;
663 /*
664 * Check execute perms again - if the caller has CAP_DAC_OVERRIDE,
665 * vfs_permission lets a non-executable through
666 */
667 if (!(mode & 0111)) /* with at least _one_ execute bit set */
668 return -EACCES;
669 if (bprm->file->f_op == NULL)
670 return -EACCES;
671
672 bprm->e_uid = current->euid;
673 bprm->e_gid = current->egid;
674
675 if(!(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)) {
676 /* Set-uid? */
677 if (mode & S_ISUID)
678 bprm->e_uid = inode->i_uid;
679
680 /* Set-gid? */
681 /*
682 * If setgid is set but no group execute bit then this
683 * is a candidate for mandatory locking, not a setgid
684 * executable.
685 */
686 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
687 bprm->e_gid = inode->i_gid;
688 }
689
690 /* We don't have VFS support for capabilities yet */
691 cap_clear(bprm->cap_inheritable);
692 cap_clear(bprm->cap_permitted);
693 cap_clear(bprm->cap_effective);
694
695 /* To support inheritance of root-permissions and suid-root
696 * executables under compatibility mode, we raise all three
697 * capability sets for the file.
698 *
699 * If only the real uid is 0, we only raise the inheritable
700 * and permitted sets of the executable file.
701 */
702
703 if (!issecure(SECURE_NOROOT)) {
704 if (bprm->e_uid == 0 || current->uid == 0) {
705 cap_set_full(bprm->cap_inheritable);
706 cap_set_full(bprm->cap_permitted);
707 }
708 if (bprm->e_uid == 0)
709 cap_set_full(bprm->cap_effective);
710 }
711
712 memset(bprm->buf,0,BINPRM_BUF_SIZE);
713 return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
714 }
715
716 /*
717 * This function is used to produce the new IDs and capabilities
718 * from the old ones and the file's capabilities.
719 *
720 * The formula used for evolving capabilities is:
721 *
722 * pI' = pI
723 * (***) pP' = (fP & X) | (fI & pI)
724 * pE' = pP' & fE [NB. fE is 0 or ~0]
725 *
726 * I=Inheritable, P=Permitted, E=Effective // p=process, f=file
727 * ' indicates post-exec(), and X is the global 'cap_bset'.
728 *
729 */
730
731 void compute_creds(struct linux_binprm *bprm)
732 {
733 kernel_cap_t new_permitted, working;
734 int do_unlock = 0;
735
736 new_permitted = cap_intersect(bprm->cap_permitted, cap_bset);
737 working = cap_intersect(bprm->cap_inheritable,
738 current->cap_inheritable);
739 new_permitted = cap_combine(new_permitted, working);
740
741 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
742 !cap_issubset(new_permitted, current->cap_permitted)) {
743 current->mm->dumpable = 0;
744
745 lock_kernel();
746 if (must_not_trace_exec(current)
747 || atomic_read(¤t->fs->count) > 1
748 || atomic_read(¤t->files->count) > 1
749 || atomic_read(¤t->sig->count) > 1) {
750 if(!capable(CAP_SETUID)) {
751 bprm->e_uid = current->uid;
752 bprm->e_gid = current->gid;
753 }
754 if(!capable(CAP_SETPCAP)) {
755 new_permitted = cap_intersect(new_permitted,
756 current->cap_permitted);
757 }
758 }
759 do_unlock = 1;
760 }
761
762
763 /* For init, we want to retain the capabilities set
764 * in the init_task struct. Thus we skip the usual
765 * capability rules */
766 if (current->pid != 1) {
767 current->cap_permitted = new_permitted;
768 current->cap_effective =
769 cap_intersect(new_permitted, bprm->cap_effective);
770 }
771
772 /* AUD: Audit candidate if current->cap_effective is set */
773
774 current->suid = current->euid = current->fsuid = bprm->e_uid;
775 current->sgid = current->egid = current->fsgid = bprm->e_gid;
776
777 if(do_unlock)
778 unlock_kernel();
779 current->keep_capabilities = 0;
780 }
781
782
783 void remove_arg_zero(struct linux_binprm *bprm)
784 {
785 if (bprm->argc) {
786 unsigned long offset;
787 char * kaddr;
788 struct page *page;
789
790 offset = bprm->p % PAGE_SIZE;
791 goto inside;
792
793 while (bprm->p++, *(kaddr+offset++)) {
794 if (offset != PAGE_SIZE)
795 continue;
796 offset = 0;
797 kunmap(page);
798 inside:
799 page = bprm->page[bprm->p/PAGE_SIZE];
800 kaddr = kmap(page);
801 }
802 kunmap(page);
803 bprm->argc--;
804 }
805 }
806
807 /*
808 * cycle the list of binary formats handler, until one recognizes the image
809 */
810 int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
811 {
812 int try,retval=0;
813 struct linux_binfmt *fmt;
814 #ifdef __alpha__
815 /* handle /sbin/loader.. */
816 {
817 struct exec * eh = (struct exec *) bprm->buf;
818
819 if (!bprm->loader && eh->fh.f_magic == 0x183 &&
820 (eh->fh.f_flags & 0x3000) == 0x3000)
821 {
822 struct file * file;
823 unsigned long loader;
824
825 allow_write_access(bprm->file);
826 fput(bprm->file);
827 bprm->file = NULL;
828
829 loader = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
830
831 file = open_exec("/sbin/loader");
832 retval = PTR_ERR(file);
833 if (IS_ERR(file))
834 return retval;
835
836 /* Remember if the application is TASO. */
837 bprm->sh_bang = eh->ah.entry < 0x100000000;
838
839 bprm->file = file;
840 bprm->loader = loader;
841 retval = prepare_binprm(bprm);
842 if (retval<0)
843 return retval;
844 /* should call search_binary_handler recursively here,
845 but it does not matter */
846 }
847 }
848 #endif
849 /* kernel module loader fixup */
850 /* so we don't try to load run modprobe in kernel space. */
851 set_fs(USER_DS);
852 for (try=0; try<2; try++) {
853 read_lock(&binfmt_lock);
854 for (fmt = formats ; fmt ; fmt = fmt->next) {
855 int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary;
856 if (!fn)
857 continue;
858 if (!try_inc_mod_count(fmt->module))
859 continue;
860 read_unlock(&binfmt_lock);
861 retval = fn(bprm, regs);
862 if (retval >= 0) {
863 put_binfmt(fmt);
864 allow_write_access(bprm->file);
865 if (bprm->file)
866 fput(bprm->file);
867 bprm->file = NULL;
868 current->did_exec = 1;
869 return retval;
870 }
871 read_lock(&binfmt_lock);
872 put_binfmt(fmt);
873 if (retval != -ENOEXEC)
874 break;
875 if (!bprm->file) {
876 read_unlock(&binfmt_lock);
877 return retval;
878 }
879 }
880 read_unlock(&binfmt_lock);
881 if (retval != -ENOEXEC) {
882 break;
883 #ifdef CONFIG_KMOD
884 }else{
885 #define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
886 char modname[20];
887 if (printable(bprm->buf[0]) &&
888 printable(bprm->buf[1]) &&
889 printable(bprm->buf[2]) &&
890 printable(bprm->buf[3]))
891 break; /* -ENOEXEC */
892 sprintf(modname, "binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
893 request_module(modname);
894 #endif
895 }
896 }
897 return retval;
898 }
899
900
901 /*
902 * sys_execve() executes a new program.
903 */
904 int do_execve(char * filename, char ** argv, char ** envp, struct pt_regs * regs)
905 {
906 struct linux_binprm bprm;
907 struct file *file;
908 int retval;
909 int i;
910
911 file = open_exec(filename);
912
913 retval = PTR_ERR(file);
914 if (IS_ERR(file))
915 return retval;
916
917 bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
918 memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0]));
919
920 bprm.file = file;
921 bprm.filename = filename;
922 bprm.sh_bang = 0;
923 bprm.loader = 0;
924 bprm.exec = 0;
925 if ((bprm.argc = count(argv, bprm.p / sizeof(void *))) < 0) {
926 allow_write_access(file);
927 fput(file);
928 return bprm.argc;
929 }
930
931 if ((bprm.envc = count(envp, bprm.p / sizeof(void *))) < 0) {
932 allow_write_access(file);
933 fput(file);
934 return bprm.envc;
935 }
936
937 retval = prepare_binprm(&bprm);
938 if (retval < 0)
939 goto out;
940
941 retval = copy_strings_kernel(1, &bprm.filename, &bprm);
942 if (retval < 0)
943 goto out;
944
945 bprm.exec = bprm.p;
946 retval = copy_strings(bprm.envc, envp, &bprm);
947 if (retval < 0)
948 goto out;
949
950 retval = copy_strings(bprm.argc, argv, &bprm);
951 if (retval < 0)
952 goto out;
953
954 retval = search_binary_handler(&bprm,regs);
955 if (retval >= 0)
956 /* execve success */
957 return retval;
958
959 out:
960 /* Something went wrong, return the inode and free the argument pages*/
961 allow_write_access(bprm.file);
962 if (bprm.file)
963 fput(bprm.file);
964
965 for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
966 struct page * page = bprm.page[i];
967 if (page)
968 __free_page(page);
969 }
970
971 return retval;
972 }
973
974 void set_binfmt(struct linux_binfmt *new)
975 {
976 struct linux_binfmt *old = current->binfmt;
977 if (new && new->module)
978 __MOD_INC_USE_COUNT(new->module);
979 current->binfmt = new;
980 if (old && old->module)
981 __MOD_DEC_USE_COUNT(old->module);
982 }
983
984 #define CORENAME_MAX_SIZE 64
985
986 /* format_corename will inspect the pattern parameter, and output a
987 * name into corename, which must have space for at least
988 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
989 */
990 void format_corename(char *corename, const char *pattern, long signr)
991 {
992 const char *pat_ptr = pattern;
993 char *out_ptr = corename;
994 char *const out_end = corename + CORENAME_MAX_SIZE;
995 int rc;
996 int pid_in_pattern = 0;
997
998 /* Repeat as long as we have more pattern to process and more output
999 space */
1000 while (*pat_ptr) {
1001 if (*pat_ptr != '%') {
1002 if (out_ptr == out_end)
1003 goto out;
1004 *out_ptr++ = *pat_ptr++;
1005 } else {
1006 switch (*++pat_ptr) {
1007 case 0:
1008 goto out;
1009 /* Double percent, output one percent */
1010 case '%':
1011 if (out_ptr == out_end)
1012 goto out;
1013 *out_ptr++ = '%';
1014 break;
1015 /* pid */
1016 case 'p':
1017 pid_in_pattern = 1;
1018 rc = snprintf(out_ptr, out_end - out_ptr,
1019 "%d", current->pid);
1020 if (rc > out_end - out_ptr)
1021 goto out;
1022 out_ptr += rc;
1023 break;
1024 /* uid */
1025 case 'u':
1026 rc = snprintf(out_ptr, out_end - out_ptr,
1027 "%d", current->uid);
1028 if (rc > out_end - out_ptr)
1029 goto out;
1030 out_ptr += rc;
1031 break;
1032 /* gid */
1033 case 'g':
1034 rc = snprintf(out_ptr, out_end - out_ptr,
1035 "%d", current->gid);
1036 if (rc > out_end - out_ptr)
1037 goto out;
1038 out_ptr += rc;
1039 break;
1040 /* signal that caused the coredump */
1041 case 's':
1042 rc = snprintf(out_ptr, out_end - out_ptr,
1043 "%ld", signr);
1044 if (rc > out_end - out_ptr)
1045 goto out;
1046 out_ptr += rc;
1047 break;
1048 /* UNIX time of coredump */
1049 case 't': {
1050 struct timeval tv;
1051 do_gettimeofday(&tv);
1052 rc = snprintf(out_ptr, out_end - out_ptr,
1053 "%ld", tv.tv_sec);
1054 if (rc > out_end - out_ptr)
1055 goto out;
1056 out_ptr += rc;
1057 break;
1058 }
1059 /* hostname */
1060 case 'h':
1061 down_read(&uts_sem);
1062 rc = snprintf(out_ptr, out_end - out_ptr,
1063 "%s", system_utsname.nodename);
1064 up_read(&uts_sem);
1065 if (rc > out_end - out_ptr)
1066 goto out;
1067 out_ptr += rc;
1068 break;
1069 /* executable */
1070 case 'e':
1071 rc = snprintf(out_ptr, out_end - out_ptr,
1072 "%s", current->comm);
1073 if (rc > out_end - out_ptr)
1074 goto out;
1075 out_ptr += rc;
1076 break;
1077 default:
1078 break;
1079 }
1080 ++pat_ptr;
1081 }
1082 }
1083 /* Backward compatibility with core_uses_pid:
1084 *
1085 * If core_pattern does not include a %p (as is the default)
1086 * and core_uses_pid is set, then .%pid will be appended to
1087 * the filename */
1088 if (!pid_in_pattern
1089 && (core_uses_pid || atomic_read(¤t->mm->mm_users) != 1)) {
1090 rc = snprintf(out_ptr, out_end - out_ptr,
1091 ".%d", current->pid);
1092 if (rc > out_end - out_ptr)
1093 goto out;
1094 out_ptr += rc;
1095 }
1096 out:
1097 *out_ptr = 0;
1098 }
1099
1100 int do_coredump(long signr, struct pt_regs * regs)
1101 {
1102 struct linux_binfmt * binfmt;
1103 char corename[CORENAME_MAX_SIZE + 1];
1104 struct file * file;
1105 struct inode * inode;
1106 int retval = 0;
1107
1108 lock_kernel();
1109 binfmt = current->binfmt;
1110 if (!binfmt || !binfmt->core_dump)
1111 goto fail;
1112 if (!is_dumpable(current))
1113 goto fail;
1114 current->mm->dumpable = 0;
1115 if (current->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
1116 goto fail;
1117
1118 format_corename(corename, core_pattern, signr);
1119 file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW, 0600);
1120 if (IS_ERR(file))
1121 goto fail;
1122 inode = file->f_dentry->d_inode;
1123 if (inode->i_nlink > 1)
1124 goto close_fail; /* multiple links - don't dump */
1125 if (d_unhashed(file->f_dentry))
1126 goto close_fail;
1127
1128 if (!S_ISREG(inode->i_mode))
1129 goto close_fail;
1130 if (!file->f_op)
1131 goto close_fail;
1132 if (!file->f_op->write)
1133 goto close_fail;
1134 if (do_truncate(file->f_dentry, 0) != 0)
1135 goto close_fail;
1136
1137 retval = binfmt->core_dump(signr, regs, file);
1138
1139 close_fail:
1140 filp_close(file, NULL);
1141 fail:
1142 unlock_kernel();
1143 return retval;
1144 }
Cache object: 8952c06e103b4bc5f2e361e432cc36d7
|