linux-bk/fs/exec.c
   1/*
   2 *  linux/fs/exec.c
   3 *
   4 *  Copyright (C) 1991, 1992  Linus Torvalds
   5 */
   6
   7/*
   8 * #!-checking implemented by tytso.
   9 */
  10/*
  11 * Demand-loading implemented 01.12.91 - no need to read anything but
  12 * the header into memory. The inode of the executable is put into
  13 * "current->executable", and page faults do the actual loading. Clean.
  14 *
  15 * Once more I can proudly say that linux stood up to being changed: it
  16 * was less than 2 hours work to get demand-loading completely implemented.
  17 *
  18 * Demand loading changed July 1993 by Eric Youngdale.   Use mmap instead,
  19 * current->executable is only used by the procfs.  This allows a dispatch
  20 * table to check for several different types  of binary formats.  We keep
  21 * trying until we recognize the file or we run out of supported binary
  22 * formats. 
  23 */
  24
  25#include <linux/config.h>
  26#include <linux/slab.h>
  27#include <linux/file.h>
  28#include <linux/mman.h>
  29#include <linux/a.out.h>
  30#include <linux/stat.h>
  31#include <linux/fcntl.h>
  32#include <linux/smp_lock.h>
  33#include <linux/init.h>
  34#include <linux/pagemap.h>
  35#include <linux/highmem.h>
  36#include <linux/spinlock.h>
  37#include <linux/key.h>
  38#include <linux/personality.h>
  39#include <linux/binfmts.h>
  40#include <linux/swap.h>
  41#include <linux/utsname.h>
  42#include <linux/module.h>
  43#include <linux/namei.h>
  44#include <linux/proc_fs.h>
  45#include <linux/ptrace.h>
  46#include <linux/mount.h>
  47#include <linux/security.h>
  48#include <linux/syscalls.h>
  49#include <linux/rmap.h>
  50#include <linux/acct.h>
  51
  52#include <asm/uaccess.h>
  53#include <asm/mmu_context.h>
  54
  55#ifdef CONFIG_KMOD
  56#include <linux/kmod.h>
  57#endif
  58
/*
 * NOTE(review): core_uses_pid is not referenced in this part of the file;
 * presumably a core-dump naming switch - confirm against its users.
 */
int core_uses_pid;

/*
 * The maximal length of core_pattern is also specified in sysctl.c.
 * The 65-byte size below and that second copy must be changed together,
 * otherwise the two sides disagree about how much may be written here.
 */
char core_pattern[65] = "core";

/* Head of the singly linked list of registered binary formats. */
static struct linux_binfmt *formats;
/* Protects the formats list: taken for write to add/remove, for read to walk. */
static DEFINE_RWLOCK(binfmt_lock);
  65
/*
 * Add a binary format handler to the head of the global formats list.
 *
 * Returns 0 on success, -EINVAL for a NULL fmt, and -EBUSY when fmt already
 * looks registered: either its ->next link is set, or it is found on the
 * list (the list walk is what catches a handler sitting at the tail, whose
 * ->next is NULL).
 *
 * Note that the ->next test is made before binfmt_lock is taken.
 */
int register_binfmt(struct linux_binfmt * fmt)
{
	struct linux_binfmt *cur;
	int ret = 0;

	if (!fmt)
		return -EINVAL;
	if (fmt->next)
		return -EBUSY;

	write_lock(&binfmt_lock);
	for (cur = formats; cur; cur = cur->next) {
		if (cur == fmt) {
			ret = -EBUSY;
			goto unlock;
		}
	}
	/* Not on the list yet: push it at the front. */
	fmt->next = formats;
	formats = fmt;
unlock:
	write_unlock(&binfmt_lock);
	return ret;
}

EXPORT_SYMBOL(register_binfmt);
  89
/*
 * Remove a binary format handler from the global formats list.
 *
 * Returns 0 if fmt was found and unlinked, -EINVAL if it is not on the list.
 *
 * NOTE(review): fmt->next is left untouched after the unlink, so a handler
 * that was not the list tail still has ->next set and a later
 * register_binfmt() on it returns -EBUSY unless the caller clears it.
 */
int unregister_binfmt(struct linux_binfmt * fmt)
{
	struct linux_binfmt **link;
	int ret = -EINVAL;

	write_lock(&binfmt_lock);
	for (link = &formats; *link; link = &(*link)->next) {
		if (*link == fmt) {
			/* Splice fmt out by pointing its predecessor past it. */
			*link = fmt->next;
			ret = 0;
			break;
		}
	}
	write_unlock(&binfmt_lock);
	return ret;
}

EXPORT_SYMBOL(unregister_binfmt);
 108
/*
 * Drop the reference on the module that owns this binary format.  Pairs
 * with the try_module_get(fmt->module) done before a handler is called
 * with binfmt_lock released (see sys_uselib()).
 */
static inline void put_binfmt(struct linux_binfmt * fmt)
{
	struct module *owner = fmt->module;

	module_put(owner);
}
 113
/*
 * uselib() system call: hand a shared library file to the registered
 * binary format handlers until one of them accepts it.
 *
 * Note that a shared library must be both readable and executable due to
 * security reasons: the caller needs MAY_READ | MAY_EXEC on the inode and
 * the target must be a regular file.
 *
 * Also note that we take the address to load from from the file itself.
 *
 * Returns the handler's result, or a negative errno: the lookup or
 * permission error, -EINVAL for a non-regular file, the dentry_open()
 * error, or -ENOEXEC when the file has no f_op or no handler took it.
 */
asmlinkage long sys_uselib(const char __user * library)
{
	struct linux_binfmt *fmt;
	struct nameidata nd;
	struct file *file;
	int error;

	nd.intent.open.flags = FMODE_READ;
	error = __user_walk(library, LOOKUP_FOLLOW|LOOKUP_OPEN, &nd);
	if (error)
		return error;

	if (!S_ISREG(nd.dentry->d_inode->i_mode)) {
		path_release(&nd);
		return -EINVAL;
	}

	error = permission(nd.dentry->d_inode, MAY_READ | MAY_EXEC, &nd);
	if (error) {
		path_release(&nd);
		return error;
	}

	/* From here on the path is not released by this function. */
	file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
	if (IS_ERR(file))
		return PTR_ERR(file);

	error = -ENOEXEC;
	if (file->f_op) {
		read_lock(&binfmt_lock);
		for (fmt = formats; fmt; fmt = fmt->next) {
			if (!fmt->load_shlib || !try_module_get(fmt->module))
				continue;
			/*
			 * The handler runs without binfmt_lock; the module
			 * reference taken above is held across the call and
			 * dropped only after the lock is re-taken.
			 */
			read_unlock(&binfmt_lock);
			error = fmt->load_shlib(file);
			read_lock(&binfmt_lock);
			put_binfmt(fmt);
			/* Anything but "not my format" ends the search. */
			if (error != -ENOEXEC)
				break;
		}
		read_unlock(&binfmt_lock);
	}
	fput(file);
	return error;
}
 170
/*
 * count() counts the number of strings in array ARGV.
 *
 * argv is a NULL-terminated vector of user-space pointers; every slot is
 * fetched with get_user(), so an unreadable slot yields -EFAULT.  The
 * vector length is caller-controlled, hence the hard bound: more than
 * max entries yields -E2BIG.  A NULL argv counts as zero strings.
 */
static int count(char __user * __user * argv, int max)
{
	int n = 0;

	if (argv == NULL)
		return 0;

	for (;;) {
		char __user *str;

		if (get_user(str, argv))
			return -EFAULT;
		if (str == NULL)
			return n;
		argv++;
		if (++n > max)
			return -E2BIG;
		/* The walk can be long; let other tasks run in between. */
		cond_resched();
	}
}
 194
/*
 * 'copy_strings()' copies argument/environment strings from user
 * memory to free pages in kernel mem. These are in a format ready
 * to be put directly into the top of new user memory.
 *
 * Strings are taken from argv[argc-1] down to argv[0] and packed downwards
 * from bprm->p, which is lowered by each string's length.  The length comes
 * from strnlen_user() bounded by the space still left (bprm->p); a result
 * of 0 is treated as a fault, and a string that does not fit in the
 * remaining space yields -E2BIG.
 *
 * Pages in bprm->page[] are allocated on demand.  Whatever part of a newly
 * allocated page the current string does not cover is zeroed, so the page
 * never carries stale contents when it is later mapped into the new
 * process (see setup_arg_pages()).
 *
 * Returns 0 on success, -EFAULT, -E2BIG or -ENOMEM on failure.  On failure
 * bprm->p and any pages already filled are left as they are.
 */
int copy_strings(int argc,char __user * __user * argv, struct linux_binprm *bprm)
{
	struct page *kmapped_page = NULL;
	char *kaddr = NULL;
	int ret = 0;

	while (argc-- > 0) {
		char __user *str;
		unsigned long pos;
		int len;

		if (get_user(str, argv + argc)) {
			ret = -EFAULT;
			goto out;
		}
		len = strnlen_user(str, bprm->p);
		if (!len) {
			ret = -EFAULT;
			goto out;
		}

		/* Not enough room left below bprm->p for this string. */
		if (bprm->p < len) {
			ret = -E2BIG;
			goto out;
		}

		bprm->p -= len;
		/* XXX: add architecture specific overflow check here. */
		pos = bprm->p;

		/* Copy the string, one page-bounded chunk at a time. */
		while (len > 0) {
			struct page *page;
			int idx, fresh, err;
			int offset, chunk;

			offset = pos % PAGE_SIZE;
			idx = pos/PAGE_SIZE;
			page = bprm->page[idx];
			fresh = 0;
			if (!page) {
				page = alloc_page(GFP_HIGHUSER);
				bprm->page[idx] = page;
				if (!page) {
					ret = -ENOMEM;
					goto out;
				}
				fresh = 1;
			}

			/* Keep at most one page kmapped at any time. */
			if (page != kmapped_page) {
				if (kmapped_page)
					kunmap(kmapped_page);
				kmapped_page = page;
				kaddr = kmap(kmapped_page);
			}

			/* New page: clear the part in front of the data... */
			if (fresh && offset)
				memset(kaddr, 0, offset);
			chunk = PAGE_SIZE - offset;
			if (chunk > len) {
				chunk = len;
				/* ...and the part behind it. */
				if (fresh)
					memset(kaddr+offset+len, 0,
						PAGE_SIZE-offset-len);
			}
			err = copy_from_user(kaddr+offset, str, chunk);
			if (err) {
				ret = -EFAULT;
				goto out;
			}

			pos += chunk;
			str += chunk;
			len -= chunk;
		}
	}
out:
	if (kmapped_page)
		kunmap(kmapped_page);
	return ret;
}
 277
/*
 * Like copy_strings, but get argv and its values from kernel memory.
 *
 * The address limit is switched to KERNEL_DS for the duration of the call
 * so that the user-access helpers inside copy_strings() accept kernel
 * pointers, and is restored before returning.  While the limit is lifted
 * those helpers no longer reject kernel addresses, so argv and the strings
 * it points to must come from the kernel itself, never from user space.
 */
int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm)
{
	mm_segment_t saved_fs = get_fs();
	int ret;

	set_fs(KERNEL_DS);
	ret = copy_strings(argc, (char __user * __user *)argv, bprm);
	set_fs(saved_fs);
	return ret;
}

EXPORT_SYMBOL(copy_strings_kernel);
 292
 293#ifdef CONFIG_MMU
/*
 * This routine is used to map in a page into an address space: needed by
 * execve() for the initial stack and environment pages.
 *
 * vma->vm_mm->mmap_sem is held for writing.
 *
 * The page is installed writable and dirty at address.  If the page tables
 * cannot be set up, or a mapping already exists at address, the page is
 * freed and the current task is sent SIGKILL; nothing is returned to the
 * caller in either case.
 */
void install_arg_page(struct vm_area_struct *vma,
			struct page *page, unsigned long address)
{
	struct mm_struct *mm = vma->vm_mm;
	pgd_t *pgd;
	pud_t *pud;
	pmd_t *pmd;
	pte_t *pte;

	if (unlikely(anon_vma_prepare(vma)))
		goto kill;

	flush_dcache_page(page);
	pgd = pgd_offset(mm, address);

	spin_lock(&mm->page_table_lock);
	pud = pud_alloc(mm, pgd, address);
	if (!pud)
		goto unlock_kill;
	pmd = pmd_alloc(mm, pud, address);
	if (!pmd)
		goto unlock_kill;
	pte = pte_alloc_map(mm, pmd, address);
	if (!pte)
		goto unlock_kill;
	/* Never overwrite an existing mapping. */
	if (!pte_none(*pte)) {
		pte_unmap(pte);
		goto unlock_kill;
	}
	mm->rss++;
	lru_cache_add_active(page);
	set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(
					page, vma->vm_page_prot))));
	page_add_anon_rmap(page, vma, address);
	pte_unmap(pte);
	spin_unlock(&mm->page_table_lock);

	/* no need for flush_tlb */
	return;

unlock_kill:
	spin_unlock(&mm->page_table_lock);
kill:
	__free_page(page);
	force_sig(SIGKILL, current);
}
 345
#define EXTRA_STACK_VM_PAGES	20	/* random */

/*
 * Create the initial stack vma of the new image in current->mm and map the
 * argument/environment pages collected in bprm->page[] into it.
 *
 * stack_top is the top of the stack area; executable_stack selects whether
 * VM_EXEC is forced on, forced off, or left at the architecture default.
 * bprm->p, bprm->exec and (if set) bprm->loader are rebased from offsets
 * within the argument area to addresses, and mm->arg_start is set.
 *
 * Returns 0 on success, -ENOMEM if the vma cannot be allocated or the
 * memory accounting check refuses the size, or the error returned by
 * insert_vm_struct().  A failure inside install_arg_page() is not
 * reported here; that function kills the task itself.
 */
int setup_arg_pages(struct linux_binprm *bprm,
		    unsigned long stack_top,
		    int executable_stack)
{
	unsigned long stack_base;
	struct vm_area_struct *mpnt;
	struct mm_struct *mm = current->mm;
	int i, ret;
	long arg_size;

#ifdef CONFIG_STACK_GROWSUP
	/* Move the argument and environment strings to the bottom of the
	 * stack space.
	 */
	int offset, j;
	char *to, *from;

	/* Start by shifting all the pages down */
	i = 0;
	for (j = 0; j < MAX_ARG_PAGES; j++) {
		struct page *page = bprm->page[j];

		if (page)
			bprm->page[i++] = page;
	}

	/* Now move them within their pages */
	offset = bprm->p % PAGE_SIZE;
	to = kmap(bprm->page[0]);
	for (j = 1; j < i; j++) {
		memmove(to, to + offset, PAGE_SIZE - offset);
		from = kmap(bprm->page[j]);
		memcpy(to + PAGE_SIZE - offset, from, offset);
		kunmap(bprm->page[j - 1]);
		to = from;
	}
	memmove(to, to + offset, PAGE_SIZE - offset);
	kunmap(bprm->page[j - 1]);

	/* Limit stack size to 1GB */
	stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max;
	if (stack_base > (1 << 30))
		stack_base = 1 << 30;
	stack_base = PAGE_ALIGN(stack_top - stack_base);

	/* Adjust bprm->p to point to the end of the strings. */
	bprm->p = stack_base + PAGE_SIZE * i - offset;

	mm->arg_start = stack_base;
	arg_size = i << PAGE_SHIFT;

	/* zero pages that were copied above */
	while (i < MAX_ARG_PAGES)
		bprm->page[i++] = NULL;
#else
	stack_base = stack_top - MAX_ARG_PAGES * PAGE_SIZE;
	bprm->p += stack_base;
	mm->arg_start = bprm->p;
	arg_size = stack_top - (PAGE_MASK & (unsigned long) mm->arg_start);
#endif

	arg_size += EXTRA_STACK_VM_PAGES * PAGE_SIZE;

	if (bprm->loader)
		bprm->loader += stack_base;
	bprm->exec += stack_base;

	mpnt = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
	if (!mpnt)
		return -ENOMEM;

	/* Let the memory accounting check veto the stack size. */
	if (security_vm_enough_memory(arg_size >> PAGE_SHIFT)) {
		kmem_cache_free(vm_area_cachep, mpnt);
		return -ENOMEM;
	}

	memset(mpnt, 0, sizeof(*mpnt));

	down_write(&mm->mmap_sem);

	mpnt->vm_mm = mm;
#ifdef CONFIG_STACK_GROWSUP
	mpnt->vm_start = stack_base;
	mpnt->vm_end = stack_base + arg_size;
#else
	mpnt->vm_end = stack_top;
	mpnt->vm_start = mpnt->vm_end - arg_size;
#endif
	/* Adjust stack execute permissions; explicitly enable
	 * for EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X
	 * and leave alone (arch default) otherwise. */
	if (unlikely(executable_stack == EXSTACK_ENABLE_X))
		mpnt->vm_flags = VM_STACK_FLAGS |  VM_EXEC;
	else if (executable_stack == EXSTACK_DISABLE_X)
		mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC;
	else
		mpnt->vm_flags = VM_STACK_FLAGS;
	mpnt->vm_flags |= mm->def_flags;
	/* Page protection is looked up from the low three flag bits. */
	mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7];

	ret = insert_vm_struct(mm, mpnt);
	if (ret) {
		up_write(&mm->mmap_sem);
		kmem_cache_free(vm_area_cachep, mpnt);
		return ret;
	}
	mm->stack_vm = mm->total_vm = vma_pages(mpnt);

	/*
	 * Hand every collected page over to the new address space; the
	 * slot is cleared first, so ownership moves to install_arg_page().
	 */
	for (i = 0; i < MAX_ARG_PAGES; i++, stack_base += PAGE_SIZE) {
		struct page *page = bprm->page[i];

		if (!page)
			continue;
		bprm->page[i] = NULL;
		install_arg_page(mpnt, page, stack_base);
	}
	up_write(&mm->mmap_sem);

	return 0;
}

EXPORT_SYMBOL(setup_arg_pages);
 469
 470#define free_arg_pages(bprm) do { } while (0)
 471
 472#else
 473
/*
 * Variant used when CONFIG_MMU is not set: free every argument page still
 * held in bprm->page[] and clear the slots so none is freed twice.
 */
static inline void free_arg_pages(struct linux_binprm *bprm)
{
	int i = 0;

	while (i < MAX_ARG_PAGES) {
		struct page *page = bprm->page[i];

		if (page)
			__free_page(page);
		bprm->page[i++] = NULL;
	}
}
 484
 485#endif /* CONFIG_MMU */
 486
/*
 * Look up name and open it read-only for execution.
 *
 * The file is refused with -EACCES unless all of the following hold:
 *   - its mount is not flagged MNT_NOEXEC,
 *   - it is a regular file,
 *   - permission() grants MAY_EXEC (its error is returned otherwise),
 *   - at least one execute bit is set in the mode.  This is tested
 *     separately from permission(); prepare_binprm() documents why: with
 *     CAP_DAC_OVERRIDE the permission check lets a non-executable through.
 * After the open, deny_write_access() must succeed as well.
 * NOTE(review): presumably that call keeps the file from being written
 * while it is being executed - confirm against its definition.
 *
 * Returns the open file, or an ERR_PTR() carrying the negative errno.
 */
struct file *open_exec(const char *name)
{
	struct nameidata nd;
	struct inode *inode;
	struct file *file;
	int err;

	nd.intent.open.flags = FMODE_READ;
	err = path_lookup(name, LOOKUP_FOLLOW|LOOKUP_OPEN, &nd);
	if (err)
		return ERR_PTR(err);

	inode = nd.dentry->d_inode;
	err = -EACCES;
	if ((nd.mnt->mnt_flags & MNT_NOEXEC) || !S_ISREG(inode->i_mode))
		goto release;

	err = permission(inode, MAY_EXEC, &nd);
	if (!err && !(inode->i_mode & 0111))
		err = -EACCES;
	if (err)
		goto release;

	/* The path is not released by this function past this point. */
	file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
	if (IS_ERR(file))
		return file;

	err = deny_write_access(file);
	if (err) {
		fput(file);
		return ERR_PTR(err);
	}
	return file;

release:
	path_release(&nd);
	return ERR_PTR(err);
}

EXPORT_SYMBOL(open_exec);
 525
/*
 * Read up to count bytes from file, starting at offset, into the kernel
 * buffer addr.  Returns whatever vfs_read() returns.
 *
 * vfs_read() takes a user pointer, so the address limit is widened with
 * set_fs(get_ds()) around the call and restored afterwards.  addr must be
 * a kernel buffer of at least count bytes; no user-supplied pointer may be
 * passed here, since the usual user-range check is off during the call.
 */
int kernel_read(struct file *file, unsigned long offset,
	char *addr, unsigned long count)
{
	mm_segment_t saved_fs = get_fs();
	loff_t pos = offset;
	int nread;

	set_fs(get_ds());
	/* The cast to a user pointer is valid due to the set_fs() */
	nread = vfs_read(file, (void __user *)addr, count, &pos);
	set_fs(saved_fs);
	return nread;
}

EXPORT_SYMBOL(kernel_read);
 542
/*
 * Switch the current task over to the new address space mm and drop its
 * reference on the old one.
 *
 * Returns 0 on success, or -EINTR when a core dump is in progress for the
 * old mm; in that case the task's mm is left unchanged.
 */
static int exec_mmap(struct mm_struct *mm)
{
	struct task_struct *tsk = current;
	struct mm_struct *old_mm = tsk->mm;
	struct mm_struct *active_mm;

	/* Notify parent that we're no longer interested in the old VM */
	mm_release(tsk, old_mm);

	if (old_mm) {
		/*
		 * Make sure that if there is a core dump in progress
		 * for the old mm, we get out and die instead of going
		 * through with the exec.  We must hold mmap_sem around
		 * checking core_waiters and changing tsk->mm.  The
		 * core-inducing thread will increment core_waiters for
		 * each thread whose ->mm == old_mm.
		 */
		down_read(&old_mm->mmap_sem);
		if (unlikely(old_mm->core_waiters)) {
			up_read(&old_mm->mmap_sem);
			return -EINTR;
		}
	}

	task_lock(tsk);
	active_mm = tsk->active_mm;
	tsk->mm = mm;
	tsk->active_mm = mm;
	activate_mm(active_mm, mm);
	task_unlock(tsk);
	arch_pick_mmap_layout(mm);

	if (!old_mm) {
		/* There was no mm of our own; only active_mm was borrowed. */
		mmdrop(active_mm);
		return 0;
	}

	up_read(&old_mm->mmap_sem);
	BUG_ON(active_mm != old_mm);
	mmput(old_mm);
	return 0;
}
 584
/*
 * This function makes sure the current process has its own signal table,
 * so that flush_signal_handlers can later reset the handlers without
 * disturbing other processes.  (Other processes might share the signal
 * table via the CLONE_SIGHAND option to clone().)
 *
 * Along the way every other thread of the group is killed and, if the
 * caller is not the group leader, it takes over the leader's PID.
 *
 * Returns 0 on success, -ENOMEM if a new sighand structure cannot be
 * allocated, or -EAGAIN if another group-wide action is already in
 * progress (SIGNAL_GROUP_EXIT set).
 */
static inline int de_thread(struct task_struct *tsk)
{
	struct signal_struct *sig = tsk->signal;
	struct sighand_struct *oldsighand = tsk->sighand;
	struct sighand_struct *newsighand;
	spinlock_t *lock = &oldsighand->siglock;
	int count;

	/*
	 * If we don't share sighandlers, then we aren't sharing anything
	 * and we can just re-use it all.
	 */
	if (atomic_read(&oldsighand->count) <= 1) {
		BUG_ON(atomic_read(&sig->count) != 1);
		exit_itimers(sig);
		return 0;
	}

	newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
	if (!newsighand)
		return -ENOMEM;

	if (thread_group_empty(current))
		goto no_thread_group;

	/*
	 * Kill all other threads in the thread group.
	 * We must hold tasklist_lock to call zap_other_threads.
	 */
	read_lock(&tasklist_lock);
	spin_lock_irq(lock);
	if (sig->flags & SIGNAL_GROUP_EXIT) {
		/*
		 * Another group action in progress, just
		 * return so that the signal is processed.
		 */
		spin_unlock_irq(lock);
		read_unlock(&tasklist_lock);
		kmem_cache_free(sighand_cachep, newsighand);
		return -EAGAIN;
	}
	zap_other_threads(current);
	read_unlock(&tasklist_lock);

	/*
	 * Account for the thread group leader hanging around:
	 */
	count = thread_group_leader(current) ? 1 : 2;
	while (atomic_read(&sig->count) > count) {
		sig->group_exit_task = current;
		sig->notify_count = count;
		__set_current_state(TASK_UNINTERRUPTIBLE);
		/* siglock is dropped only while we sleep. */
		spin_unlock_irq(lock);
		schedule();
		spin_lock_irq(lock);
	}
	sig->group_exit_task = NULL;
	sig->notify_count = 0;
	spin_unlock_irq(lock);

	/*
	 * At this point all other threads have exited, all we have to
	 * do is to wait for the thread group leader to become inactive,
	 * and to assume its PID:
	 */
	if (!thread_group_leader(current)) {
		struct task_struct *leader = current->group_leader, *parent;
		struct dentry *proc_dentry1, *proc_dentry2;
		unsigned long exit_state, ptrace;

		/*
		 * Wait for the thread group leader to be a zombie.
		 * It should already be zombie at this point, most
		 * of the time.
		 */
		while (leader->exit_state != EXIT_ZOMBIE)
			yield();

		spin_lock(&leader->proc_lock);
		spin_lock(&current->proc_lock);
		proc_dentry1 = proc_pid_unhash(current);
		proc_dentry2 = proc_pid_unhash(leader);
		write_lock_irq(&tasklist_lock);

		BUG_ON(leader->tgid != current->tgid);
		BUG_ON(current->pid == current->tgid);
		/*
		 * An exec() starts a new thread group with the
		 * TGID of the previous thread group. Rehash the
		 * two threads with a switched PID, and release
		 * the former thread group leader:
		 */
		ptrace = leader->ptrace;
		parent = leader->parent;
		if (unlikely(ptrace) && unlikely(parent == current)) {
			/*
			 * Joker was ptracing his own group leader,
			 * and now he wants to be his own parent!
			 * We can't have that.
			 */
			ptrace = 0;
		}

		ptrace_unlink(current);
		ptrace_unlink(leader);
		remove_parent(current);
		remove_parent(leader);

		switch_exec_pids(leader, current);

		current->parent = current->real_parent = leader->real_parent;
		leader->parent = leader->real_parent = child_reaper;
		current->group_leader = current;
		leader->group_leader = leader;

		add_parent(current, current->parent);
		add_parent(leader, leader->parent);
		/* Carry the old leader's tracer (if any) over to us. */
		if (ptrace) {
			current->ptrace = ptrace;
			__ptrace_link(current, parent);
		}

		list_del(&current->tasks);
		list_add_tail(&current->tasks, &init_task.tasks);
		current->exit_signal = SIGCHLD;
		exit_state = leader->exit_state;

		write_unlock_irq(&tasklist_lock);
		spin_unlock(&leader->proc_lock);
		spin_unlock(&current->proc_lock);
		proc_pid_flush(proc_dentry1);
		proc_pid_flush(proc_dentry2);

		BUG_ON(exit_state != EXIT_ZOMBIE);
		release_task(leader);
	}

	/*
	 * Now there are really no other threads at all,
	 * so it's safe to stop telling them to kill themselves.
	 */
	sig->flags = 0;

no_thread_group:
	BUG_ON(atomic_read(&sig->count) != 1);
	exit_itimers(sig);

	if (atomic_read(&oldsighand->count) == 1) {
		/*
		 * Now that we nuked the rest of the thread group,
		 * it turns out we are not sharing sighand any more either.
		 * So we can just keep it.
		 */
		kmem_cache_free(sighand_cachep, newsighand);
	} else {
		/*
		 * Move our state over to newsighand and switch it in.
		 */
		spin_lock_init(&newsighand->siglock);
		atomic_set(&newsighand->count, 1);
		memcpy(newsighand->action, oldsighand->action,
		       sizeof(newsighand->action));

		write_lock_irq(&tasklist_lock);
		spin_lock(&oldsighand->siglock);
		spin_lock(&newsighand->siglock);

		current->sighand = newsighand;
		recalc_sigpending();

		spin_unlock(&newsighand->siglock);
		spin_unlock(&oldsighand->siglock);
		write_unlock_irq(&tasklist_lock);

		/* Drop our reference; the last sharer frees the old table. */
		if (atomic_dec_and_test(&oldsighand->count))
			kmem_cache_free(sighand_cachep, oldsighand);
	}

	BUG_ON(!thread_group_empty(current));
	BUG_ON(!thread_group_leader(current));
	return 0;
}
 779        
 780/*
  781 * These functions flush out all traces of the currently running executable
 782 * so that a new one can be started
 783 */
 784
/*
 * Close every descriptor marked close-on-exec, so that none of them is
 * carried over into the new program.
 *
 * The close_on_exec bitmap is walked one word at a time under file_lock.
 * Each non-zero word is cleared under the lock, then the lock is dropped
 * while the descriptors it named are closed with sys_close(), and
 * re-taken before the next word.  The table limits are re-read on every
 * iteration.
 */
static inline void flush_old_files(struct files_struct * files)
{
	long word;

	spin_lock(&files->file_lock);
	for (word = 0; ; word++) {
		unsigned long fd = word * __NFDBITS;
		unsigned long bits;

		if (fd >= files->max_fds || fd >= files->max_fdset)
			break;
		bits = files->close_on_exec->fds_bits[word];
		if (!bits)
			continue;
		files->close_on_exec->fds_bits[word] = 0;
		spin_unlock(&files->file_lock);
		/* fd tracks the descriptor number of the lowest bit. */
		while (bits) {
			if (bits & 1)
				sys_close(fd);
			fd++;
			bits >>= 1;
		}
		spin_lock(&files->file_lock);
	}
	spin_unlock(&files->file_lock);
}
 812
/*
 * Copy the command name of tsk into buf under task_lock().
 *
 * buf must be at least sizeof(tsk->comm) in size; the size of buf is not
 * passed in and cannot be checked here.  strncpy() copies exactly that
 * many bytes, so buf ends up NUL-terminated only because tsk->comm itself
 * is: set_task_comm() writes it with strlcpy(), which always terminates.
 */
void get_task_comm(char *buf, struct task_struct *tsk)
{
	const size_t comm_size = sizeof(tsk->comm);

	task_lock(tsk);
	strncpy(buf, tsk->comm, comm_size);
	task_unlock(tsk);
}
 820
/*
 * Set the command name of tsk from the NUL-terminated string buf, under
 * task_lock().  strlcpy() truncates to sizeof(tsk->comm) - 1 characters
 * and always NUL-terminates, so tsk->comm stays a valid C string.
 */
void set_task_comm(struct task_struct *tsk, char *buf)
{
	const size_t comm_size = sizeof(tsk->comm);

	task_lock(tsk);
	strlcpy(tsk->comm, buf, comm_size);
	task_unlock(tsk);
}
 827
/*
 * Detach the current task from everything that belonged to the old
 * program: thread group and shared signal table, shared file table,
 * address space, signal handlers and close-on-exec descriptors.
 *
 * Returns 0 on success.  A failure of de_thread(), unshare_files() or
 * exec_mmap() is returned to the caller; after exec_mmap() has succeeded
 * there is no way back to the old image.
 *
 * mm->dumpable is set to 1 only when the task's effective and real ids
 * match, and is forced back to 0 (together with suid_keys()) when the new
 * image will run with a different euid/egid, when the caller has no read
 * permission on the binary, or when the interpreter flags demand it.
 * NOTE(review): what dumpable gates (core dumps, presumably tracing too)
 * is decided outside this file - confirm there.
 */
int flush_old_exec(struct linux_binprm * bprm)
{
	char tcomm[sizeof(current->comm)];
	struct files_struct *files;
	char *name;
	int i, ch, retval;

	/*
	 * Make sure we have a private signal table and that
	 * we are unassociated from the previous thread group.
	 */
	retval = de_thread(current);
	if (retval)
		goto out;

	/*
	 * Make sure we have private file handles. Ask the
	 * fork helper to do the work for us and the exit
	 * helper to do the cleanup of the old one.
	 */
	files = current->files;		/* refcounted so safe to hold */
	retval = unshare_files();
	if (retval)
		goto out;
	/*
	 * Release all of the old mmap stuff
	 */
	retval = exec_mmap(bprm->mm);
	if (retval)
		goto mmap_failed;

	bprm->mm = NULL;		/* We're using it now */

	/* This is the point of no return */
	steal_locks(files);
	put_files_struct(files);

	current->sas_ss_size = 0;
	current->sas_ss_sp = 0;

	if (current->euid == current->uid && current->egid == current->gid)
		current->mm->dumpable = 1;

	/*
	 * The command name is the last path component of the filename,
	 * truncated to fit tcomm: the index restarts at every '/'.
	 */
	i = 0;
	for (name = bprm->filename; (ch = *name) != '\0'; name++) {
		if (ch == '/')
			i = 0;
		else if (i < (sizeof(tcomm) - 1))
			tcomm[i++] = ch;
	}
	tcomm[i] = '\0';
	set_task_comm(current, tcomm);

	flush_thread();

	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
	    permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
	    (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
		suid_keys(current);
		current->mm->dumpable = 0;
	}

	/* An exec changes our domain. We are no longer part of the thread
	   group */

	current->self_exec_id++;

	flush_signal_handlers(current, 0);
	flush_old_files(current->files);

	return 0;

mmap_failed:
	/* Give up the unshared copy and put the original table back. */
	put_files_struct(current->files);
	current->files = files;
out:
	return retval;
}

EXPORT_SYMBOL(flush_old_exec);
 907
/*
 * prepare_binprm - fill in @bprm from the inode of the file being executed.
 *
 * Rejects files with no execute bit at all and files without file
 * operations (-EACCES), records the effective uid/gid the new image should
 * run with, lets the security module fill in its blob, and finally reads
 * the first BINPRM_BUF_SIZE bytes of the file into bprm->buf.
 *
 * The set-uid / set-gid bits are honoured only when the mount the file
 * lives on does not carry MNT_NOSUID.  Honouring either bit also clears the
 * PER_CLEAR_ON_SETID bits from current->personality.
 *
 * Returns the error from security_bprm_set() if that hook fails, otherwise
 * whatever kernel_read() returns.
 *
 * NOTE(review): i_mode is sampled once into a local, while i_uid/i_gid are
 * read from the inode later and no lock is taken in this function.  Confirm
 * that callers serialise against a concurrent chown/chmod of the file.
 */
int prepare_binprm(struct linux_binprm *bprm)
{
	struct inode *inode = bprm->file->f_dentry->d_inode;
	const int sgid_exec = S_ISGID | S_IXGRP;
	int mode = inode->i_mode;
	int nosuid;
	int err;

	/*
	 * Re-check the execute bits here: a caller holding CAP_DAC_OVERRIDE
	 * gets a non-executable file past generic_permission, so require at
	 * least one execute bit to be set.
	 */
	if ((mode & 0111) == 0)
		return -EACCES;
	if (!bprm->file->f_op)
		return -EACCES;

	/* Default: the new image keeps the caller's effective ids. */
	bprm->e_uid = current->euid;
	bprm->e_gid = current->egid;

	nosuid = bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID;
	if (!nosuid) {
		/* Set-uid binary: run with the file owner's uid. */
		if (mode & S_ISUID) {
			current->personality &= ~PER_CLEAR_ON_SETID;
			bprm->e_uid = inode->i_uid;
		}

		/*
		 * Set-gid binary: S_ISGID without group execute marks a
		 * candidate for mandatory locking, not a set-gid executable,
		 * so both bits must be present.
		 */
		if ((mode & sgid_exec) == sgid_exec) {
			current->personality &= ~PER_CLEAR_ON_SETID;
			bprm->e_gid = inode->i_gid;
		}
	}

	/* Let the security module fill in the binprm security blob. */
	err = security_bprm_set(bprm);
	if (err)
		return err;

	/* Zero first so a short read leaves no stale bytes in the header. */
	memset(bprm->buf, 0, BINPRM_BUF_SIZE);
	return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
}
 958
 959EXPORT_SYMBOL(prepare_binprm);
 960
/*
 * Build the LSM_UNSAFE_* mask describing conditions on task @p that the
 * security module should know about before credentials are changed:
 *
 *   - the task is being ptraced (LSM_UNSAFE_PTRACE_CAP when PT_PTRACE_CAP
 *     is also set in p->ptrace, LSM_UNSAFE_PTRACE otherwise);
 *   - its fs, files or sighand structure has a reference count above one
 *     (LSM_UNSAFE_SHARE).
 *
 * Returns 0 when none of these conditions holds.
 */
static inline int unsafe_exec(struct task_struct *p)
{
	int flags = 0;

	if (p->ptrace & PT_PTRACED)
		flags |= (p->ptrace & PT_PTRACE_CAP) ? LSM_UNSAFE_PTRACE_CAP
						     : LSM_UNSAFE_PTRACE;

	/* Any one shared structure is enough; stop at the first hit. */
	if (atomic_read(&p->fs->count) > 1)
		flags |= LSM_UNSAFE_SHARE;
	else if (atomic_read(&p->files->count) > 1)
		flags |= LSM_UNSAFE_SHARE;
	else if (atomic_read(&p->sighand->count) > 1)
		flags |= LSM_UNSAFE_SHARE;

	return flags;
}
 977
/*
 * compute_creds - apply the credentials prepared in @bprm to the current task.
 *
 * Key handling comes first: suid_keys() runs when the effective uid recorded
 * in @bprm differs from the task's real uid, then exec_keys() runs
 * unconditionally.  The unsafe_exec() snapshot and the
 * security_bprm_apply_creds() hook are both executed with task_lock(current)
 * held, so the hook sees the flags computed under the same lock.  The
 * post-apply hook is called after the lock has been dropped.
 */
void compute_creds(struct linux_binprm *bprm)
{
	int unsafe;

	/* Note: compared against the real uid, not the effective uid. */
	if (bprm->e_uid != current->uid)
		suid_keys(current);
	exec_keys(current);

	task_lock(current);
	unsafe = unsafe_exec(current);
	security_bprm_apply_creds(bprm, unsafe);
	task_unlock(current);
	security_bprm_post_apply_creds(bprm);
}
 992
 993EXPORT_SYMBOL(compute_creds);
 994
/*
 * remove_arg_zero - skip over the string that starts at bprm->p.
 *
 * Does nothing when bprm->argc is zero.  Otherwise bprm->p is advanced one
 * byte at a time through the argument pages until the terminating NUL has
 * been consumed, and bprm->argc is decremented.  Going by the function name,
 * the string skipped is argument zero.
 *
 * The string may cross a page boundary, so each page of bprm->page[] is
 * mapped with kmap_atomic() only while it is being scanned.
 */
void remove_arg_zero(struct linux_binprm *bprm)
{
	if (bprm->argc) {
		unsigned long offset;
		char * kaddr;
		struct page *page;

		offset = bprm->p % PAGE_SIZE;
		/* Enter the loop at the mapping step so kaddr is valid before
		   the first byte is tested. */
		goto inside;

		/* Both bprm->p and offset advance on every test, including
		   the one that finds the NUL. */
		while (bprm->p++, *(kaddr+offset++)) {
			if (offset != PAGE_SIZE)
				continue;
			/* Ran off the end of this page: switch to the next. */
			offset = 0;
			kunmap_atomic(kaddr, KM_USER0);
inside:
			page = bprm->page[bprm->p/PAGE_SIZE];
			kaddr = kmap_atomic(page, KM_USER0);
		}
		kunmap_atomic(kaddr, KM_USER0);
		bprm->argc--;
	}
}
1018
1019EXPORT_SYMBOL(remove_arg_zero);
1020
/*
 * search_binary_handler - cycle through the registered binary format
 * handlers until one recognizes the image described by @bprm.
 *
 * security_bprm_check() is consulted first and its error is returned as is.
 * Each handler on the formats list that has a load_binary method and whose
 * module can be pinned is then tried in turn, with binfmt_lock dropped
 * around the call.  A return value >= 0 from a handler means the image was
 * loaded: the executable file is released, current->did_exec is set and that
 * value is returned.
 *
 * The search stops on any error other than -ENOEXEC, and also as soon as
 * bprm->mm is NULL, i.e. once a handler has taken over the new mm and no
 * other format can be tried.
 *
 * With CONFIG_KMOD the list is walked at most twice: if nothing matched and
 * the first four bytes of the header are not all printable, a module named
 * "binfmt-%04x" (from the 16-bit value at bprm->buf[2]) is requested before
 * the second pass.
 *
 * Returns the handler's result, or a negative errno (-ENOENT if no handler
 * was ever tried).
 */
int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
{
	int try,retval;
	struct linux_binfmt *fmt;
#ifdef __alpha__
	/* handle /sbin/loader.. */
	{
	    struct exec * eh = (struct exec *) bprm->buf;

	    if (!bprm->loader && eh->fh.f_magic == 0x183 &&
		(eh->fh.f_flags & 0x3000) == 0x3000)
	    {
		struct file * file;
		unsigned long loader;

		/* Drop the original executable; /sbin/loader replaces it. */
		allow_write_access(bprm->file);
		fput(bprm->file);
		bprm->file = NULL;

		loader = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);

		file = open_exec("/sbin/loader");
		retval = PTR_ERR(file);
		if (IS_ERR(file))
			return retval;

		/* Remember if the application is TASO.  */
		bprm->sh_bang = eh->ah.entry < 0x100000000UL;

		bprm->file = file;
		bprm->loader = loader;
		/* Re-run the permission checks and re-read the header, this
		   time for the loader. */
		retval = prepare_binprm(bprm);
		if (retval<0)
			return retval;
		/* should call search_binary_handler recursively here,
		   but it does not matter */
	    }
	}
#endif
	retval = security_bprm_check(bprm);
	if (retval)
		return retval;

	/* kernel module loader fixup */
	/* so we don't try to run modprobe in kernel space. */
	set_fs(USER_DS);
	retval = -ENOENT;
	for (try=0; try<2; try++) {
		read_lock(&binfmt_lock);
		for (fmt = formats ; fmt ; fmt = fmt->next) {
			int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary;
			if (!fn)
				continue;
			/* Pin the handler's module before the lock is dropped. */
			if (!try_module_get(fmt->module))
				continue;
			read_unlock(&binfmt_lock);
			retval = fn(bprm, regs);
			if (retval >= 0) {
				put_binfmt(fmt);
				/* NOTE(review): allow_write_access() is called
				   before the NULL test on bprm->file below;
				   presumably it tolerates NULL - confirm. */
				allow_write_access(bprm->file);
				if (bprm->file)
					fput(bprm->file);
				bprm->file = NULL;
				current->did_exec = 1;
				return retval;
			}
			/* Retake the lock before touching the list again. */
			read_lock(&binfmt_lock);
			put_binfmt(fmt);
			if (retval != -ENOEXEC || bprm->mm == NULL)
				break;
			/* The handler gave up the file: nothing left to try. */
			if (!bprm->file) {
				read_unlock(&binfmt_lock);
				return retval;
			}
		}
		read_unlock(&binfmt_lock);
		if (retval != -ENOEXEC || bprm->mm == NULL) {
			break;
#ifdef CONFIG_KMOD
		}else{
#define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
			/* Four printable bytes: no format module is requested
			   for this header. */
			if (printable(bprm->buf[0]) &&
			    printable(bprm->buf[1]) &&
			    printable(bprm->buf[2]) &&
			    printable(bprm->buf[3]))
				break; /* -ENOEXEC */
			/* The module name is derived from file contents, but
			   only as four hex digits of a 16-bit value. */
			request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
#endif
		}
	}
	return retval;
}
1116
1117EXPORT_SYMBOL(search_binary_handler);
1118
/*
 * do_execve - sys_execve() executes a new program.
 *
 * @filename: path of the program; it is copied onto the argument pages with
 *            copy_strings_kernel(), so it is expected to be a kernel pointer
 * @argv:     user-space argument vector
 * @envp:     user-space environment vector
 * @regs:     register state handed on to the binary format handler
 *
 * Allocates and zeroes a linux_binprm, opens the executable, creates a new
 * mm, counts and copies the filename, environment and argument strings onto
 * the argument pages, and then hands over to search_binary_handler().
 *
 * Returns the handler's non-negative result on success, or a negative errno.
 * On failure everything still referenced from the binprm is released through
 * the cleanup labels at the end, in reverse order of acquisition.
 */
int do_execve(char * filename,
	char __user *__user *argv,
	char __user *__user *envp,
	struct pt_regs * regs)
{
	struct linux_binprm *bprm;
	struct file *file;
	int retval;
	int i;

	retval = -ENOMEM;
	bprm = kmalloc(sizeof(*bprm), GFP_KERNEL);
	if (!bprm)
		goto out_ret;
	/* Zeroed so the cleanup path can test each field for "was acquired". */
	memset(bprm, 0, sizeof(*bprm));

	file = open_exec(filename);
	retval = PTR_ERR(file);
	if (IS_ERR(file))
		goto out_kfree;

	sched_exec();

	/* Start at the top of the argument area, less one pointer. */
	bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);

	bprm->file = file;
	bprm->filename = filename;
	bprm->interp = filename;
	bprm->mm = mm_alloc();
	retval = -ENOMEM;
	if (!bprm->mm)
		goto out_file;

	retval = init_new_context(current, bprm->mm);
	if (retval < 0)
		goto out_mm;

	/* The second argument to count() looks like an upper bound on the
	   number of entries - confirm against count(). */
	bprm->argc = count(argv, bprm->p / sizeof(void *));
	if ((retval = bprm->argc) < 0)
		goto out_mm;

	bprm->envc = count(envp, bprm->p / sizeof(void *));
	if ((retval = bprm->envc) < 0)
		goto out_mm;

	retval = security_bprm_alloc(bprm);
	if (retval)
		goto out;

	/* Permission checks, set-id handling and the header read. */
	retval = prepare_binprm(bprm);
	if (retval < 0)
		goto out;

	retval = copy_strings_kernel(1, &bprm->filename, bprm);
	if (retval < 0)
		goto out;

	bprm->exec = bprm->p;
	retval = copy_strings(bprm->envc, envp, bprm);
	if (retval < 0)
		goto out;

	retval = copy_strings(bprm->argc, argv, bprm);
	if (retval < 0)
		goto out;

	retval = search_binary_handler(bprm,regs);
	if (retval >= 0) {
		free_arg_pages(bprm);

		/* execve success */
		security_bprm_free(bprm);
		acct_update_integrals();
		update_mem_hiwater();
		kfree(bprm);
		return retval;
	}

out:
	/* Something went wrong, return the inode and free the argument pages*/
	for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
		struct page * page = bprm->page[i];
		if (page)
			__free_page(page);
	}

	/* Only set once security_bprm_alloc() attached a blob. */
	if (bprm->security)
		security_bprm_free(bprm);

out_mm:
	/* NULL here means the mm is no longer owned by the binprm. */
	if (bprm->mm)
		mmdrop(bprm->mm);

out_file:
	if (bprm->file) {
		allow_write_access(bprm->file);
		fput(bprm->file);
	}

out_kfree:
	kfree(bprm);

out_ret:
	return retval;
}
1227
/*
 * set_binfmt - switch the binary format recorded for the current task.
 *
 * A reference is taken on the module of @new (when @new is not NULL) before
 * it is installed in current->binfmt; the reference held on the previous
 * format's module is dropped afterwards.
 *
 * Returns 0 on success, or -1 if the module reference could not be taken,
 * in which case current->binfmt is left untouched.
 */
int set_binfmt(struct linux_binfmt *new)
{
	struct linux_binfmt *prev = current->binfmt;

	/* Pin the incoming format first so a failure changes nothing. */
	if (new && !try_module_get(new->module))
		return -1;

	current->binfmt = new;
	if (prev)
		module_put(prev->module);

	return 0;
}
1241
1242EXPORT_SYMBOL(set_binfmt);
1243
1244#define CORENAME_MAX_SIZE 64
1245
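/*
 * format_corename - expand a core file name pattern.
 *
 * @corename: output buffer; it must have space for at least
 *            CORENAME_MAX_SIZE bytes plus one byte for the zero terminator
 * @pattern:  NUL-terminated template (do_coredump() passes core_pattern)
 * @signr:    signal number substituted for %s
 *
 * Literal characters are copied through.  Recognized specifiers are
 * %% (a percent sign), %p (tgid), %u (uid), %g (gid), %s (signal),
 * %t (seconds from do_gettimeofday()), %h (nodename) and %e (comm).  Any
 * other specifier is dropped without output, and a '%' at the very end of
 * the pattern ends processing.
 *
 * Expansion stops as soon as the next piece does not fit; a specifier that
 * would be truncated contributes nothing.  The output is always
 * NUL-terminated.
 *
 * snprintf() reports truncation when its return value is greater than OR
 * EQUAL to the size it was given, so every bound check below uses >=.
 * Testing with > alone let an expansion exactly as long as the remaining
 * space through with its last character cut off.
 *
 * NOTE(review): %h and %e copy nodename and comm verbatim.  If either can
 * contain '/', the expansion changes which directory the core file is
 * created in; confirm that the code setting them rejects it, or escape here.
 */
static void format_corename(char *corename, const char *pattern, long signr)
{
	const char *pat_ptr = pattern;
	char *out_ptr = corename;
	char *const out_end = corename + CORENAME_MAX_SIZE;
	int rc;
	int pid_in_pattern = 0;

	/* Repeat as long as we have more pattern to process and more output
	   space */
	while (*pat_ptr) {
		if (*pat_ptr != '%') {
			if (out_ptr == out_end)
				goto out;
			*out_ptr++ = *pat_ptr++;
		} else {
			switch (*++pat_ptr) {
			/* Lone '%' at the end of the pattern */
			case 0:
				goto out;
			/* Double percent, output one percent */
			case '%':
				if (out_ptr == out_end)
					goto out;
				*out_ptr++ = '%';
				break;
			/* pid */
			case 'p':
				pid_in_pattern = 1;
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%d", current->tgid);
				if (rc >= out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* uid */
			case 'u':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%d", current->uid);
				if (rc >= out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* gid */
			case 'g':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%d", current->gid);
				if (rc >= out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* signal that caused the coredump */
			case 's':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%ld", signr);
				if (rc >= out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* UNIX time of coredump */
			case 't': {
				struct timeval tv;
				do_gettimeofday(&tv);
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%lu", tv.tv_sec);
				if (rc >= out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			}
			/* hostname */
			case 'h':
				/* uts_sem is held only across the copy */
				down_read(&uts_sem);
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%s", system_utsname.nodename);
				up_read(&uts_sem);
				if (rc >= out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* executable */
			case 'e':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%s", current->comm);
				if (rc >= out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* Unknown specifier: dropped without output */
			default:
				break;
			}
			++pat_ptr;
		}
	}
	/* Backward compatibility with core_uses_pid:
	 *
	 * If core_pattern does not include a %p (as is the default)
	 * and core_uses_pid is set, or the mm has more than one user,
	 * then .%pid will be appended to the filename */
	if (!pid_in_pattern
	    && (core_uses_pid || atomic_read(&current->mm->mm_users) != 1)) {
		rc = snprintf(out_ptr, out_end - out_ptr,
			      ".%d", current->tgid);
		if (rc >= out_end - out_ptr)
			goto out;
		out_ptr += rc;
	}
      out:
	/* Terminates at out_ptr, cutting off any partly written expansion. */
	*out_ptr = 0;
}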
1359
/*
 * zap_threads - send SIGKILL to every other task that uses @mm.
 *
 * Each task killed is counted in mm->core_waiters.  A pending vfork
 * completion on the current task is signalled first so that nobody is left
 * waiting on us.  If one of the killed tasks is ptraced by a task that
 * shares the same mm, a second pass under the write lock unlinks those
 * ptrace relationships.
 */
static void zap_threads (struct mm_struct *mm)
{
	struct task_struct *g, *p;
	struct task_struct *tsk = current;
	struct completion *vfork_done = tsk->vfork_done;
	int traced = 0;

	/*
	 * Make sure nobody is waiting for us to release the VM,
	 * otherwise we can deadlock when we wait on each other
	 */
	if (vfork_done) {
		tsk->vfork_done = NULL;
		complete(vfork_done);
	}

	/* First pass, read lock only: kill and count the other users of mm. */
	read_lock(&tasklist_lock);
	do_each_thread(g,p)
		if (mm == p->mm && p != tsk) {
			force_sig_specific(SIGKILL, p);
			mm->core_waiters++;
			/* Remember that a tracer/tracee pair lives inside
			   this mm; handled after the lock is dropped. */
			if (unlikely(p->ptrace) &&
			    unlikely(p->parent->mm == mm))
				traced = 1;
		}
	while_each_thread(g,p);

	read_unlock(&tasklist_lock);

	if (unlikely(traced)) {
		/*
		 * We are zapping a thread and the thread it ptraces.
		 * If the tracee went into a ptrace stop for exit tracing,
		 * we could deadlock since the tracer is waiting for this
		 * coredump to finish.  Detach them so they can both die.
		 */
		write_lock_irq(&tasklist_lock);
		do_each_thread(g,p) {
			if (mm == p->mm && p != tsk &&
			    p->ptrace && p->parent->mm == mm) {
				__ptrace_unlink(p);
			}
		} while_each_thread(g,p);
		write_unlock_irq(&tasklist_lock);
	}
}
1406
/*
 * coredump_wait - kill the other users of @mm and wait for them.
 *
 * The caller (do_coredump()) enters with mm->mmap_sem held for writing; it
 * is released here on both branches.  core_waiters is raised by one for the
 * dumping task itself, zap_threads() adds one per task it kills, and our own
 * count is removed again afterwards.  If anything is left, the function
 * blocks on the on-stack startup_done completion published through
 * mm->core_startup_done.
 */
static void coredump_wait(struct mm_struct *mm)
{
	DECLARE_COMPLETION(startup_done);

	mm->core_waiters++; /* let other threads block */
	mm->core_startup_done = &startup_done;

	/* give other threads a chance to run: */
	yield();

	zap_threads(mm);
	/* Drop our own count; non-zero means other tasks are still coming. */
	if (--mm->core_waiters) {
		up_write(&mm->mmap_sem);
		wait_for_completion(&startup_done);
	} else
		up_write(&mm->mmap_sem);
	/* Every waiter must be accounted for by now. */
	BUG_ON(mm->core_waiters);
}
1425
/*
 * do_coredump - write a core file for the current task.
 *
 * @signr:     signal number, used in the file name and passed to the handler
 * @exit_code: stored as the thread group's exit code
 * @regs:      register state passed to the format's core_dump method
 *
 * Nothing is written unless the task's binary format has a core_dump method,
 * mm->dumpable is set, and RLIMIT_CORE is at least the format's
 * min_coredump.  mm->dumpable is cleared before the dump starts.
 *
 * The file name is built from core_pattern.  The file is opened with mode
 * 0600 and O_NOFOLLOW, and the dump is refused when the opened file has more
 * than one hard link, has an unhashed dentry, is not a regular file, has no
 * write method, or cannot be truncated to zero length.
 *
 * Returns the value of the format's core_dump method, or 0 when no dump was
 * attempted.  A non-zero result also sets bit 0x80 in the group exit code.
 *
 * NOTE(review): no comparison between the owner of a pre-existing file and
 * the dumping task is visible in this function; confirm whether the checks
 * made by filp_open() are considered sufficient.
 */
int do_coredump(long signr, int exit_code, struct pt_regs * regs)
{
	char corename[CORENAME_MAX_SIZE + 1];
	struct mm_struct *mm = current->mm;
	struct linux_binfmt * binfmt;
	struct inode * inode;
	struct file * file;
	int retval = 0;

	binfmt = current->binfmt;
	if (!binfmt || !binfmt->core_dump)
		goto fail;
	down_write(&mm->mmap_sem);
	if (!mm->dumpable) {
		up_write(&mm->mmap_sem);
		goto fail;
	}
	/* Checked and cleared under mmap_sem. */
	mm->dumpable = 0;
	init_completion(&mm->core_done);
	spin_lock_irq(&current->sighand->siglock);
	current->signal->flags = SIGNAL_GROUP_EXIT;
	current->signal->group_exit_code = exit_code;
	spin_unlock_irq(&current->sighand->siglock);
	/* Releases mmap_sem before returning. */
	coredump_wait(mm);

	/*
	 * Clear any false indication of pending signals that might
	 * be seen by the filesystem code called to write the core file.
	 */
	current->signal->group_stop_count = 0;
	clear_thread_flag(TIF_SIGPENDING);

	if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
		goto fail_unlock;

	/*
	 * lock_kernel() because format_corename() is controlled by sysctl, which
	 * uses lock_kernel()
	 */
	lock_kernel();
	format_corename(corename, core_pattern, signr);
	unlock_kernel();
	/* The literal 2 in the flags is the value of O_RDWR.  O_EXCL is not
	   used, so an existing file is reused, subject to the checks below. */
	file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
	if (IS_ERR(file))
		goto fail_unlock;
	inode = file->f_dentry->d_inode;
	if (inode->i_nlink > 1)
		goto close_fail;	/* multiple links - don't dump */
	if (d_unhashed(file->f_dentry))
		goto close_fail;

	/* Only ever write a core image into a regular file. */
	if (!S_ISREG(inode->i_mode))
		goto close_fail;
	if (!file->f_op)
		goto close_fail;
	if (!file->f_op->write)
		goto close_fail;
	/* Discard the old contents before the new image is written. */
	if (do_truncate(file->f_dentry, 0) != 0)
		goto close_fail;

	retval = binfmt->core_dump(signr, regs, file);

	if (retval)
		current->signal->group_exit_code |= 0x80;
close_fail:
	filp_close(file, NULL);
fail_unlock:
	/* Signal core_done to anything waiting on it. */
	complete_all(&mm->core_done);
fail:
	return retval;
}
1497