11da177e4SLinus Torvalds /* 21da177e4SLinus Torvalds * linux/fs/exec.c 31da177e4SLinus Torvalds * 41da177e4SLinus Torvalds * Copyright (C) 1991, 1992 Linus Torvalds 51da177e4SLinus Torvalds */ 61da177e4SLinus Torvalds 71da177e4SLinus Torvalds /* 81da177e4SLinus Torvalds * #!-checking implemented by tytso. 91da177e4SLinus Torvalds */ 101da177e4SLinus Torvalds /* 111da177e4SLinus Torvalds * Demand-loading implemented 01.12.91 - no need to read anything but 121da177e4SLinus Torvalds * the header into memory. The inode of the executable is put into 131da177e4SLinus Torvalds * "current->executable", and page faults do the actual loading. Clean. 141da177e4SLinus Torvalds * 151da177e4SLinus Torvalds * Once more I can proudly say that linux stood up to being changed: it 161da177e4SLinus Torvalds * was less than 2 hours work to get demand-loading completely implemented. 171da177e4SLinus Torvalds * 181da177e4SLinus Torvalds * Demand loading changed July 1993 by Eric Youngdale. Use mmap instead, 191da177e4SLinus Torvalds * current->executable is only used by the procfs. This allows a dispatch 201da177e4SLinus Torvalds * table to check for several different types of binary formats. We keep 211da177e4SLinus Torvalds * trying until we recognize the file or we run out of supported binary 221da177e4SLinus Torvalds * formats. 231da177e4SLinus Torvalds */ 241da177e4SLinus Torvalds 251da177e4SLinus Torvalds #include <linux/slab.h> 261da177e4SLinus Torvalds #include <linux/file.h> 279f3acc31SAl Viro #include <linux/fdtable.h> 28ba92a43dSHugh Dickins #include <linux/mm.h> 291da177e4SLinus Torvalds #include <linux/stat.h> 301da177e4SLinus Torvalds #include <linux/fcntl.h> 311da177e4SLinus Torvalds #include <linux/smp_lock.h> 32ba92a43dSHugh Dickins #include <linux/swap.h> 3374aadce9SNeil Horman #include <linux/string.h> 341da177e4SLinus Torvalds #include <linux/init.h> 35ca5b172bSHugh Dickins #include <linux/pagemap.h> 36cdd6c482SIngo Molnar #include <linux/perf_event.h> 371da177e4SLinus Torvalds #include <linux/highmem.h> 381da177e4SLinus Torvalds #include <linux/spinlock.h> 391da177e4SLinus Torvalds #include <linux/key.h> 401da177e4SLinus Torvalds #include <linux/personality.h> 411da177e4SLinus Torvalds #include <linux/binfmts.h> 421da177e4SLinus Torvalds #include <linux/utsname.h> 4384d73786SSukadev Bhattiprolu #include <linux/pid_namespace.h> 441da177e4SLinus Torvalds #include <linux/module.h> 451da177e4SLinus Torvalds #include <linux/namei.h> 461da177e4SLinus Torvalds #include <linux/proc_fs.h> 471da177e4SLinus Torvalds #include <linux/mount.h> 481da177e4SLinus Torvalds #include <linux/security.h> 491da177e4SLinus Torvalds #include <linux/syscalls.h> 508f0ab514SJay Lan #include <linux/tsacct_kern.h> 519f46080cSMatt Helsley #include <linux/cn_proc.h> 52473ae30bSAl Viro #include <linux/audit.h> 536341c393SRoland McGrath #include <linux/tracehook.h> 545f4123beSJohannes Berg #include <linux/kmod.h> 556110e3abSEric Paris #include <linux/fsnotify.h> 565ad4e53bSAl Viro #include <linux/fs_struct.h> 5761be228aSNeil Horman #include <linux/pipe_fs_i.h> 581da177e4SLinus Torvalds 591da177e4SLinus Torvalds #include <asm/uaccess.h> 601da177e4SLinus Torvalds #include <asm/mmu_context.h> 61b6a2fea3SOllie Wild #include <asm/tlb.h> 62a6f76f23SDavid Howells #include "internal.h" 631da177e4SLinus Torvalds 641da177e4SLinus Torvalds int core_uses_pid; 6571ce92f3SDan Aloni char core_pattern[CORENAME_MAX_SIZE] = "core"; 66a293980cSNeil Horman unsigned int core_pipe_limit; 67d6e71144SAlan Cox int suid_dumpable = 0; 68d6e71144SAlan Cox 691da177e4SLinus Torvalds /* The maximal length of core_pattern is also specified in sysctl.c */ 701da177e4SLinus Torvalds 71e4dc1b14SAlexey Dobriyan static LIST_HEAD(formats); 721da177e4SLinus Torvalds static DEFINE_RWLOCK(binfmt_lock); 731da177e4SLinus Torvalds 7474641f58SIvan Kokshaysky int __register_binfmt(struct linux_binfmt * fmt, int insert) 751da177e4SLinus Torvalds { 761da177e4SLinus Torvalds if (!fmt) 771da177e4SLinus Torvalds return -EINVAL; 781da177e4SLinus Torvalds write_lock(&binfmt_lock); 7974641f58SIvan Kokshaysky insert ? list_add(&fmt->lh, &formats) : 8074641f58SIvan Kokshaysky list_add_tail(&fmt->lh, &formats); 811da177e4SLinus Torvalds write_unlock(&binfmt_lock); 821da177e4SLinus Torvalds return 0; 831da177e4SLinus Torvalds } 841da177e4SLinus Torvalds 8574641f58SIvan Kokshaysky EXPORT_SYMBOL(__register_binfmt); 861da177e4SLinus Torvalds 87f6b450d4SAlexey Dobriyan void unregister_binfmt(struct linux_binfmt * fmt) 881da177e4SLinus Torvalds { 891da177e4SLinus Torvalds write_lock(&binfmt_lock); 90e4dc1b14SAlexey Dobriyan list_del(&fmt->lh); 911da177e4SLinus Torvalds write_unlock(&binfmt_lock); 921da177e4SLinus Torvalds } 931da177e4SLinus Torvalds 941da177e4SLinus Torvalds EXPORT_SYMBOL(unregister_binfmt); 951da177e4SLinus Torvalds 961da177e4SLinus Torvalds static inline void put_binfmt(struct linux_binfmt * fmt) 971da177e4SLinus Torvalds { 981da177e4SLinus Torvalds module_put(fmt->module); 991da177e4SLinus Torvalds } 1001da177e4SLinus Torvalds 1011da177e4SLinus Torvalds /* 1021da177e4SLinus Torvalds * Note that a shared library must be both readable and executable due to 1031da177e4SLinus Torvalds * security reasons. 1041da177e4SLinus Torvalds * 1051da177e4SLinus Torvalds * Also note that we take the address to load from from the file itself. 1061da177e4SLinus Torvalds */ 1071e7bfb21SHeiko Carstens SYSCALL_DEFINE1(uselib, const char __user *, library) 1081da177e4SLinus Torvalds { 1091da177e4SLinus Torvalds struct file *file; 110964bd183SAl Viro char *tmp = getname(library); 111964bd183SAl Viro int error = PTR_ERR(tmp); 1121da177e4SLinus Torvalds 1136e8341a1SAl Viro if (IS_ERR(tmp)) 1141da177e4SLinus Torvalds goto out; 1151da177e4SLinus Torvalds 1166e8341a1SAl Viro file = do_filp_open(AT_FDCWD, tmp, 1176e8341a1SAl Viro O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0, 118cb23beb5SChristoph Hellwig MAY_READ | MAY_EXEC | MAY_OPEN); 1196e8341a1SAl Viro putname(tmp); 1201da177e4SLinus Torvalds error = PTR_ERR(file); 1211da177e4SLinus Torvalds if (IS_ERR(file)) 1221da177e4SLinus Torvalds goto out; 1231da177e4SLinus Torvalds 1246e8341a1SAl Viro error = -EINVAL; 1256e8341a1SAl Viro if (!S_ISREG(file->f_path.dentry->d_inode->i_mode)) 1266e8341a1SAl Viro goto exit; 1276e8341a1SAl Viro 1286e8341a1SAl Viro error = -EACCES; 1296e8341a1SAl Viro if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) 1306e8341a1SAl Viro goto exit; 1316e8341a1SAl Viro 1326110e3abSEric Paris fsnotify_open(file->f_path.dentry); 1336110e3abSEric Paris 1341da177e4SLinus Torvalds error = -ENOEXEC; 1351da177e4SLinus Torvalds if(file->f_op) { 1361da177e4SLinus Torvalds struct linux_binfmt * fmt; 1371da177e4SLinus Torvalds 1381da177e4SLinus Torvalds read_lock(&binfmt_lock); 139e4dc1b14SAlexey Dobriyan list_for_each_entry(fmt, &formats, lh) { 1401da177e4SLinus Torvalds if (!fmt->load_shlib) 1411da177e4SLinus Torvalds continue; 1421da177e4SLinus Torvalds if (!try_module_get(fmt->module)) 1431da177e4SLinus Torvalds continue; 1441da177e4SLinus Torvalds read_unlock(&binfmt_lock); 1451da177e4SLinus Torvalds error = fmt->load_shlib(file); 1461da177e4SLinus Torvalds read_lock(&binfmt_lock); 1471da177e4SLinus Torvalds put_binfmt(fmt); 1481da177e4SLinus Torvalds if (error != -ENOEXEC) 1491da177e4SLinus Torvalds break; 1501da177e4SLinus Torvalds } 1511da177e4SLinus Torvalds read_unlock(&binfmt_lock); 1521da177e4SLinus Torvalds } 1536e8341a1SAl Viro exit: 1541da177e4SLinus Torvalds fput(file); 1551da177e4SLinus Torvalds out: 1561da177e4SLinus Torvalds return error; 1571da177e4SLinus Torvalds } 1581da177e4SLinus Torvalds 159b6a2fea3SOllie Wild #ifdef CONFIG_MMU 160b6a2fea3SOllie Wild 161b6a2fea3SOllie Wild static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, 162b6a2fea3SOllie Wild int write) 163b6a2fea3SOllie Wild { 164b6a2fea3SOllie Wild struct page *page; 165b6a2fea3SOllie Wild int ret; 166b6a2fea3SOllie Wild 167b6a2fea3SOllie Wild #ifdef CONFIG_STACK_GROWSUP 168b6a2fea3SOllie Wild if (write) { 169b6a2fea3SOllie Wild ret = expand_stack_downwards(bprm->vma, pos); 170b6a2fea3SOllie Wild if (ret < 0) 171b6a2fea3SOllie Wild return NULL; 172b6a2fea3SOllie Wild } 173b6a2fea3SOllie Wild #endif 174b6a2fea3SOllie Wild ret = get_user_pages(current, bprm->mm, pos, 175b6a2fea3SOllie Wild 1, write, 1, &page, NULL); 176b6a2fea3SOllie Wild if (ret <= 0) 177b6a2fea3SOllie Wild return NULL; 178b6a2fea3SOllie Wild 179b6a2fea3SOllie Wild if (write) { 180b6a2fea3SOllie Wild unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; 181a64e715fSLinus Torvalds struct rlimit *rlim; 182a64e715fSLinus Torvalds 183a64e715fSLinus Torvalds /* 184a64e715fSLinus Torvalds * We've historically supported up to 32 pages (ARG_MAX) 185a64e715fSLinus Torvalds * of argument strings even with small stacks 186a64e715fSLinus Torvalds */ 187a64e715fSLinus Torvalds if (size <= ARG_MAX) 188a64e715fSLinus Torvalds return page; 189b6a2fea3SOllie Wild 190b6a2fea3SOllie Wild /* 191b6a2fea3SOllie Wild * Limit to 1/4-th the stack size for the argv+env strings. 192b6a2fea3SOllie Wild * This ensures that: 193b6a2fea3SOllie Wild * - the remaining binfmt code will not run out of stack space, 194b6a2fea3SOllie Wild * - the program will have a reasonable amount of stack left 195b6a2fea3SOllie Wild * to work from. 196b6a2fea3SOllie Wild */ 197a64e715fSLinus Torvalds rlim = current->signal->rlim; 198d554ed89SJiri Slaby if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) { 199b6a2fea3SOllie Wild put_page(page); 200b6a2fea3SOllie Wild return NULL; 201b6a2fea3SOllie Wild } 202b6a2fea3SOllie Wild } 203b6a2fea3SOllie Wild 204b6a2fea3SOllie Wild return page; 205b6a2fea3SOllie Wild } 206b6a2fea3SOllie Wild 207b6a2fea3SOllie Wild static void put_arg_page(struct page *page) 208b6a2fea3SOllie Wild { 209b6a2fea3SOllie Wild put_page(page); 210b6a2fea3SOllie Wild } 211b6a2fea3SOllie Wild 212b6a2fea3SOllie Wild static void free_arg_page(struct linux_binprm *bprm, int i) 213b6a2fea3SOllie Wild { 214b6a2fea3SOllie Wild } 215b6a2fea3SOllie Wild 216b6a2fea3SOllie Wild static void free_arg_pages(struct linux_binprm *bprm) 217b6a2fea3SOllie Wild { 218b6a2fea3SOllie Wild } 219b6a2fea3SOllie Wild 220b6a2fea3SOllie Wild static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos, 221b6a2fea3SOllie Wild struct page *page) 222b6a2fea3SOllie Wild { 223b6a2fea3SOllie Wild flush_cache_page(bprm->vma, pos, page_to_pfn(page)); 224b6a2fea3SOllie Wild } 225b6a2fea3SOllie Wild 226b6a2fea3SOllie Wild static int __bprm_mm_init(struct linux_binprm *bprm) 227b6a2fea3SOllie Wild { 228eaccbfa5SLuiz Fernando N. Capitulino int err; 229b6a2fea3SOllie Wild struct vm_area_struct *vma = NULL; 230b6a2fea3SOllie Wild struct mm_struct *mm = bprm->mm; 231b6a2fea3SOllie Wild 232b6a2fea3SOllie Wild bprm->vma = vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); 233b6a2fea3SOllie Wild if (!vma) 234eaccbfa5SLuiz Fernando N. Capitulino return -ENOMEM; 235b6a2fea3SOllie Wild 236b6a2fea3SOllie Wild down_write(&mm->mmap_sem); 237b6a2fea3SOllie Wild vma->vm_mm = mm; 238b6a2fea3SOllie Wild 239b6a2fea3SOllie Wild /* 240b6a2fea3SOllie Wild * Place the stack at the largest stack address the architecture 241b6a2fea3SOllie Wild * supports. Later, we'll move this to an appropriate place. We don't 242b6a2fea3SOllie Wild * use STACK_TOP because that can depend on attributes which aren't 243b6a2fea3SOllie Wild * configured yet. 244b6a2fea3SOllie Wild */ 245a8bef8ffSMel Gorman BUG_ON(VM_STACK_FLAGS & VM_STACK_INCOMPLETE_SETUP); 246b6a2fea3SOllie Wild vma->vm_end = STACK_TOP_MAX; 247b6a2fea3SOllie Wild vma->vm_start = vma->vm_end - PAGE_SIZE; 248a8bef8ffSMel Gorman vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP; 2493ed75eb8SColy Li vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); 2505beb4930SRik van Riel INIT_LIST_HEAD(&vma->anon_vma_chain); 251b6a2fea3SOllie Wild err = insert_vm_struct(mm, vma); 252eaccbfa5SLuiz Fernando N. Capitulino if (err) 253b6a2fea3SOllie Wild goto err; 254b6a2fea3SOllie Wild 255b6a2fea3SOllie Wild mm->stack_vm = mm->total_vm = 1; 256b6a2fea3SOllie Wild up_write(&mm->mmap_sem); 257b6a2fea3SOllie Wild bprm->p = vma->vm_end - sizeof(void *); 258b6a2fea3SOllie Wild return 0; 259b6a2fea3SOllie Wild err: 260eaccbfa5SLuiz Fernando N. Capitulino up_write(&mm->mmap_sem); 261b6a2fea3SOllie Wild bprm->vma = NULL; 262b6a2fea3SOllie Wild kmem_cache_free(vm_area_cachep, vma); 263b6a2fea3SOllie Wild return err; 264b6a2fea3SOllie Wild } 265b6a2fea3SOllie Wild 266b6a2fea3SOllie Wild static bool valid_arg_len(struct linux_binprm *bprm, long len) 267b6a2fea3SOllie Wild { 268b6a2fea3SOllie Wild return len <= MAX_ARG_STRLEN; 269b6a2fea3SOllie Wild } 270b6a2fea3SOllie Wild 271b6a2fea3SOllie Wild #else 272b6a2fea3SOllie Wild 273b6a2fea3SOllie Wild static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, 274b6a2fea3SOllie Wild int write) 275b6a2fea3SOllie Wild { 276b6a2fea3SOllie Wild struct page *page; 277b6a2fea3SOllie Wild 278b6a2fea3SOllie Wild page = bprm->page[pos / PAGE_SIZE]; 279b6a2fea3SOllie Wild if (!page && write) { 280b6a2fea3SOllie Wild page = alloc_page(GFP_HIGHUSER|__GFP_ZERO); 281b6a2fea3SOllie Wild if (!page) 282b6a2fea3SOllie Wild return NULL; 283b6a2fea3SOllie Wild bprm->page[pos / PAGE_SIZE] = page; 284b6a2fea3SOllie Wild } 285b6a2fea3SOllie Wild 286b6a2fea3SOllie Wild return page; 287b6a2fea3SOllie Wild } 288b6a2fea3SOllie Wild 289b6a2fea3SOllie Wild static void put_arg_page(struct page *page) 290b6a2fea3SOllie Wild { 291b6a2fea3SOllie Wild } 292b6a2fea3SOllie Wild 293b6a2fea3SOllie Wild static void free_arg_page(struct linux_binprm *bprm, int i) 294b6a2fea3SOllie Wild { 295b6a2fea3SOllie Wild if (bprm->page[i]) { 296b6a2fea3SOllie Wild __free_page(bprm->page[i]); 297b6a2fea3SOllie Wild bprm->page[i] = NULL; 298b6a2fea3SOllie Wild } 299b6a2fea3SOllie Wild } 300b6a2fea3SOllie Wild 301b6a2fea3SOllie Wild static void free_arg_pages(struct linux_binprm *bprm) 302b6a2fea3SOllie Wild { 303b6a2fea3SOllie Wild int i; 304b6a2fea3SOllie Wild 305b6a2fea3SOllie Wild for (i = 0; i < MAX_ARG_PAGES; i++) 306b6a2fea3SOllie Wild free_arg_page(bprm, i); 307b6a2fea3SOllie Wild } 308b6a2fea3SOllie Wild 309b6a2fea3SOllie Wild static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos, 310b6a2fea3SOllie Wild struct page *page) 311b6a2fea3SOllie Wild { 312b6a2fea3SOllie Wild } 313b6a2fea3SOllie Wild 314b6a2fea3SOllie Wild static int __bprm_mm_init(struct linux_binprm *bprm) 315b6a2fea3SOllie Wild { 316b6a2fea3SOllie Wild bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *); 317b6a2fea3SOllie Wild return 0; 318b6a2fea3SOllie Wild } 319b6a2fea3SOllie Wild 320b6a2fea3SOllie Wild static bool valid_arg_len(struct linux_binprm *bprm, long len) 321b6a2fea3SOllie Wild { 322b6a2fea3SOllie Wild return len <= bprm->p; 323b6a2fea3SOllie Wild } 324b6a2fea3SOllie Wild 325b6a2fea3SOllie Wild #endif /* CONFIG_MMU */ 326b6a2fea3SOllie Wild 327b6a2fea3SOllie Wild /* 328b6a2fea3SOllie Wild * Create a new mm_struct and populate it with a temporary stack 329b6a2fea3SOllie Wild * vm_area_struct. We don't have enough context at this point to set the stack 330b6a2fea3SOllie Wild * flags, permissions, and offset, so we use temporary values. We'll update 331b6a2fea3SOllie Wild * them later in setup_arg_pages(). 332b6a2fea3SOllie Wild */ 333b6a2fea3SOllie Wild int bprm_mm_init(struct linux_binprm *bprm) 334b6a2fea3SOllie Wild { 335b6a2fea3SOllie Wild int err; 336b6a2fea3SOllie Wild struct mm_struct *mm = NULL; 337b6a2fea3SOllie Wild 338b6a2fea3SOllie Wild bprm->mm = mm = mm_alloc(); 339b6a2fea3SOllie Wild err = -ENOMEM; 340b6a2fea3SOllie Wild if (!mm) 341b6a2fea3SOllie Wild goto err; 342b6a2fea3SOllie Wild 343b6a2fea3SOllie Wild err = init_new_context(current, mm); 344b6a2fea3SOllie Wild if (err) 345b6a2fea3SOllie Wild goto err; 346b6a2fea3SOllie Wild 347b6a2fea3SOllie Wild err = __bprm_mm_init(bprm); 348b6a2fea3SOllie Wild if (err) 349b6a2fea3SOllie Wild goto err; 350b6a2fea3SOllie Wild 351b6a2fea3SOllie Wild return 0; 352b6a2fea3SOllie Wild 353b6a2fea3SOllie Wild err: 354b6a2fea3SOllie Wild if (mm) { 355b6a2fea3SOllie Wild bprm->mm = NULL; 356b6a2fea3SOllie Wild mmdrop(mm); 357b6a2fea3SOllie Wild } 358b6a2fea3SOllie Wild 359b6a2fea3SOllie Wild return err; 360b6a2fea3SOllie Wild } 361b6a2fea3SOllie Wild 3621da177e4SLinus Torvalds /* 3631da177e4SLinus Torvalds * count() counts the number of strings in array ARGV. 3641da177e4SLinus Torvalds */ 3651da177e4SLinus Torvalds static int count(char __user * __user * argv, int max) 3661da177e4SLinus Torvalds { 3671da177e4SLinus Torvalds int i = 0; 3681da177e4SLinus Torvalds 3691da177e4SLinus Torvalds if (argv != NULL) { 3701da177e4SLinus Torvalds for (;;) { 3711da177e4SLinus Torvalds char __user * p; 3721da177e4SLinus Torvalds 3731da177e4SLinus Torvalds if (get_user(p, argv)) 3741da177e4SLinus Torvalds return -EFAULT; 3751da177e4SLinus Torvalds if (!p) 3761da177e4SLinus Torvalds break; 3771da177e4SLinus Torvalds argv++; 378362e6663SJason Baron if (i++ >= max) 3791da177e4SLinus Torvalds return -E2BIG; 3801da177e4SLinus Torvalds cond_resched(); 3811da177e4SLinus Torvalds } 3821da177e4SLinus Torvalds } 3831da177e4SLinus Torvalds return i; 3841da177e4SLinus Torvalds } 3851da177e4SLinus Torvalds 3861da177e4SLinus Torvalds /* 387b6a2fea3SOllie Wild * 'copy_strings()' copies argument/environment strings from the old 388b6a2fea3SOllie Wild * processes's memory to the new process's stack. The call to get_user_pages() 389b6a2fea3SOllie Wild * ensures the destination page is created and not swapped out. 3901da177e4SLinus Torvalds */ 39175c96f85SAdrian Bunk static int copy_strings(int argc, char __user * __user * argv, 39275c96f85SAdrian Bunk struct linux_binprm *bprm) 3931da177e4SLinus Torvalds { 3941da177e4SLinus Torvalds struct page *kmapped_page = NULL; 3951da177e4SLinus Torvalds char *kaddr = NULL; 396b6a2fea3SOllie Wild unsigned long kpos = 0; 3971da177e4SLinus Torvalds int ret; 3981da177e4SLinus Torvalds 3991da177e4SLinus Torvalds while (argc-- > 0) { 4001da177e4SLinus Torvalds char __user *str; 4011da177e4SLinus Torvalds int len; 4021da177e4SLinus Torvalds unsigned long pos; 4031da177e4SLinus Torvalds 4041da177e4SLinus Torvalds if (get_user(str, argv+argc) || 405b6a2fea3SOllie Wild !(len = strnlen_user(str, MAX_ARG_STRLEN))) { 4061da177e4SLinus Torvalds ret = -EFAULT; 4071da177e4SLinus Torvalds goto out; 4081da177e4SLinus Torvalds } 4091da177e4SLinus Torvalds 410b6a2fea3SOllie Wild if (!valid_arg_len(bprm, len)) { 4111da177e4SLinus Torvalds ret = -E2BIG; 4121da177e4SLinus Torvalds goto out; 4131da177e4SLinus Torvalds } 4141da177e4SLinus Torvalds 415b6a2fea3SOllie Wild /* We're going to work our way backwords. */ 4161da177e4SLinus Torvalds pos = bprm->p; 417b6a2fea3SOllie Wild str += len; 418b6a2fea3SOllie Wild bprm->p -= len; 4191da177e4SLinus Torvalds 4201da177e4SLinus Torvalds while (len > 0) { 4211da177e4SLinus Torvalds int offset, bytes_to_copy; 4221da177e4SLinus Torvalds 4231da177e4SLinus Torvalds offset = pos % PAGE_SIZE; 424b6a2fea3SOllie Wild if (offset == 0) 425b6a2fea3SOllie Wild offset = PAGE_SIZE; 426b6a2fea3SOllie Wild 427b6a2fea3SOllie Wild bytes_to_copy = offset; 428b6a2fea3SOllie Wild if (bytes_to_copy > len) 429b6a2fea3SOllie Wild bytes_to_copy = len; 430b6a2fea3SOllie Wild 431b6a2fea3SOllie Wild offset -= bytes_to_copy; 432b6a2fea3SOllie Wild pos -= bytes_to_copy; 433b6a2fea3SOllie Wild str -= bytes_to_copy; 434b6a2fea3SOllie Wild len -= bytes_to_copy; 435b6a2fea3SOllie Wild 436b6a2fea3SOllie Wild if (!kmapped_page || kpos != (pos & PAGE_MASK)) { 437b6a2fea3SOllie Wild struct page *page; 438b6a2fea3SOllie Wild 439b6a2fea3SOllie Wild page = get_arg_page(bprm, pos, 1); 4401da177e4SLinus Torvalds if (!page) { 441b6a2fea3SOllie Wild ret = -E2BIG; 4421da177e4SLinus Torvalds goto out; 4431da177e4SLinus Torvalds } 4441da177e4SLinus Torvalds 445b6a2fea3SOllie Wild if (kmapped_page) { 446b6a2fea3SOllie Wild flush_kernel_dcache_page(kmapped_page); 4471da177e4SLinus Torvalds kunmap(kmapped_page); 448b6a2fea3SOllie Wild put_arg_page(kmapped_page); 449b6a2fea3SOllie Wild } 4501da177e4SLinus Torvalds kmapped_page = page; 4511da177e4SLinus Torvalds kaddr = kmap(kmapped_page); 452b6a2fea3SOllie Wild kpos = pos & PAGE_MASK; 453b6a2fea3SOllie Wild flush_arg_page(bprm, kpos, kmapped_page); 4541da177e4SLinus Torvalds } 455b6a2fea3SOllie Wild if (copy_from_user(kaddr+offset, str, bytes_to_copy)) { 4561da177e4SLinus Torvalds ret = -EFAULT; 4571da177e4SLinus Torvalds goto out; 4581da177e4SLinus Torvalds } 4591da177e4SLinus Torvalds } 4601da177e4SLinus Torvalds } 4611da177e4SLinus Torvalds ret = 0; 4621da177e4SLinus Torvalds out: 463b6a2fea3SOllie Wild if (kmapped_page) { 464b6a2fea3SOllie Wild flush_kernel_dcache_page(kmapped_page); 4651da177e4SLinus Torvalds kunmap(kmapped_page); 466b6a2fea3SOllie Wild put_arg_page(kmapped_page); 467b6a2fea3SOllie Wild } 4681da177e4SLinus Torvalds return ret; 4691da177e4SLinus Torvalds } 4701da177e4SLinus Torvalds 4711da177e4SLinus Torvalds /* 4721da177e4SLinus Torvalds * Like copy_strings, but get argv and its values from kernel memory. 4731da177e4SLinus Torvalds */ 4741da177e4SLinus Torvalds int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm) 4751da177e4SLinus Torvalds { 4761da177e4SLinus Torvalds int r; 4771da177e4SLinus Torvalds mm_segment_t oldfs = get_fs(); 4781da177e4SLinus Torvalds set_fs(KERNEL_DS); 4791da177e4SLinus Torvalds r = copy_strings(argc, (char __user * __user *)argv, bprm); 4801da177e4SLinus Torvalds set_fs(oldfs); 4811da177e4SLinus Torvalds return r; 4821da177e4SLinus Torvalds } 4831da177e4SLinus Torvalds EXPORT_SYMBOL(copy_strings_kernel); 4841da177e4SLinus Torvalds 4851da177e4SLinus Torvalds #ifdef CONFIG_MMU 486b6a2fea3SOllie Wild 4871da177e4SLinus Torvalds /* 488b6a2fea3SOllie Wild * During bprm_mm_init(), we create a temporary stack at STACK_TOP_MAX. Once 489b6a2fea3SOllie Wild * the binfmt code determines where the new stack should reside, we shift it to 490b6a2fea3SOllie Wild * its final location. The process proceeds as follows: 4911da177e4SLinus Torvalds * 492b6a2fea3SOllie Wild * 1) Use shift to calculate the new vma endpoints. 493b6a2fea3SOllie Wild * 2) Extend vma to cover both the old and new ranges. This ensures the 494b6a2fea3SOllie Wild * arguments passed to subsequent functions are consistent. 495b6a2fea3SOllie Wild * 3) Move vma's page tables to the new range. 496b6a2fea3SOllie Wild * 4) Free up any cleared pgd range. 497b6a2fea3SOllie Wild * 5) Shrink the vma to cover only the new range. 4981da177e4SLinus Torvalds */ 499b6a2fea3SOllie Wild static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) 5001da177e4SLinus Torvalds { 5011da177e4SLinus Torvalds struct mm_struct *mm = vma->vm_mm; 502b6a2fea3SOllie Wild unsigned long old_start = vma->vm_start; 503b6a2fea3SOllie Wild unsigned long old_end = vma->vm_end; 504b6a2fea3SOllie Wild unsigned long length = old_end - old_start; 505b6a2fea3SOllie Wild unsigned long new_start = old_start - shift; 506b6a2fea3SOllie Wild unsigned long new_end = old_end - shift; 507b6a2fea3SOllie Wild struct mmu_gather *tlb; 5081da177e4SLinus Torvalds 509b6a2fea3SOllie Wild BUG_ON(new_start > new_end); 5101da177e4SLinus Torvalds 511b6a2fea3SOllie Wild /* 512b6a2fea3SOllie Wild * ensure there are no vmas between where we want to go 513b6a2fea3SOllie Wild * and where we are 5141da177e4SLinus Torvalds */ 515b6a2fea3SOllie Wild if (vma != find_vma(mm, new_start)) 516b6a2fea3SOllie Wild return -EFAULT; 5171da177e4SLinus Torvalds 518b6a2fea3SOllie Wild /* 519b6a2fea3SOllie Wild * cover the whole range: [new_start, old_end) 520b6a2fea3SOllie Wild */ 5215beb4930SRik van Riel if (vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL)) 5225beb4930SRik van Riel return -ENOMEM; 5231da177e4SLinus Torvalds 524b6a2fea3SOllie Wild /* 525b6a2fea3SOllie Wild * move the page tables downwards, on failure we rely on 526b6a2fea3SOllie Wild * process cleanup to remove whatever mess we made. 527b6a2fea3SOllie Wild */ 528b6a2fea3SOllie Wild if (length != move_page_tables(vma, old_start, 529b6a2fea3SOllie Wild vma, new_start, length)) 5301da177e4SLinus Torvalds return -ENOMEM; 5311da177e4SLinus Torvalds 532b6a2fea3SOllie Wild lru_add_drain(); 533b6a2fea3SOllie Wild tlb = tlb_gather_mmu(mm, 0); 534b6a2fea3SOllie Wild if (new_end > old_start) { 535b6a2fea3SOllie Wild /* 536b6a2fea3SOllie Wild * when the old and new regions overlap clear from new_end. 537b6a2fea3SOllie Wild */ 53842b77728SJan Beulich free_pgd_range(tlb, new_end, old_end, new_end, 539b6a2fea3SOllie Wild vma->vm_next ? vma->vm_next->vm_start : 0); 540b6a2fea3SOllie Wild } else { 541b6a2fea3SOllie Wild /* 542b6a2fea3SOllie Wild * otherwise, clean from old_start; this is done to not touch 543b6a2fea3SOllie Wild * the address space in [new_end, old_start) some architectures 544b6a2fea3SOllie Wild * have constraints on va-space that make this illegal (IA64) - 545b6a2fea3SOllie Wild * for the others its just a little faster. 546b6a2fea3SOllie Wild */ 54742b77728SJan Beulich free_pgd_range(tlb, old_start, old_end, new_end, 548b6a2fea3SOllie Wild vma->vm_next ? vma->vm_next->vm_start : 0); 5491da177e4SLinus Torvalds } 550b6a2fea3SOllie Wild tlb_finish_mmu(tlb, new_end, old_end); 5511da177e4SLinus Torvalds 552b6a2fea3SOllie Wild /* 5535beb4930SRik van Riel * Shrink the vma to just the new range. Always succeeds. 554b6a2fea3SOllie Wild */ 555b6a2fea3SOllie Wild vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL); 5561da177e4SLinus Torvalds 5571da177e4SLinus Torvalds return 0; 5581da177e4SLinus Torvalds } 5591da177e4SLinus Torvalds 560b6a2fea3SOllie Wild /* 561b6a2fea3SOllie Wild * Finalizes the stack vm_area_struct. The flags and permissions are updated, 562b6a2fea3SOllie Wild * the stack is optionally relocated, and some extra space is added. 563b6a2fea3SOllie Wild */ 564b6a2fea3SOllie Wild int setup_arg_pages(struct linux_binprm *bprm, 565b6a2fea3SOllie Wild unsigned long stack_top, 566b6a2fea3SOllie Wild int executable_stack) 5671da177e4SLinus Torvalds { 568b6a2fea3SOllie Wild unsigned long ret; 569b6a2fea3SOllie Wild unsigned long stack_shift; 570b6a2fea3SOllie Wild struct mm_struct *mm = current->mm; 571b6a2fea3SOllie Wild struct vm_area_struct *vma = bprm->vma; 572b6a2fea3SOllie Wild struct vm_area_struct *prev = NULL; 573b6a2fea3SOllie Wild unsigned long vm_flags; 574b6a2fea3SOllie Wild unsigned long stack_base; 575803bf5ecSMichael Neuling unsigned long stack_size; 576803bf5ecSMichael Neuling unsigned long stack_expand; 577803bf5ecSMichael Neuling unsigned long rlim_stack; 5781da177e4SLinus Torvalds 579b6a2fea3SOllie Wild #ifdef CONFIG_STACK_GROWSUP 580b6a2fea3SOllie Wild /* Limit stack size to 1GB */ 581d554ed89SJiri Slaby stack_base = rlimit_max(RLIMIT_STACK); 582b6a2fea3SOllie Wild if (stack_base > (1 << 30)) 583b6a2fea3SOllie Wild stack_base = 1 << 30; 584b6a2fea3SOllie Wild 585b6a2fea3SOllie Wild /* Make sure we didn't let the argument array grow too large. */ 586b6a2fea3SOllie Wild if (vma->vm_end - vma->vm_start > stack_base) 587b6a2fea3SOllie Wild return -ENOMEM; 588b6a2fea3SOllie Wild 589b6a2fea3SOllie Wild stack_base = PAGE_ALIGN(stack_top - stack_base); 590b6a2fea3SOllie Wild 591b6a2fea3SOllie Wild stack_shift = vma->vm_start - stack_base; 592b6a2fea3SOllie Wild mm->arg_start = bprm->p - stack_shift; 593b6a2fea3SOllie Wild bprm->p = vma->vm_end - stack_shift; 594b6a2fea3SOllie Wild #else 595b6a2fea3SOllie Wild stack_top = arch_align_stack(stack_top); 596b6a2fea3SOllie Wild stack_top = PAGE_ALIGN(stack_top); 597b6a2fea3SOllie Wild stack_shift = vma->vm_end - stack_top; 598b6a2fea3SOllie Wild 599b6a2fea3SOllie Wild bprm->p -= stack_shift; 600b6a2fea3SOllie Wild mm->arg_start = bprm->p; 601b6a2fea3SOllie Wild #endif 602b6a2fea3SOllie Wild 603b6a2fea3SOllie Wild if (bprm->loader) 604b6a2fea3SOllie Wild bprm->loader -= stack_shift; 605b6a2fea3SOllie Wild bprm->exec -= stack_shift; 606b6a2fea3SOllie Wild 607b6a2fea3SOllie Wild down_write(&mm->mmap_sem); 60896a8e13eSHugh Dickins vm_flags = VM_STACK_FLAGS; 609b6a2fea3SOllie Wild 610b6a2fea3SOllie Wild /* 611b6a2fea3SOllie Wild * Adjust stack execute permissions; explicitly enable for 612b6a2fea3SOllie Wild * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone 613b6a2fea3SOllie Wild * (arch default) otherwise. 614b6a2fea3SOllie Wild */ 615b6a2fea3SOllie Wild if (unlikely(executable_stack == EXSTACK_ENABLE_X)) 616b6a2fea3SOllie Wild vm_flags |= VM_EXEC; 617b6a2fea3SOllie Wild else if (executable_stack == EXSTACK_DISABLE_X) 618b6a2fea3SOllie Wild vm_flags &= ~VM_EXEC; 619b6a2fea3SOllie Wild vm_flags |= mm->def_flags; 620a8bef8ffSMel Gorman vm_flags |= VM_STACK_INCOMPLETE_SETUP; 621b6a2fea3SOllie Wild 622b6a2fea3SOllie Wild ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, 623b6a2fea3SOllie Wild vm_flags); 624b6a2fea3SOllie Wild if (ret) 625b6a2fea3SOllie Wild goto out_unlock; 626b6a2fea3SOllie Wild BUG_ON(prev != vma); 627b6a2fea3SOllie Wild 628b6a2fea3SOllie Wild /* Move stack pages down in memory. */ 629b6a2fea3SOllie Wild if (stack_shift) { 630b6a2fea3SOllie Wild ret = shift_arg_pages(vma, stack_shift); 631fc63cf23SAnton Blanchard if (ret) 632fc63cf23SAnton Blanchard goto out_unlock; 6331da177e4SLinus Torvalds } 6341da177e4SLinus Torvalds 635a8bef8ffSMel Gorman /* mprotect_fixup is overkill to remove the temporary stack flags */ 636a8bef8ffSMel Gorman vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP; 637a8bef8ffSMel Gorman 6385ef097ddSMichael Neuling stack_expand = 131072UL; /* randomly 32*4k (or 2*64k) pages */ 639803bf5ecSMichael Neuling stack_size = vma->vm_end - vma->vm_start; 640803bf5ecSMichael Neuling /* 641803bf5ecSMichael Neuling * Align this down to a page boundary as expand_stack 642803bf5ecSMichael Neuling * will align it up. 643803bf5ecSMichael Neuling */ 644803bf5ecSMichael Neuling rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK; 645b6a2fea3SOllie Wild #ifdef CONFIG_STACK_GROWSUP 646803bf5ecSMichael Neuling if (stack_size + stack_expand > rlim_stack) 647803bf5ecSMichael Neuling stack_base = vma->vm_start + rlim_stack; 648803bf5ecSMichael Neuling else 649803bf5ecSMichael Neuling stack_base = vma->vm_end + stack_expand; 650b6a2fea3SOllie Wild #else 651803bf5ecSMichael Neuling if (stack_size + stack_expand > rlim_stack) 652803bf5ecSMichael Neuling stack_base = vma->vm_end - rlim_stack; 653803bf5ecSMichael Neuling else 654803bf5ecSMichael Neuling stack_base = vma->vm_start - stack_expand; 655b6a2fea3SOllie Wild #endif 656*3af9e859SEric B Munson current->mm->start_stack = bprm->p; 657b6a2fea3SOllie Wild ret = expand_stack(vma, stack_base); 658b6a2fea3SOllie Wild if (ret) 659b6a2fea3SOllie Wild ret = -EFAULT; 660b6a2fea3SOllie Wild 661b6a2fea3SOllie Wild out_unlock: 662b6a2fea3SOllie Wild up_write(&mm->mmap_sem); 663fc63cf23SAnton Blanchard return ret; 664b6a2fea3SOllie Wild } 665b6a2fea3SOllie Wild EXPORT_SYMBOL(setup_arg_pages); 666b6a2fea3SOllie Wild 6671da177e4SLinus Torvalds #endif /* CONFIG_MMU */ 6681da177e4SLinus Torvalds 6691da177e4SLinus Torvalds struct file *open_exec(const char *name) 6701da177e4SLinus Torvalds { 6711da177e4SLinus Torvalds struct file *file; 672e56b6a5dSChristoph Hellwig int err; 6731da177e4SLinus Torvalds 6746e8341a1SAl Viro file = do_filp_open(AT_FDCWD, name, 6756e8341a1SAl Viro O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0, 6766e8341a1SAl Viro MAY_EXEC | MAY_OPEN); 6776e8341a1SAl Viro if (IS_ERR(file)) 678e56b6a5dSChristoph Hellwig goto out; 6791da177e4SLinus Torvalds 680e56b6a5dSChristoph Hellwig err = -EACCES; 6816e8341a1SAl Viro if (!S_ISREG(file->f_path.dentry->d_inode->i_mode)) 6826e8341a1SAl Viro goto exit; 683e56b6a5dSChristoph Hellwig 6846e8341a1SAl Viro if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) 6856e8341a1SAl Viro goto exit; 686e56b6a5dSChristoph Hellwig 6876110e3abSEric Paris fsnotify_open(file->f_path.dentry); 6886110e3abSEric Paris 6891da177e4SLinus Torvalds err = deny_write_access(file); 6906e8341a1SAl Viro if (err) 6916e8341a1SAl Viro goto exit; 6921da177e4SLinus Torvalds 6936e8341a1SAl Viro out: 694e56b6a5dSChristoph Hellwig return file; 695e56b6a5dSChristoph Hellwig 6966e8341a1SAl Viro exit: 6976e8341a1SAl Viro fput(file); 698e56b6a5dSChristoph Hellwig return ERR_PTR(err); 699e56b6a5dSChristoph Hellwig } 7001da177e4SLinus Torvalds EXPORT_SYMBOL(open_exec); 7011da177e4SLinus Torvalds 7026777d773SMimi Zohar int kernel_read(struct file *file, loff_t offset, 7031da177e4SLinus Torvalds char *addr, unsigned long count) 7041da177e4SLinus Torvalds { 7051da177e4SLinus Torvalds mm_segment_t old_fs; 7061da177e4SLinus Torvalds loff_t pos = offset; 7071da177e4SLinus Torvalds int result; 7081da177e4SLinus Torvalds 7091da177e4SLinus Torvalds old_fs = get_fs(); 7101da177e4SLinus Torvalds set_fs(get_ds()); 7111da177e4SLinus Torvalds /* The cast to a user pointer is valid due to the set_fs() */ 7121da177e4SLinus Torvalds result = vfs_read(file, (void __user *)addr, count, &pos); 7131da177e4SLinus Torvalds set_fs(old_fs); 7141da177e4SLinus Torvalds return result; 7151da177e4SLinus Torvalds } 7161da177e4SLinus Torvalds 7171da177e4SLinus Torvalds EXPORT_SYMBOL(kernel_read); 7181da177e4SLinus Torvalds 7191da177e4SLinus Torvalds static int exec_mmap(struct mm_struct *mm) 7201da177e4SLinus Torvalds { 7211da177e4SLinus Torvalds struct task_struct *tsk; 7221da177e4SLinus Torvalds struct mm_struct * old_mm, *active_mm; 7231da177e4SLinus Torvalds 7241da177e4SLinus Torvalds /* Notify parent that we're no longer interested in the old VM */ 7251da177e4SLinus Torvalds tsk = current; 7261da177e4SLinus Torvalds old_mm = current->mm; 72734e55232SKAMEZAWA Hiroyuki sync_mm_rss(tsk, old_mm); 7281da177e4SLinus Torvalds mm_release(tsk, old_mm); 7291da177e4SLinus Torvalds 7301da177e4SLinus Torvalds if (old_mm) { 7311da177e4SLinus Torvalds /* 7321da177e4SLinus Torvalds * Make sure that if there is a core dump in progress 7331da177e4SLinus Torvalds * for the old mm, we get out and die instead of going 7341da177e4SLinus Torvalds * through with the exec. We must hold mmap_sem around 735999d9fc1SOleg Nesterov * checking core_state and changing tsk->mm. 7361da177e4SLinus Torvalds */ 7371da177e4SLinus Torvalds down_read(&old_mm->mmap_sem); 738999d9fc1SOleg Nesterov if (unlikely(old_mm->core_state)) { 7391da177e4SLinus Torvalds up_read(&old_mm->mmap_sem); 7401da177e4SLinus Torvalds return -EINTR; 7411da177e4SLinus Torvalds } 7421da177e4SLinus Torvalds } 7431da177e4SLinus Torvalds task_lock(tsk); 7441da177e4SLinus Torvalds active_mm = tsk->active_mm; 7451da177e4SLinus Torvalds tsk->mm = mm; 7461da177e4SLinus Torvalds tsk->active_mm = mm; 7471da177e4SLinus Torvalds activate_mm(active_mm, mm); 7481da177e4SLinus Torvalds task_unlock(tsk); 7491da177e4SLinus Torvalds arch_pick_mmap_layout(mm); 7501da177e4SLinus Torvalds if (old_mm) { 7511da177e4SLinus Torvalds up_read(&old_mm->mmap_sem); 7527dddb12cSEric Sesterhenn BUG_ON(active_mm != old_mm); 75331a78f23SBalbir Singh mm_update_next_owner(old_mm); 7541da177e4SLinus Torvalds mmput(old_mm); 7551da177e4SLinus Torvalds return 0; 7561da177e4SLinus Torvalds } 7571da177e4SLinus Torvalds mmdrop(active_mm); 7581da177e4SLinus Torvalds return 0; 7591da177e4SLinus Torvalds } 7601da177e4SLinus Torvalds 7611da177e4SLinus Torvalds /* 7621da177e4SLinus Torvalds * This function makes sure the current process has its own signal table, 7631da177e4SLinus Torvalds * so that flush_signal_handlers can later reset the handlers without 7641da177e4SLinus Torvalds * disturbing other processes. (Other processes might share the signal 7651da177e4SLinus Torvalds * table via the CLONE_SIGHAND option to clone().) 7661da177e4SLinus Torvalds */ 767858119e1SArjan van de Ven static int de_thread(struct task_struct *tsk) 7681da177e4SLinus Torvalds { 7691da177e4SLinus Torvalds struct signal_struct *sig = tsk->signal; 770b2c903b8SOleg Nesterov struct sighand_struct *oldsighand = tsk->sighand; 7711da177e4SLinus Torvalds spinlock_t *lock = &oldsighand->siglock; 7721da177e4SLinus Torvalds 773aafe6c2aSEric W. Biederman if (thread_group_empty(tsk)) 7741da177e4SLinus Torvalds goto no_thread_group; 7751da177e4SLinus Torvalds 7761da177e4SLinus Torvalds /* 7771da177e4SLinus Torvalds * Kill all other threads in the thread group. 7781da177e4SLinus Torvalds */ 7791da177e4SLinus Torvalds spin_lock_irq(lock); 780ed5d2cacSOleg Nesterov if (signal_group_exit(sig)) { 7811da177e4SLinus Torvalds /* 7821da177e4SLinus Torvalds * Another group action in progress, just 7831da177e4SLinus Torvalds * return so that the signal is processed. 7841da177e4SLinus Torvalds */ 7851da177e4SLinus Torvalds spin_unlock_irq(lock); 7861da177e4SLinus Torvalds return -EAGAIN; 7871da177e4SLinus Torvalds } 7881da177e4SLinus Torvalds 789d344193aSOleg Nesterov sig->group_exit_task = tsk; 790d344193aSOleg Nesterov sig->notify_count = zap_other_threads(tsk); 791d344193aSOleg Nesterov if (!thread_group_leader(tsk)) 792d344193aSOleg Nesterov sig->notify_count--; 793d344193aSOleg Nesterov 794d344193aSOleg Nesterov while (sig->notify_count) { 7951da177e4SLinus Torvalds __set_current_state(TASK_UNINTERRUPTIBLE); 7961da177e4SLinus Torvalds spin_unlock_irq(lock); 7971da177e4SLinus Torvalds schedule(); 7981da177e4SLinus Torvalds spin_lock_irq(lock); 7991da177e4SLinus Torvalds } 8001da177e4SLinus Torvalds spin_unlock_irq(lock); 8011da177e4SLinus Torvalds 8021da177e4SLinus Torvalds /* 8031da177e4SLinus Torvalds * At this point all other threads have exited, all we have to 8041da177e4SLinus Torvalds * do is to wait for the thread group leader to become inactive, 8051da177e4SLinus Torvalds * and to assume its PID: 8061da177e4SLinus Torvalds */ 807aafe6c2aSEric W. Biederman if (!thread_group_leader(tsk)) { 8088187926bSOleg Nesterov struct task_struct *leader = tsk->group_leader; 8096db840faSOleg Nesterov 8102800d8d1SOleg Nesterov sig->notify_count = -1; /* for exit_notify() */ 8116db840faSOleg Nesterov for (;;) { 8126db840faSOleg Nesterov write_lock_irq(&tasklist_lock); 8136db840faSOleg Nesterov if (likely(leader->exit_state)) 8146db840faSOleg Nesterov break; 8156db840faSOleg Nesterov __set_current_state(TASK_UNINTERRUPTIBLE); 8166db840faSOleg Nesterov write_unlock_irq(&tasklist_lock); 8176db840faSOleg Nesterov schedule(); 8186db840faSOleg Nesterov } 8191da177e4SLinus Torvalds 820f5e90281SRoland McGrath /* 821f5e90281SRoland McGrath * The only record we have of the real-time age of a 822f5e90281SRoland McGrath * process, regardless of execs it's done, is start_time. 823f5e90281SRoland McGrath * All the past CPU time is accumulated in signal_struct 824f5e90281SRoland McGrath * from sister threads now dead. But in this non-leader 825f5e90281SRoland McGrath * exec, nothing survives from the original leader thread, 826f5e90281SRoland McGrath * whose birth marks the true age of this process now. 827f5e90281SRoland McGrath * When we take on its identity by switching to its PID, we 828f5e90281SRoland McGrath * also take its birthdate (always earlier than our own). 829f5e90281SRoland McGrath */ 830aafe6c2aSEric W. Biederman tsk->start_time = leader->start_time; 831f5e90281SRoland McGrath 832bac0abd6SPavel Emelyanov BUG_ON(!same_thread_group(leader, tsk)); 833bac0abd6SPavel Emelyanov BUG_ON(has_group_leader_pid(tsk)); 8341da177e4SLinus Torvalds /* 8351da177e4SLinus Torvalds * An exec() starts a new thread group with the 8361da177e4SLinus Torvalds * TGID of the previous thread group. Rehash the 8371da177e4SLinus Torvalds * two threads with a switched PID, and release 8381da177e4SLinus Torvalds * the former thread group leader: 8391da177e4SLinus Torvalds */ 840d73d6529SEric W. Biederman 841d73d6529SEric W. Biederman /* Become a process group leader with the old leader's pid. 842c18258c6SEric W. Biederman * The old leader becomes a thread of the this thread group. 843d73d6529SEric W. Biederman * Note: The old leader also uses this pid until release_task 844d73d6529SEric W. Biederman * is called. Odd but simple and correct. 845d73d6529SEric W. Biederman */ 846aafe6c2aSEric W. Biederman detach_pid(tsk, PIDTYPE_PID); 847aafe6c2aSEric W. Biederman tsk->pid = leader->pid; 8483743ca05SSukadev Bhattiprolu attach_pid(tsk, PIDTYPE_PID, task_pid(leader)); 849aafe6c2aSEric W. Biederman transfer_pid(leader, tsk, PIDTYPE_PGID); 850aafe6c2aSEric W. Biederman transfer_pid(leader, tsk, PIDTYPE_SID); 8519cd80bbbSOleg Nesterov 852aafe6c2aSEric W. Biederman list_replace_rcu(&leader->tasks, &tsk->tasks); 8539cd80bbbSOleg Nesterov list_replace_init(&leader->sibling, &tsk->sibling); 8541da177e4SLinus Torvalds 855aafe6c2aSEric W. Biederman tsk->group_leader = tsk; 856aafe6c2aSEric W. Biederman leader->group_leader = tsk; 857de12a787SEric W. Biederman 858aafe6c2aSEric W. Biederman tsk->exit_signal = SIGCHLD; 859962b564cSOleg Nesterov 860962b564cSOleg Nesterov BUG_ON(leader->exit_state != EXIT_ZOMBIE); 861962b564cSOleg Nesterov leader->exit_state = EXIT_DEAD; 8621da177e4SLinus Torvalds write_unlock_irq(&tasklist_lock); 8638187926bSOleg Nesterov 8648187926bSOleg Nesterov release_task(leader); 8651da177e4SLinus Torvalds } 8661da177e4SLinus Torvalds 8676db840faSOleg Nesterov sig->group_exit_task = NULL; 8686db840faSOleg Nesterov sig->notify_count = 0; 8691da177e4SLinus Torvalds 8701da177e4SLinus Torvalds no_thread_group: 8711f10206cSJiri Pirko if (current->mm) 8721f10206cSJiri Pirko setmax_mm_hiwater_rss(&sig->maxrss, current->mm); 8731f10206cSJiri Pirko 8741da177e4SLinus Torvalds exit_itimers(sig); 875cbaffba1SOleg Nesterov flush_itimer_signals(); 876329f7dbaSOleg Nesterov 877b2c903b8SOleg Nesterov if (atomic_read(&oldsighand->count) != 1) { 878b2c903b8SOleg Nesterov struct sighand_struct *newsighand; 8791da177e4SLinus Torvalds /* 880b2c903b8SOleg Nesterov * This ->sighand is shared with the CLONE_SIGHAND 881b2c903b8SOleg Nesterov * but not CLONE_THREAD task, switch to the new one. 8821da177e4SLinus Torvalds */ 883b2c903b8SOleg Nesterov newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL); 884b2c903b8SOleg Nesterov if (!newsighand) 885b2c903b8SOleg Nesterov return -ENOMEM; 886b2c903b8SOleg Nesterov 8871da177e4SLinus Torvalds atomic_set(&newsighand->count, 1); 8881da177e4SLinus Torvalds memcpy(newsighand->action, oldsighand->action, 8891da177e4SLinus Torvalds sizeof(newsighand->action)); 8901da177e4SLinus Torvalds 8911da177e4SLinus Torvalds write_lock_irq(&tasklist_lock); 8921da177e4SLinus Torvalds spin_lock(&oldsighand->siglock); 893aafe6c2aSEric W. Biederman rcu_assign_pointer(tsk->sighand, newsighand); 8941da177e4SLinus Torvalds spin_unlock(&oldsighand->siglock); 8951da177e4SLinus Torvalds write_unlock_irq(&tasklist_lock); 8961da177e4SLinus Torvalds 897fba2afaaSDavide Libenzi __cleanup_sighand(oldsighand); 8981da177e4SLinus Torvalds } 8991da177e4SLinus Torvalds 900aafe6c2aSEric W. Biederman BUG_ON(!thread_group_leader(tsk)); 9011da177e4SLinus Torvalds return 0; 9021da177e4SLinus Torvalds } 9031da177e4SLinus Torvalds 9041da177e4SLinus Torvalds /* 9051da177e4SLinus Torvalds * These functions flushes out all traces of the currently running executable 9061da177e4SLinus Torvalds * so that a new one can be started 9071da177e4SLinus Torvalds */ 908858119e1SArjan van de Ven static void flush_old_files(struct files_struct * files) 9091da177e4SLinus Torvalds { 9101da177e4SLinus Torvalds long j = -1; 911badf1662SDipankar Sarma struct fdtable *fdt; 9121da177e4SLinus Torvalds 9131da177e4SLinus Torvalds spin_lock(&files->file_lock); 9141da177e4SLinus Torvalds for (;;) { 9151da177e4SLinus Torvalds unsigned long set, i; 9161da177e4SLinus Torvalds 9171da177e4SLinus Torvalds j++; 9181da177e4SLinus Torvalds i = j * __NFDBITS; 919badf1662SDipankar Sarma fdt = files_fdtable(files); 920bbea9f69SVadim Lobanov if (i >= fdt->max_fds) 9211da177e4SLinus Torvalds break; 922badf1662SDipankar Sarma set = fdt->close_on_exec->fds_bits[j]; 9231da177e4SLinus Torvalds if (!set) 9241da177e4SLinus Torvalds continue; 925badf1662SDipankar Sarma fdt->close_on_exec->fds_bits[j] = 0; 9261da177e4SLinus Torvalds spin_unlock(&files->file_lock); 9271da177e4SLinus Torvalds for ( ; set ; i++,set >>= 1) { 9281da177e4SLinus Torvalds if (set & 1) { 9291da177e4SLinus Torvalds sys_close(i); 9301da177e4SLinus Torvalds } 9311da177e4SLinus Torvalds } 9321da177e4SLinus Torvalds spin_lock(&files->file_lock); 9331da177e4SLinus Torvalds 9341da177e4SLinus Torvalds } 9351da177e4SLinus Torvalds spin_unlock(&files->file_lock); 9361da177e4SLinus Torvalds } 9371da177e4SLinus Torvalds 93859714d65SAndrew Morton char *get_task_comm(char *buf, struct task_struct *tsk) 9391da177e4SLinus Torvalds { 9401da177e4SLinus Torvalds /* buf must be at least sizeof(tsk->comm) in size */ 9411da177e4SLinus Torvalds task_lock(tsk); 9421da177e4SLinus Torvalds strncpy(buf, tsk->comm, sizeof(tsk->comm)); 9431da177e4SLinus Torvalds task_unlock(tsk); 94459714d65SAndrew Morton return buf; 9451da177e4SLinus Torvalds } 9461da177e4SLinus Torvalds 9471da177e4SLinus Torvalds void set_task_comm(struct task_struct *tsk, char *buf) 9481da177e4SLinus Torvalds { 9491da177e4SLinus Torvalds task_lock(tsk); 9504614a696Sjohn stultz 9514614a696Sjohn stultz /* 9524614a696Sjohn stultz * Threads may access current->comm without holding 9534614a696Sjohn stultz * the task lock, so write the string carefully. 9544614a696Sjohn stultz * Readers without a lock may see incomplete new 9554614a696Sjohn stultz * names but are safe from non-terminating string reads. 9564614a696Sjohn stultz */ 9574614a696Sjohn stultz memset(tsk->comm, 0, TASK_COMM_LEN); 9584614a696Sjohn stultz wmb(); 9591da177e4SLinus Torvalds strlcpy(tsk->comm, buf, sizeof(tsk->comm)); 9601da177e4SLinus Torvalds task_unlock(tsk); 961cdd6c482SIngo Molnar perf_event_comm(tsk); 9621da177e4SLinus Torvalds } 9631da177e4SLinus Torvalds 9641da177e4SLinus Torvalds int flush_old_exec(struct linux_binprm * bprm) 9651da177e4SLinus Torvalds { 966221af7f8SLinus Torvalds int retval; 9671da177e4SLinus Torvalds 9681da177e4SLinus Torvalds /* 9691da177e4SLinus Torvalds * Make sure we have a private signal table and that 9701da177e4SLinus Torvalds * we are unassociated from the previous thread group. 9711da177e4SLinus Torvalds */ 9721da177e4SLinus Torvalds retval = de_thread(current); 9731da177e4SLinus Torvalds if (retval) 9741da177e4SLinus Torvalds goto out; 9751da177e4SLinus Torvalds 976925d1c40SMatt Helsley set_mm_exe_file(bprm->mm, bprm->file); 977925d1c40SMatt Helsley 9781da177e4SLinus Torvalds /* 9791da177e4SLinus Torvalds * Release all of the old mmap stuff 9801da177e4SLinus Torvalds */ 9811da177e4SLinus Torvalds retval = exec_mmap(bprm->mm); 9821da177e4SLinus Torvalds if (retval) 983fd8328beSAl Viro goto out; 9841da177e4SLinus Torvalds 9851da177e4SLinus Torvalds bprm->mm = NULL; /* We're using it now */ 9867ab02af4SLinus Torvalds 9877ab02af4SLinus Torvalds current->flags &= ~PF_RANDOMIZE; 9887ab02af4SLinus Torvalds flush_thread(); 9897ab02af4SLinus Torvalds current->personality &= ~bprm->per_clear; 9907ab02af4SLinus Torvalds 991221af7f8SLinus Torvalds return 0; 992221af7f8SLinus Torvalds 993221af7f8SLinus Torvalds out: 994221af7f8SLinus Torvalds return retval; 995221af7f8SLinus Torvalds } 996221af7f8SLinus Torvalds EXPORT_SYMBOL(flush_old_exec); 997221af7f8SLinus Torvalds 998221af7f8SLinus Torvalds void setup_new_exec(struct linux_binprm * bprm) 999221af7f8SLinus Torvalds { 1000221af7f8SLinus Torvalds int i, ch; 1001221af7f8SLinus Torvalds char * name; 1002221af7f8SLinus Torvalds char tcomm[sizeof(current->comm)]; 1003221af7f8SLinus Torvalds 1004221af7f8SLinus Torvalds arch_pick_mmap_layout(current->mm); 10051da177e4SLinus Torvalds 10061da177e4SLinus Torvalds /* This is the point of no return */ 10071da177e4SLinus Torvalds current->sas_ss_sp = current->sas_ss_size = 0; 10081da177e4SLinus Torvalds 1009da9592edSDavid Howells if (current_euid() == current_uid() && current_egid() == current_gid()) 10106c5d5238SKawai, Hidehiro set_dumpable(current->mm, 1); 1011d6e71144SAlan Cox else 10126c5d5238SKawai, Hidehiro set_dumpable(current->mm, suid_dumpable); 1013d6e71144SAlan Cox 10141da177e4SLinus Torvalds name = bprm->filename; 101536772092SPaolo 'Blaisorblade' Giarrusso 101636772092SPaolo 'Blaisorblade' Giarrusso /* Copies the binary name from after last slash */ 10171da177e4SLinus Torvalds for (i=0; (ch = *(name++)) != '\0';) { 10181da177e4SLinus Torvalds if (ch == '/') 101936772092SPaolo 'Blaisorblade' Giarrusso i = 0; /* overwrite what we wrote */ 10201da177e4SLinus Torvalds else 10211da177e4SLinus Torvalds if (i < (sizeof(tcomm) - 1)) 10221da177e4SLinus Torvalds tcomm[i++] = ch; 10231da177e4SLinus Torvalds } 10241da177e4SLinus Torvalds tcomm[i] = '\0'; 10251da177e4SLinus Torvalds set_task_comm(current, tcomm); 10261da177e4SLinus Torvalds 10270551fbd2SBenjamin Herrenschmidt /* Set the new mm task size. We have to do that late because it may 10280551fbd2SBenjamin Herrenschmidt * depend on TIF_32BIT which is only updated in flush_thread() on 10290551fbd2SBenjamin Herrenschmidt * some architectures like powerpc 10300551fbd2SBenjamin Herrenschmidt */ 10310551fbd2SBenjamin Herrenschmidt current->mm->task_size = TASK_SIZE; 10320551fbd2SBenjamin Herrenschmidt 1033a6f76f23SDavid Howells /* install the new credentials */ 1034a6f76f23SDavid Howells if (bprm->cred->uid != current_euid() || 1035a6f76f23SDavid Howells bprm->cred->gid != current_egid()) { 1036d2d56c5fSMarcel Holtmann current->pdeath_signal = 0; 1037d2d56c5fSMarcel Holtmann } else if (file_permission(bprm->file, MAY_READ) || 1038a6f76f23SDavid Howells bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP) { 10396c5d5238SKawai, Hidehiro set_dumpable(current->mm, suid_dumpable); 10401da177e4SLinus Torvalds } 10411da177e4SLinus Torvalds 1042f65cb45cSIngo Molnar /* 1043f65cb45cSIngo Molnar * Flush performance counters when crossing a 1044f65cb45cSIngo Molnar * security domain: 1045f65cb45cSIngo Molnar */ 1046f65cb45cSIngo Molnar if (!get_dumpable(current->mm)) 1047cdd6c482SIngo Molnar perf_event_exit_task(current); 1048f65cb45cSIngo Molnar 10491da177e4SLinus Torvalds /* An exec changes our domain. We are no longer part of the thread 10501da177e4SLinus Torvalds group */ 10511da177e4SLinus Torvalds 10521da177e4SLinus Torvalds current->self_exec_id++; 10531da177e4SLinus Torvalds 10541da177e4SLinus Torvalds flush_signal_handlers(current, 0); 10551da177e4SLinus Torvalds flush_old_files(current->files); 10561da177e4SLinus Torvalds } 1057221af7f8SLinus Torvalds EXPORT_SYMBOL(setup_new_exec); 10581da177e4SLinus Torvalds 10591da177e4SLinus Torvalds /* 1060a2a8474cSOleg Nesterov * Prepare credentials and lock ->cred_guard_mutex. 1061a2a8474cSOleg Nesterov * install_exec_creds() commits the new creds and drops the lock. 1062a2a8474cSOleg Nesterov * Or, if exec fails before, free_bprm() should release ->cred and 1063a2a8474cSOleg Nesterov * and unlock. 1064a2a8474cSOleg Nesterov */ 1065a2a8474cSOleg Nesterov int prepare_bprm_creds(struct linux_binprm *bprm) 1066a2a8474cSOleg Nesterov { 1067a2a8474cSOleg Nesterov if (mutex_lock_interruptible(¤t->cred_guard_mutex)) 1068a2a8474cSOleg Nesterov return -ERESTARTNOINTR; 1069a2a8474cSOleg Nesterov 1070a2a8474cSOleg Nesterov bprm->cred = prepare_exec_creds(); 1071a2a8474cSOleg Nesterov if (likely(bprm->cred)) 1072a2a8474cSOleg Nesterov return 0; 1073a2a8474cSOleg Nesterov 1074a2a8474cSOleg Nesterov mutex_unlock(¤t->cred_guard_mutex); 1075a2a8474cSOleg Nesterov return -ENOMEM; 1076a2a8474cSOleg Nesterov } 1077a2a8474cSOleg Nesterov 1078a2a8474cSOleg Nesterov void free_bprm(struct linux_binprm *bprm) 1079a2a8474cSOleg Nesterov { 1080a2a8474cSOleg Nesterov free_arg_pages(bprm); 1081a2a8474cSOleg Nesterov if (bprm->cred) { 1082a2a8474cSOleg Nesterov mutex_unlock(¤t->cred_guard_mutex); 1083a2a8474cSOleg Nesterov abort_creds(bprm->cred); 1084a2a8474cSOleg Nesterov } 1085a2a8474cSOleg Nesterov kfree(bprm); 1086a2a8474cSOleg Nesterov } 1087a2a8474cSOleg Nesterov 1088a2a8474cSOleg Nesterov /* 1089a6f76f23SDavid Howells * install the new credentials for this executable 1090a6f76f23SDavid Howells */ 1091a6f76f23SDavid Howells void install_exec_creds(struct linux_binprm *bprm) 1092a6f76f23SDavid Howells { 1093a6f76f23SDavid Howells security_bprm_committing_creds(bprm); 1094a6f76f23SDavid Howells 1095a6f76f23SDavid Howells commit_creds(bprm->cred); 1096a6f76f23SDavid Howells bprm->cred = NULL; 1097a2a8474cSOleg Nesterov /* 1098a2a8474cSOleg Nesterov * cred_guard_mutex must be held at least to this point to prevent 1099a6f76f23SDavid Howells * ptrace_attach() from altering our determination of the task's 1100a2a8474cSOleg Nesterov * credentials; any time after this it may be unlocked. 1101a2a8474cSOleg Nesterov */ 1102a6f76f23SDavid Howells security_bprm_committed_creds(bprm); 1103a2a8474cSOleg Nesterov mutex_unlock(¤t->cred_guard_mutex); 1104a6f76f23SDavid Howells } 1105a6f76f23SDavid Howells EXPORT_SYMBOL(install_exec_creds); 1106a6f76f23SDavid Howells 1107a6f76f23SDavid Howells /* 1108a6f76f23SDavid Howells * determine how safe it is to execute the proposed program 11095e751e99SDavid Howells * - the caller must hold current->cred_guard_mutex to protect against 1110a6f76f23SDavid Howells * PTRACE_ATTACH 1111a6f76f23SDavid Howells */ 1112498052bbSAl Viro int check_unsafe_exec(struct linux_binprm *bprm) 1113a6f76f23SDavid Howells { 11140bf2f3aeSDavid Howells struct task_struct *p = current, *t; 1115f1191b50SAl Viro unsigned n_fs; 1116498052bbSAl Viro int res = 0; 1117a6f76f23SDavid Howells 1118a6f76f23SDavid Howells bprm->unsafe = tracehook_unsafe_exec(p); 1119a6f76f23SDavid Howells 11200bf2f3aeSDavid Howells n_fs = 1; 1121498052bbSAl Viro write_lock(&p->fs->lock); 1122437f7fdbSOleg Nesterov rcu_read_lock(); 11230bf2f3aeSDavid Howells for (t = next_thread(p); t != p; t = next_thread(t)) { 11240bf2f3aeSDavid Howells if (t->fs == p->fs) 11250bf2f3aeSDavid Howells n_fs++; 11260bf2f3aeSDavid Howells } 1127437f7fdbSOleg Nesterov rcu_read_unlock(); 11280bf2f3aeSDavid Howells 1129f1191b50SAl Viro if (p->fs->users > n_fs) { 1130a6f76f23SDavid Howells bprm->unsafe |= LSM_UNSAFE_SHARE; 1131498052bbSAl Viro } else { 1132498052bbSAl Viro res = -EAGAIN; 11338c652f96SOleg Nesterov if (!p->fs->in_exec) { 1134498052bbSAl Viro p->fs->in_exec = 1; 11358c652f96SOleg Nesterov res = 1; 11368c652f96SOleg Nesterov } 1137498052bbSAl Viro } 1138498052bbSAl Viro write_unlock(&p->fs->lock); 1139498052bbSAl Viro 1140498052bbSAl Viro return res; 1141a6f76f23SDavid Howells } 1142a6f76f23SDavid Howells 1143a6f76f23SDavid Howells /* 11441da177e4SLinus Torvalds * Fill the binprm structure from the inode. 11451da177e4SLinus Torvalds * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes 1146a6f76f23SDavid Howells * 1147a6f76f23SDavid Howells * This may be called multiple times for binary chains (scripts for example). 11481da177e4SLinus Torvalds */ 11491da177e4SLinus Torvalds int prepare_binprm(struct linux_binprm *bprm) 11501da177e4SLinus Torvalds { 1151a6f76f23SDavid Howells umode_t mode; 11520f7fc9e4SJosef "Jeff" Sipek struct inode * inode = bprm->file->f_path.dentry->d_inode; 11531da177e4SLinus Torvalds int retval; 11541da177e4SLinus Torvalds 11551da177e4SLinus Torvalds mode = inode->i_mode; 11561da177e4SLinus Torvalds if (bprm->file->f_op == NULL) 11571da177e4SLinus Torvalds return -EACCES; 11581da177e4SLinus Torvalds 1159a6f76f23SDavid Howells /* clear any previous set[ug]id data from a previous binary */ 1160a6f76f23SDavid Howells bprm->cred->euid = current_euid(); 1161a6f76f23SDavid Howells bprm->cred->egid = current_egid(); 11621da177e4SLinus Torvalds 11630f7fc9e4SJosef "Jeff" Sipek if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { 11641da177e4SLinus Torvalds /* Set-uid? */ 11651da177e4SLinus Torvalds if (mode & S_ISUID) { 1166a6f76f23SDavid Howells bprm->per_clear |= PER_CLEAR_ON_SETID; 1167a6f76f23SDavid Howells bprm->cred->euid = inode->i_uid; 11681da177e4SLinus Torvalds } 11691da177e4SLinus Torvalds 11701da177e4SLinus Torvalds /* Set-gid? */ 11711da177e4SLinus Torvalds /* 11721da177e4SLinus Torvalds * If setgid is set but no group execute bit then this 11731da177e4SLinus Torvalds * is a candidate for mandatory locking, not a setgid 11741da177e4SLinus Torvalds * executable. 11751da177e4SLinus Torvalds */ 11761da177e4SLinus Torvalds if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { 1177a6f76f23SDavid Howells bprm->per_clear |= PER_CLEAR_ON_SETID; 1178a6f76f23SDavid Howells bprm->cred->egid = inode->i_gid; 11791da177e4SLinus Torvalds } 11801da177e4SLinus Torvalds } 11811da177e4SLinus Torvalds 11821da177e4SLinus Torvalds /* fill in binprm security blob */ 1183a6f76f23SDavid Howells retval = security_bprm_set_creds(bprm); 11841da177e4SLinus Torvalds if (retval) 11851da177e4SLinus Torvalds return retval; 1186a6f76f23SDavid Howells bprm->cred_prepared = 1; 11871da177e4SLinus Torvalds 11881da177e4SLinus Torvalds memset(bprm->buf, 0, BINPRM_BUF_SIZE); 11891da177e4SLinus Torvalds return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE); 11901da177e4SLinus Torvalds } 11911da177e4SLinus Torvalds 11921da177e4SLinus Torvalds EXPORT_SYMBOL(prepare_binprm); 11931da177e4SLinus Torvalds 11944fc75ff4SNick Piggin /* 11954fc75ff4SNick Piggin * Arguments are '\0' separated strings found at the location bprm->p 11964fc75ff4SNick Piggin * points to; chop off the first by relocating brpm->p to right after 11974fc75ff4SNick Piggin * the first '\0' encountered. 11984fc75ff4SNick Piggin */ 1199b6a2fea3SOllie Wild int remove_arg_zero(struct linux_binprm *bprm) 12001da177e4SLinus Torvalds { 1201b6a2fea3SOllie Wild int ret = 0; 12021da177e4SLinus Torvalds unsigned long offset; 12031da177e4SLinus Torvalds char *kaddr; 12041da177e4SLinus Torvalds struct page *page; 12051da177e4SLinus Torvalds 1206b6a2fea3SOllie Wild if (!bprm->argc) 1207b6a2fea3SOllie Wild return 0; 12081da177e4SLinus Torvalds 1209b6a2fea3SOllie Wild do { 1210b6a2fea3SOllie Wild offset = bprm->p & ~PAGE_MASK; 1211b6a2fea3SOllie Wild page = get_arg_page(bprm, bprm->p, 0); 1212b6a2fea3SOllie Wild if (!page) { 1213b6a2fea3SOllie Wild ret = -EFAULT; 1214b6a2fea3SOllie Wild goto out; 1215b6a2fea3SOllie Wild } 12161da177e4SLinus Torvalds kaddr = kmap_atomic(page, KM_USER0); 12174fc75ff4SNick Piggin 1218b6a2fea3SOllie Wild for (; offset < PAGE_SIZE && kaddr[offset]; 1219b6a2fea3SOllie Wild offset++, bprm->p++) 1220b6a2fea3SOllie Wild ; 12214fc75ff4SNick Piggin 12221da177e4SLinus Torvalds kunmap_atomic(kaddr, KM_USER0); 1223b6a2fea3SOllie Wild put_arg_page(page); 12244fc75ff4SNick Piggin 1225b6a2fea3SOllie Wild if (offset == PAGE_SIZE) 1226b6a2fea3SOllie Wild free_arg_page(bprm, (bprm->p >> PAGE_SHIFT) - 1); 1227b6a2fea3SOllie Wild } while (offset == PAGE_SIZE); 12284fc75ff4SNick Piggin 1229b6a2fea3SOllie Wild bprm->p++; 12301da177e4SLinus Torvalds bprm->argc--; 1231b6a2fea3SOllie Wild ret = 0; 1232b6a2fea3SOllie Wild 1233b6a2fea3SOllie Wild out: 1234b6a2fea3SOllie Wild return ret; 12351da177e4SLinus Torvalds } 12361da177e4SLinus Torvalds EXPORT_SYMBOL(remove_arg_zero); 12371da177e4SLinus Torvalds 12381da177e4SLinus Torvalds /* 12391da177e4SLinus Torvalds * cycle the list of binary formats handler, until one recognizes the image 12401da177e4SLinus Torvalds */ 12411da177e4SLinus Torvalds int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) 12421da177e4SLinus Torvalds { 124385f33466SRoland McGrath unsigned int depth = bprm->recursion_depth; 12441da177e4SLinus Torvalds int try,retval; 12451da177e4SLinus Torvalds struct linux_binfmt *fmt; 12461da177e4SLinus Torvalds 12471da177e4SLinus Torvalds retval = security_bprm_check(bprm); 12481da177e4SLinus Torvalds if (retval) 12491da177e4SLinus Torvalds return retval; 12501da177e4SLinus Torvalds 12511da177e4SLinus Torvalds /* kernel module loader fixup */ 12521da177e4SLinus Torvalds /* so we don't try to load run modprobe in kernel space. */ 12531da177e4SLinus Torvalds set_fs(USER_DS); 1254473ae30bSAl Viro 1255473ae30bSAl Viro retval = audit_bprm(bprm); 1256473ae30bSAl Viro if (retval) 1257473ae30bSAl Viro return retval; 1258473ae30bSAl Viro 12591da177e4SLinus Torvalds retval = -ENOENT; 12601da177e4SLinus Torvalds for (try=0; try<2; try++) { 12611da177e4SLinus Torvalds read_lock(&binfmt_lock); 1262e4dc1b14SAlexey Dobriyan list_for_each_entry(fmt, &formats, lh) { 12631da177e4SLinus Torvalds int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary; 12641da177e4SLinus Torvalds if (!fn) 12651da177e4SLinus Torvalds continue; 12661da177e4SLinus Torvalds if (!try_module_get(fmt->module)) 12671da177e4SLinus Torvalds continue; 12681da177e4SLinus Torvalds read_unlock(&binfmt_lock); 12691da177e4SLinus Torvalds retval = fn(bprm, regs); 127085f33466SRoland McGrath /* 127185f33466SRoland McGrath * Restore the depth counter to its starting value 127285f33466SRoland McGrath * in this call, so we don't have to rely on every 127385f33466SRoland McGrath * load_binary function to restore it on return. 127485f33466SRoland McGrath */ 127585f33466SRoland McGrath bprm->recursion_depth = depth; 12761da177e4SLinus Torvalds if (retval >= 0) { 127785f33466SRoland McGrath if (depth == 0) 12786341c393SRoland McGrath tracehook_report_exec(fmt, bprm, regs); 12791da177e4SLinus Torvalds put_binfmt(fmt); 12801da177e4SLinus Torvalds allow_write_access(bprm->file); 12811da177e4SLinus Torvalds if (bprm->file) 12821da177e4SLinus Torvalds fput(bprm->file); 12831da177e4SLinus Torvalds bprm->file = NULL; 12841da177e4SLinus Torvalds current->did_exec = 1; 12859f46080cSMatt Helsley proc_exec_connector(current); 12861da177e4SLinus Torvalds return retval; 12871da177e4SLinus Torvalds } 12881da177e4SLinus Torvalds read_lock(&binfmt_lock); 12891da177e4SLinus Torvalds put_binfmt(fmt); 12901da177e4SLinus Torvalds if (retval != -ENOEXEC || bprm->mm == NULL) 12911da177e4SLinus Torvalds break; 12921da177e4SLinus Torvalds if (!bprm->file) { 12931da177e4SLinus Torvalds read_unlock(&binfmt_lock); 12941da177e4SLinus Torvalds return retval; 12951da177e4SLinus Torvalds } 12961da177e4SLinus Torvalds } 12971da177e4SLinus Torvalds read_unlock(&binfmt_lock); 12981da177e4SLinus Torvalds if (retval != -ENOEXEC || bprm->mm == NULL) { 12991da177e4SLinus Torvalds break; 13005f4123beSJohannes Berg #ifdef CONFIG_MODULES 13011da177e4SLinus Torvalds } else { 13021da177e4SLinus Torvalds #define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e)) 13031da177e4SLinus Torvalds if (printable(bprm->buf[0]) && 13041da177e4SLinus Torvalds printable(bprm->buf[1]) && 13051da177e4SLinus Torvalds printable(bprm->buf[2]) && 13061da177e4SLinus Torvalds printable(bprm->buf[3])) 13071da177e4SLinus Torvalds break; /* -ENOEXEC */ 13081da177e4SLinus Torvalds request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2])); 13091da177e4SLinus Torvalds #endif 13101da177e4SLinus Torvalds } 13111da177e4SLinus Torvalds } 13121da177e4SLinus Torvalds return retval; 13131da177e4SLinus Torvalds } 13141da177e4SLinus Torvalds 13151da177e4SLinus Torvalds EXPORT_SYMBOL(search_binary_handler); 13161da177e4SLinus Torvalds 13171da177e4SLinus Torvalds /* 13181da177e4SLinus Torvalds * sys_execve() executes a new program. 13191da177e4SLinus Torvalds */ 13201da177e4SLinus Torvalds int do_execve(char * filename, 13211da177e4SLinus Torvalds char __user *__user *argv, 13221da177e4SLinus Torvalds char __user *__user *envp, 13231da177e4SLinus Torvalds struct pt_regs * regs) 13241da177e4SLinus Torvalds { 13251da177e4SLinus Torvalds struct linux_binprm *bprm; 13261da177e4SLinus Torvalds struct file *file; 13273b125388SAl Viro struct files_struct *displaced; 13288c652f96SOleg Nesterov bool clear_in_exec; 13291da177e4SLinus Torvalds int retval; 13301da177e4SLinus Torvalds 13313b125388SAl Viro retval = unshare_files(&displaced); 1332fd8328beSAl Viro if (retval) 1333fd8328beSAl Viro goto out_ret; 1334fd8328beSAl Viro 13351da177e4SLinus Torvalds retval = -ENOMEM; 133611b0b5abSOliver Neukum bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); 13371da177e4SLinus Torvalds if (!bprm) 1338fd8328beSAl Viro goto out_files; 13391da177e4SLinus Torvalds 1340a2a8474cSOleg Nesterov retval = prepare_bprm_creds(bprm); 1341a2a8474cSOleg Nesterov if (retval) 1342a6f76f23SDavid Howells goto out_free; 1343498052bbSAl Viro 1344498052bbSAl Viro retval = check_unsafe_exec(bprm); 13458c652f96SOleg Nesterov if (retval < 0) 1346a2a8474cSOleg Nesterov goto out_free; 13478c652f96SOleg Nesterov clear_in_exec = retval; 1348a2a8474cSOleg Nesterov current->in_execve = 1; 1349a6f76f23SDavid Howells 13501da177e4SLinus Torvalds file = open_exec(filename); 13511da177e4SLinus Torvalds retval = PTR_ERR(file); 13521da177e4SLinus Torvalds if (IS_ERR(file)) 1353498052bbSAl Viro goto out_unmark; 13541da177e4SLinus Torvalds 13551da177e4SLinus Torvalds sched_exec(); 13561da177e4SLinus Torvalds 13571da177e4SLinus Torvalds bprm->file = file; 13581da177e4SLinus Torvalds bprm->filename = filename; 13591da177e4SLinus Torvalds bprm->interp = filename; 1360b6a2fea3SOllie Wild 1361b6a2fea3SOllie Wild retval = bprm_mm_init(bprm); 1362b6a2fea3SOllie Wild if (retval) 13631da177e4SLinus Torvalds goto out_file; 13641da177e4SLinus Torvalds 1365b6a2fea3SOllie Wild bprm->argc = count(argv, MAX_ARG_STRINGS); 13661da177e4SLinus Torvalds if ((retval = bprm->argc) < 0) 1367a6f76f23SDavid Howells goto out; 13681da177e4SLinus Torvalds 1369b6a2fea3SOllie Wild bprm->envc = count(envp, MAX_ARG_STRINGS); 13701da177e4SLinus Torvalds if ((retval = bprm->envc) < 0) 13711da177e4SLinus Torvalds goto out; 13721da177e4SLinus Torvalds 13731da177e4SLinus Torvalds retval = prepare_binprm(bprm); 13741da177e4SLinus Torvalds if (retval < 0) 13751da177e4SLinus Torvalds goto out; 13761da177e4SLinus Torvalds 13771da177e4SLinus Torvalds retval = copy_strings_kernel(1, &bprm->filename, bprm); 13781da177e4SLinus Torvalds if (retval < 0) 13791da177e4SLinus Torvalds goto out; 13801da177e4SLinus Torvalds 13811da177e4SLinus Torvalds bprm->exec = bprm->p; 13821da177e4SLinus Torvalds retval = copy_strings(bprm->envc, envp, bprm); 13831da177e4SLinus Torvalds if (retval < 0) 13841da177e4SLinus Torvalds goto out; 13851da177e4SLinus Torvalds 13861da177e4SLinus Torvalds retval = copy_strings(bprm->argc, argv, bprm); 13871da177e4SLinus Torvalds if (retval < 0) 13881da177e4SLinus Torvalds goto out; 13891da177e4SLinus Torvalds 13907b34e428SOleg Nesterov current->flags &= ~PF_KTHREAD; 13911da177e4SLinus Torvalds retval = search_binary_handler(bprm,regs); 1392a6f76f23SDavid Howells if (retval < 0) 1393a6f76f23SDavid Howells goto out; 1394a6f76f23SDavid Howells 1395a6f76f23SDavid Howells /* execve succeeded */ 1396498052bbSAl Viro current->fs->in_exec = 0; 1397f9ce1f1cSKentaro Takeda current->in_execve = 0; 13981da177e4SLinus Torvalds acct_update_integrals(current); 139908a6fac1SAl Viro free_bprm(bprm); 14003b125388SAl Viro if (displaced) 14013b125388SAl Viro put_files_struct(displaced); 14021da177e4SLinus Torvalds return retval; 14031da177e4SLinus Torvalds 14041da177e4SLinus Torvalds out: 14051da177e4SLinus Torvalds if (bprm->mm) 1406b6a2fea3SOllie Wild mmput (bprm->mm); 14071da177e4SLinus Torvalds 14081da177e4SLinus Torvalds out_file: 14091da177e4SLinus Torvalds if (bprm->file) { 14101da177e4SLinus Torvalds allow_write_access(bprm->file); 14111da177e4SLinus Torvalds fput(bprm->file); 14121da177e4SLinus Torvalds } 1413a6f76f23SDavid Howells 1414498052bbSAl Viro out_unmark: 14158c652f96SOleg Nesterov if (clear_in_exec) 1416498052bbSAl Viro current->fs->in_exec = 0; 1417f9ce1f1cSKentaro Takeda current->in_execve = 0; 1418a6f76f23SDavid Howells 1419a6f76f23SDavid Howells out_free: 142008a6fac1SAl Viro free_bprm(bprm); 14211da177e4SLinus Torvalds 1422fd8328beSAl Viro out_files: 14233b125388SAl Viro if (displaced) 14243b125388SAl Viro reset_files_struct(displaced); 14251da177e4SLinus Torvalds out_ret: 14261da177e4SLinus Torvalds return retval; 14271da177e4SLinus Torvalds } 14281da177e4SLinus Torvalds 1429964ee7dfSOleg Nesterov void set_binfmt(struct linux_binfmt *new) 14301da177e4SLinus Torvalds { 1431801460d0SHiroshi Shimamoto struct mm_struct *mm = current->mm; 14321da177e4SLinus Torvalds 1433801460d0SHiroshi Shimamoto if (mm->binfmt) 1434801460d0SHiroshi Shimamoto module_put(mm->binfmt->module); 1435801460d0SHiroshi Shimamoto 1436801460d0SHiroshi Shimamoto mm->binfmt = new; 1437964ee7dfSOleg Nesterov if (new) 1438964ee7dfSOleg Nesterov __module_get(new->module); 14391da177e4SLinus Torvalds } 14401da177e4SLinus Torvalds 14411da177e4SLinus Torvalds EXPORT_SYMBOL(set_binfmt); 14421da177e4SLinus Torvalds 14431da177e4SLinus Torvalds /* format_corename will inspect the pattern parameter, and output a 14441da177e4SLinus Torvalds * name into corename, which must have space for at least 14451da177e4SLinus Torvalds * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator. 14461da177e4SLinus Torvalds */ 14476409324bSOleg Nesterov static int format_corename(char *corename, long signr) 14481da177e4SLinus Torvalds { 144986a264abSDavid Howells const struct cred *cred = current_cred(); 1450565b9b14SOleg Nesterov const char *pat_ptr = core_pattern; 1451565b9b14SOleg Nesterov int ispipe = (*pat_ptr == '|'); 14521da177e4SLinus Torvalds char *out_ptr = corename; 14531da177e4SLinus Torvalds char *const out_end = corename + CORENAME_MAX_SIZE; 14541da177e4SLinus Torvalds int rc; 14551da177e4SLinus Torvalds int pid_in_pattern = 0; 14561da177e4SLinus Torvalds 14571da177e4SLinus Torvalds /* Repeat as long as we have more pattern to process and more output 14581da177e4SLinus Torvalds space */ 14591da177e4SLinus Torvalds while (*pat_ptr) { 14601da177e4SLinus Torvalds if (*pat_ptr != '%') { 14611da177e4SLinus Torvalds if (out_ptr == out_end) 14621da177e4SLinus Torvalds goto out; 14631da177e4SLinus Torvalds *out_ptr++ = *pat_ptr++; 14641da177e4SLinus Torvalds } else { 14651da177e4SLinus Torvalds switch (*++pat_ptr) { 14661da177e4SLinus Torvalds case 0: 14671da177e4SLinus Torvalds goto out; 14681da177e4SLinus Torvalds /* Double percent, output one percent */ 14691da177e4SLinus Torvalds case '%': 14701da177e4SLinus Torvalds if (out_ptr == out_end) 14711da177e4SLinus Torvalds goto out; 14721da177e4SLinus Torvalds *out_ptr++ = '%'; 14731da177e4SLinus Torvalds break; 14741da177e4SLinus Torvalds /* pid */ 14751da177e4SLinus Torvalds case 'p': 14761da177e4SLinus Torvalds pid_in_pattern = 1; 14771da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 1478b488893aSPavel Emelyanov "%d", task_tgid_vnr(current)); 14791da177e4SLinus Torvalds if (rc > out_end - out_ptr) 14801da177e4SLinus Torvalds goto out; 14811da177e4SLinus Torvalds out_ptr += rc; 14821da177e4SLinus Torvalds break; 14831da177e4SLinus Torvalds /* uid */ 14841da177e4SLinus Torvalds case 'u': 14851da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 148686a264abSDavid Howells "%d", cred->uid); 14871da177e4SLinus Torvalds if (rc > out_end - out_ptr) 14881da177e4SLinus Torvalds goto out; 14891da177e4SLinus Torvalds out_ptr += rc; 14901da177e4SLinus Torvalds break; 14911da177e4SLinus Torvalds /* gid */ 14921da177e4SLinus Torvalds case 'g': 14931da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 149486a264abSDavid Howells "%d", cred->gid); 14951da177e4SLinus Torvalds if (rc > out_end - out_ptr) 14961da177e4SLinus Torvalds goto out; 14971da177e4SLinus Torvalds out_ptr += rc; 14981da177e4SLinus Torvalds break; 14991da177e4SLinus Torvalds /* signal that caused the coredump */ 15001da177e4SLinus Torvalds case 's': 15011da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 15021da177e4SLinus Torvalds "%ld", signr); 15031da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15041da177e4SLinus Torvalds goto out; 15051da177e4SLinus Torvalds out_ptr += rc; 15061da177e4SLinus Torvalds break; 15071da177e4SLinus Torvalds /* UNIX time of coredump */ 15081da177e4SLinus Torvalds case 't': { 15091da177e4SLinus Torvalds struct timeval tv; 15101da177e4SLinus Torvalds do_gettimeofday(&tv); 15111da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 15121da177e4SLinus Torvalds "%lu", tv.tv_sec); 15131da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15141da177e4SLinus Torvalds goto out; 15151da177e4SLinus Torvalds out_ptr += rc; 15161da177e4SLinus Torvalds break; 15171da177e4SLinus Torvalds } 15181da177e4SLinus Torvalds /* hostname */ 15191da177e4SLinus Torvalds case 'h': 15201da177e4SLinus Torvalds down_read(&uts_sem); 15211da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 1522e9ff3990SSerge E. Hallyn "%s", utsname()->nodename); 15231da177e4SLinus Torvalds up_read(&uts_sem); 15241da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15251da177e4SLinus Torvalds goto out; 15261da177e4SLinus Torvalds out_ptr += rc; 15271da177e4SLinus Torvalds break; 15281da177e4SLinus Torvalds /* executable */ 15291da177e4SLinus Torvalds case 'e': 15301da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 15311da177e4SLinus Torvalds "%s", current->comm); 15321da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15331da177e4SLinus Torvalds goto out; 15341da177e4SLinus Torvalds out_ptr += rc; 15351da177e4SLinus Torvalds break; 153674aadce9SNeil Horman /* core limit size */ 153774aadce9SNeil Horman case 'c': 153874aadce9SNeil Horman rc = snprintf(out_ptr, out_end - out_ptr, 1539d554ed89SJiri Slaby "%lu", rlimit(RLIMIT_CORE)); 154074aadce9SNeil Horman if (rc > out_end - out_ptr) 154174aadce9SNeil Horman goto out; 154274aadce9SNeil Horman out_ptr += rc; 154374aadce9SNeil Horman break; 15441da177e4SLinus Torvalds default: 15451da177e4SLinus Torvalds break; 15461da177e4SLinus Torvalds } 15471da177e4SLinus Torvalds ++pat_ptr; 15481da177e4SLinus Torvalds } 15491da177e4SLinus Torvalds } 15501da177e4SLinus Torvalds /* Backward compatibility with core_uses_pid: 15511da177e4SLinus Torvalds * 15521da177e4SLinus Torvalds * If core_pattern does not include a %p (as is the default) 15531da177e4SLinus Torvalds * and core_uses_pid is set, then .%pid will be appended to 1554c4bbafdaSAlan Cox * the filename. Do not do this for piped commands. */ 15556409324bSOleg Nesterov if (!ispipe && !pid_in_pattern && core_uses_pid) { 15561da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 1557b488893aSPavel Emelyanov ".%d", task_tgid_vnr(current)); 15581da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15591da177e4SLinus Torvalds goto out; 15601da177e4SLinus Torvalds out_ptr += rc; 15611da177e4SLinus Torvalds } 15621da177e4SLinus Torvalds out: 15631da177e4SLinus Torvalds *out_ptr = 0; 1564c4bbafdaSAlan Cox return ispipe; 15651da177e4SLinus Torvalds } 15661da177e4SLinus Torvalds 15675c99cbf4SOleg Nesterov static int zap_process(struct task_struct *start, int exit_code) 1568aceecc04SOleg Nesterov { 1569aceecc04SOleg Nesterov struct task_struct *t; 15708cd9c249SOleg Nesterov int nr = 0; 1571281de339SOleg Nesterov 1572d5f70c00SOleg Nesterov start->signal->flags = SIGNAL_GROUP_EXIT; 15735c99cbf4SOleg Nesterov start->signal->group_exit_code = exit_code; 1574d5f70c00SOleg Nesterov start->signal->group_stop_count = 0; 1575aceecc04SOleg Nesterov 1576aceecc04SOleg Nesterov t = start; 1577aceecc04SOleg Nesterov do { 1578aceecc04SOleg Nesterov if (t != current && t->mm) { 1579281de339SOleg Nesterov sigaddset(&t->pending.signal, SIGKILL); 1580281de339SOleg Nesterov signal_wake_up(t, 1); 15818cd9c249SOleg Nesterov nr++; 1582aceecc04SOleg Nesterov } 1583e4901f92SOleg Nesterov } while_each_thread(start, t); 15848cd9c249SOleg Nesterov 15858cd9c249SOleg Nesterov return nr; 1586aceecc04SOleg Nesterov } 1587aceecc04SOleg Nesterov 1588dcf560c5SOleg Nesterov static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm, 15898cd9c249SOleg Nesterov struct core_state *core_state, int exit_code) 15901da177e4SLinus Torvalds { 15911da177e4SLinus Torvalds struct task_struct *g, *p; 15925debfa6dSOleg Nesterov unsigned long flags; 15938cd9c249SOleg Nesterov int nr = -EAGAIN; 15941da177e4SLinus Torvalds 1595dcf560c5SOleg Nesterov spin_lock_irq(&tsk->sighand->siglock); 1596ed5d2cacSOleg Nesterov if (!signal_group_exit(tsk->signal)) { 15978cd9c249SOleg Nesterov mm->core_state = core_state; 15985c99cbf4SOleg Nesterov nr = zap_process(tsk, exit_code); 15991da177e4SLinus Torvalds } 1600dcf560c5SOleg Nesterov spin_unlock_irq(&tsk->sighand->siglock); 16018cd9c249SOleg Nesterov if (unlikely(nr < 0)) 16028cd9c249SOleg Nesterov return nr; 16031da177e4SLinus Torvalds 16048cd9c249SOleg Nesterov if (atomic_read(&mm->mm_users) == nr + 1) 16055debfa6dSOleg Nesterov goto done; 1606e4901f92SOleg Nesterov /* 1607e4901f92SOleg Nesterov * We should find and kill all tasks which use this mm, and we should 1608999d9fc1SOleg Nesterov * count them correctly into ->nr_threads. We don't take tasklist 1609e4901f92SOleg Nesterov * lock, but this is safe wrt: 1610e4901f92SOleg Nesterov * 1611e4901f92SOleg Nesterov * fork: 1612e4901f92SOleg Nesterov * None of sub-threads can fork after zap_process(leader). All 1613e4901f92SOleg Nesterov * processes which were created before this point should be 1614e4901f92SOleg Nesterov * visible to zap_threads() because copy_process() adds the new 1615e4901f92SOleg Nesterov * process to the tail of init_task.tasks list, and lock/unlock 1616e4901f92SOleg Nesterov * of ->siglock provides a memory barrier. 1617e4901f92SOleg Nesterov * 1618e4901f92SOleg Nesterov * do_exit: 1619e4901f92SOleg Nesterov * The caller holds mm->mmap_sem. This means that the task which 1620e4901f92SOleg Nesterov * uses this mm can't pass exit_mm(), so it can't exit or clear 1621e4901f92SOleg Nesterov * its ->mm. 1622e4901f92SOleg Nesterov * 1623e4901f92SOleg Nesterov * de_thread: 1624e4901f92SOleg Nesterov * It does list_replace_rcu(&leader->tasks, ¤t->tasks), 1625e4901f92SOleg Nesterov * we must see either old or new leader, this does not matter. 1626e4901f92SOleg Nesterov * However, it can change p->sighand, so lock_task_sighand(p) 1627e4901f92SOleg Nesterov * must be used. Since p->mm != NULL and we hold ->mmap_sem 1628e4901f92SOleg Nesterov * it can't fail. 1629e4901f92SOleg Nesterov * 1630e4901f92SOleg Nesterov * Note also that "g" can be the old leader with ->mm == NULL 1631e4901f92SOleg Nesterov * and already unhashed and thus removed from ->thread_group. 1632e4901f92SOleg Nesterov * This is OK, __unhash_process()->list_del_rcu() does not 1633e4901f92SOleg Nesterov * clear the ->next pointer, we will find the new leader via 1634e4901f92SOleg Nesterov * next_thread(). 1635e4901f92SOleg Nesterov */ 16367b1c6154SOleg Nesterov rcu_read_lock(); 1637aceecc04SOleg Nesterov for_each_process(g) { 16385debfa6dSOleg Nesterov if (g == tsk->group_leader) 16395debfa6dSOleg Nesterov continue; 164015b9f360SOleg Nesterov if (g->flags & PF_KTHREAD) 164115b9f360SOleg Nesterov continue; 1642aceecc04SOleg Nesterov p = g; 1643aceecc04SOleg Nesterov do { 1644aceecc04SOleg Nesterov if (p->mm) { 164515b9f360SOleg Nesterov if (unlikely(p->mm == mm)) { 16465debfa6dSOleg Nesterov lock_task_sighand(p, &flags); 16475c99cbf4SOleg Nesterov nr += zap_process(p, exit_code); 16485debfa6dSOleg Nesterov unlock_task_sighand(p, &flags); 16495debfa6dSOleg Nesterov } 1650aceecc04SOleg Nesterov break; 16511da177e4SLinus Torvalds } 1652e4901f92SOleg Nesterov } while_each_thread(g, p); 1653aceecc04SOleg Nesterov } 16547b1c6154SOleg Nesterov rcu_read_unlock(); 16555debfa6dSOleg Nesterov done: 1656c5f1cc8cSOleg Nesterov atomic_set(&core_state->nr_threads, nr); 16578cd9c249SOleg Nesterov return nr; 16581da177e4SLinus Torvalds } 16591da177e4SLinus Torvalds 16609d5b327bSOleg Nesterov static int coredump_wait(int exit_code, struct core_state *core_state) 16611da177e4SLinus Torvalds { 1662dcf560c5SOleg Nesterov struct task_struct *tsk = current; 1663dcf560c5SOleg Nesterov struct mm_struct *mm = tsk->mm; 1664dcf560c5SOleg Nesterov struct completion *vfork_done; 1665269b005aSOleg Nesterov int core_waiters = -EBUSY; 16661da177e4SLinus Torvalds 16679d5b327bSOleg Nesterov init_completion(&core_state->startup); 1668b564daf8SOleg Nesterov core_state->dumper.task = tsk; 1669b564daf8SOleg Nesterov core_state->dumper.next = NULL; 1670269b005aSOleg Nesterov 1671269b005aSOleg Nesterov down_write(&mm->mmap_sem); 1672269b005aSOleg Nesterov if (!mm->core_state) 16739d5b327bSOleg Nesterov core_waiters = zap_threads(tsk, mm, core_state, exit_code); 16741da177e4SLinus Torvalds up_write(&mm->mmap_sem); 16752384f55fSOleg Nesterov 1676dcf560c5SOleg Nesterov if (unlikely(core_waiters < 0)) 1677dcf560c5SOleg Nesterov goto fail; 1678dcf560c5SOleg Nesterov 1679dcf560c5SOleg Nesterov /* 1680dcf560c5SOleg Nesterov * Make sure nobody is waiting for us to release the VM, 1681dcf560c5SOleg Nesterov * otherwise we can deadlock when we wait on each other 1682dcf560c5SOleg Nesterov */ 1683dcf560c5SOleg Nesterov vfork_done = tsk->vfork_done; 1684dcf560c5SOleg Nesterov if (vfork_done) { 1685dcf560c5SOleg Nesterov tsk->vfork_done = NULL; 1686dcf560c5SOleg Nesterov complete(vfork_done); 1687dcf560c5SOleg Nesterov } 1688dcf560c5SOleg Nesterov 16892384f55fSOleg Nesterov if (core_waiters) 16909d5b327bSOleg Nesterov wait_for_completion(&core_state->startup); 1691dcf560c5SOleg Nesterov fail: 1692dcf560c5SOleg Nesterov return core_waiters; 16931da177e4SLinus Torvalds } 16941da177e4SLinus Torvalds 1695a94e2d40SOleg Nesterov static void coredump_finish(struct mm_struct *mm) 1696a94e2d40SOleg Nesterov { 1697a94e2d40SOleg Nesterov struct core_thread *curr, *next; 1698a94e2d40SOleg Nesterov struct task_struct *task; 1699a94e2d40SOleg Nesterov 1700a94e2d40SOleg Nesterov next = mm->core_state->dumper.next; 1701a94e2d40SOleg Nesterov while ((curr = next) != NULL) { 1702a94e2d40SOleg Nesterov next = curr->next; 1703a94e2d40SOleg Nesterov task = curr->task; 1704a94e2d40SOleg Nesterov /* 1705a94e2d40SOleg Nesterov * see exit_mm(), curr->task must not see 1706a94e2d40SOleg Nesterov * ->task == NULL before we read ->next. 1707a94e2d40SOleg Nesterov */ 1708a94e2d40SOleg Nesterov smp_mb(); 1709a94e2d40SOleg Nesterov curr->task = NULL; 1710a94e2d40SOleg Nesterov wake_up_process(task); 1711a94e2d40SOleg Nesterov } 1712a94e2d40SOleg Nesterov 1713a94e2d40SOleg Nesterov mm->core_state = NULL; 1714a94e2d40SOleg Nesterov } 1715a94e2d40SOleg Nesterov 17166c5d5238SKawai, Hidehiro /* 17176c5d5238SKawai, Hidehiro * set_dumpable converts traditional three-value dumpable to two flags and 17186c5d5238SKawai, Hidehiro * stores them into mm->flags. It modifies lower two bits of mm->flags, but 17196c5d5238SKawai, Hidehiro * these bits are not changed atomically. So get_dumpable can observe the 17206c5d5238SKawai, Hidehiro * intermediate state. To avoid doing unexpected behavior, get get_dumpable 17216c5d5238SKawai, Hidehiro * return either old dumpable or new one by paying attention to the order of 17226c5d5238SKawai, Hidehiro * modifying the bits. 17236c5d5238SKawai, Hidehiro * 17246c5d5238SKawai, Hidehiro * dumpable | mm->flags (binary) 17256c5d5238SKawai, Hidehiro * old new | initial interim final 17266c5d5238SKawai, Hidehiro * ---------+----------------------- 17276c5d5238SKawai, Hidehiro * 0 1 | 00 01 01 17286c5d5238SKawai, Hidehiro * 0 2 | 00 10(*) 11 17296c5d5238SKawai, Hidehiro * 1 0 | 01 00 00 17306c5d5238SKawai, Hidehiro * 1 2 | 01 11 11 17316c5d5238SKawai, Hidehiro * 2 0 | 11 10(*) 00 17326c5d5238SKawai, Hidehiro * 2 1 | 11 11 01 17336c5d5238SKawai, Hidehiro * 17346c5d5238SKawai, Hidehiro * (*) get_dumpable regards interim value of 10 as 11. 17356c5d5238SKawai, Hidehiro */ 17366c5d5238SKawai, Hidehiro void set_dumpable(struct mm_struct *mm, int value) 17376c5d5238SKawai, Hidehiro { 17386c5d5238SKawai, Hidehiro switch (value) { 17396c5d5238SKawai, Hidehiro case 0: 17406c5d5238SKawai, Hidehiro clear_bit(MMF_DUMPABLE, &mm->flags); 17416c5d5238SKawai, Hidehiro smp_wmb(); 17426c5d5238SKawai, Hidehiro clear_bit(MMF_DUMP_SECURELY, &mm->flags); 17436c5d5238SKawai, Hidehiro break; 17446c5d5238SKawai, Hidehiro case 1: 17456c5d5238SKawai, Hidehiro set_bit(MMF_DUMPABLE, &mm->flags); 17466c5d5238SKawai, Hidehiro smp_wmb(); 17476c5d5238SKawai, Hidehiro clear_bit(MMF_DUMP_SECURELY, &mm->flags); 17486c5d5238SKawai, Hidehiro break; 17496c5d5238SKawai, Hidehiro case 2: 17506c5d5238SKawai, Hidehiro set_bit(MMF_DUMP_SECURELY, &mm->flags); 17516c5d5238SKawai, Hidehiro smp_wmb(); 17526c5d5238SKawai, Hidehiro set_bit(MMF_DUMPABLE, &mm->flags); 17536c5d5238SKawai, Hidehiro break; 17546c5d5238SKawai, Hidehiro } 17556c5d5238SKawai, Hidehiro } 17566c5d5238SKawai, Hidehiro 175730736a4dSMasami Hiramatsu static int __get_dumpable(unsigned long mm_flags) 17586c5d5238SKawai, Hidehiro { 17596c5d5238SKawai, Hidehiro int ret; 17606c5d5238SKawai, Hidehiro 176130736a4dSMasami Hiramatsu ret = mm_flags & MMF_DUMPABLE_MASK; 17626c5d5238SKawai, Hidehiro return (ret >= 2) ? 2 : ret; 17636c5d5238SKawai, Hidehiro } 17646c5d5238SKawai, Hidehiro 176530736a4dSMasami Hiramatsu int get_dumpable(struct mm_struct *mm) 176630736a4dSMasami Hiramatsu { 176730736a4dSMasami Hiramatsu return __get_dumpable(mm->flags); 176830736a4dSMasami Hiramatsu } 176930736a4dSMasami Hiramatsu 177061be228aSNeil Horman static void wait_for_dump_helpers(struct file *file) 177161be228aSNeil Horman { 177261be228aSNeil Horman struct pipe_inode_info *pipe; 177361be228aSNeil Horman 177461be228aSNeil Horman pipe = file->f_path.dentry->d_inode->i_pipe; 177561be228aSNeil Horman 177661be228aSNeil Horman pipe_lock(pipe); 177761be228aSNeil Horman pipe->readers++; 177861be228aSNeil Horman pipe->writers--; 177961be228aSNeil Horman 178061be228aSNeil Horman while ((pipe->readers > 1) && (!signal_pending(current))) { 178161be228aSNeil Horman wake_up_interruptible_sync(&pipe->wait); 178261be228aSNeil Horman kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); 178361be228aSNeil Horman pipe_wait(pipe); 178461be228aSNeil Horman } 178561be228aSNeil Horman 178661be228aSNeil Horman pipe->readers--; 178761be228aSNeil Horman pipe->writers++; 178861be228aSNeil Horman pipe_unlock(pipe); 178961be228aSNeil Horman 179061be228aSNeil Horman } 179161be228aSNeil Horman 179261be228aSNeil Horman 1793898b374aSNeil Horman /* 1794898b374aSNeil Horman * uhm_pipe_setup 1795898b374aSNeil Horman * helper function to customize the process used 1796898b374aSNeil Horman * to collect the core in userspace. Specifically 1797898b374aSNeil Horman * it sets up a pipe and installs it as fd 0 (stdin) 1798898b374aSNeil Horman * for the process. Returns 0 on success, or 1799898b374aSNeil Horman * PTR_ERR on failure. 1800898b374aSNeil Horman * Note that it also sets the core limit to 1. This 1801898b374aSNeil Horman * is a special value that we use to trap recursive 1802898b374aSNeil Horman * core dumps 1803898b374aSNeil Horman */ 1804898b374aSNeil Horman static int umh_pipe_setup(struct subprocess_info *info) 1805898b374aSNeil Horman { 1806898b374aSNeil Horman struct file *rp, *wp; 1807898b374aSNeil Horman struct fdtable *fdt; 1808898b374aSNeil Horman struct coredump_params *cp = (struct coredump_params *)info->data; 1809898b374aSNeil Horman struct files_struct *cf = current->files; 1810898b374aSNeil Horman 1811898b374aSNeil Horman wp = create_write_pipe(0); 1812898b374aSNeil Horman if (IS_ERR(wp)) 1813898b374aSNeil Horman return PTR_ERR(wp); 1814898b374aSNeil Horman 1815898b374aSNeil Horman rp = create_read_pipe(wp, 0); 1816898b374aSNeil Horman if (IS_ERR(rp)) { 1817898b374aSNeil Horman free_write_pipe(wp); 1818898b374aSNeil Horman return PTR_ERR(rp); 1819898b374aSNeil Horman } 1820898b374aSNeil Horman 1821898b374aSNeil Horman cp->file = wp; 1822898b374aSNeil Horman 1823898b374aSNeil Horman sys_close(0); 1824898b374aSNeil Horman fd_install(0, rp); 1825898b374aSNeil Horman spin_lock(&cf->file_lock); 1826898b374aSNeil Horman fdt = files_fdtable(cf); 1827898b374aSNeil Horman FD_SET(0, fdt->open_fds); 1828898b374aSNeil Horman FD_CLR(0, fdt->close_on_exec); 1829898b374aSNeil Horman spin_unlock(&cf->file_lock); 1830898b374aSNeil Horman 1831898b374aSNeil Horman /* and disallow core files too */ 1832898b374aSNeil Horman current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1}; 1833898b374aSNeil Horman 1834898b374aSNeil Horman return 0; 1835898b374aSNeil Horman } 1836898b374aSNeil Horman 18378cd3ac3aSWANG Cong void do_coredump(long signr, int exit_code, struct pt_regs *regs) 18381da177e4SLinus Torvalds { 18399d5b327bSOleg Nesterov struct core_state core_state; 18401da177e4SLinus Torvalds char corename[CORENAME_MAX_SIZE + 1]; 18411da177e4SLinus Torvalds struct mm_struct *mm = current->mm; 18421da177e4SLinus Torvalds struct linux_binfmt * binfmt; 1843d84f4f99SDavid Howells const struct cred *old_cred; 1844d84f4f99SDavid Howells struct cred *cred; 18451da177e4SLinus Torvalds int retval = 0; 1846d6e71144SAlan Cox int flag = 0; 1847d5bf4c4fSOleg Nesterov int ispipe; 1848a293980cSNeil Horman static atomic_t core_dump_count = ATOMIC_INIT(0); 1849f6151dfeSMasami Hiramatsu struct coredump_params cprm = { 1850f6151dfeSMasami Hiramatsu .signr = signr, 1851f6151dfeSMasami Hiramatsu .regs = regs, 1852d554ed89SJiri Slaby .limit = rlimit(RLIMIT_CORE), 185330736a4dSMasami Hiramatsu /* 185430736a4dSMasami Hiramatsu * We must use the same mm->flags while dumping core to avoid 185530736a4dSMasami Hiramatsu * inconsistency of bit flags, since this flag is not protected 185630736a4dSMasami Hiramatsu * by any locks. 185730736a4dSMasami Hiramatsu */ 185830736a4dSMasami Hiramatsu .mm_flags = mm->flags, 1859f6151dfeSMasami Hiramatsu }; 18601da177e4SLinus Torvalds 18610a4ff8c2SSteve Grubb audit_core_dumps(signr); 18620a4ff8c2SSteve Grubb 1863801460d0SHiroshi Shimamoto binfmt = mm->binfmt; 18641da177e4SLinus Torvalds if (!binfmt || !binfmt->core_dump) 18651da177e4SLinus Torvalds goto fail; 1866269b005aSOleg Nesterov if (!__get_dumpable(cprm.mm_flags)) 1867269b005aSOleg Nesterov goto fail; 1868d84f4f99SDavid Howells 1869d84f4f99SDavid Howells cred = prepare_creds(); 18705e43aef5SOleg Nesterov if (!cred) 1871d84f4f99SDavid Howells goto fail; 1872d6e71144SAlan Cox /* 1873d6e71144SAlan Cox * We cannot trust fsuid as being the "true" uid of the 1874d6e71144SAlan Cox * process nor do we know its entire history. We only know it 1875d6e71144SAlan Cox * was tainted so we dump it as root in mode 2. 1876d6e71144SAlan Cox */ 187730736a4dSMasami Hiramatsu if (__get_dumpable(cprm.mm_flags) == 2) { 187830736a4dSMasami Hiramatsu /* Setuid core dump mode */ 1879d6e71144SAlan Cox flag = O_EXCL; /* Stop rewrite attacks */ 1880d84f4f99SDavid Howells cred->fsuid = 0; /* Dump root private */ 1881d6e71144SAlan Cox } 18821291cf41SOleg Nesterov 18839d5b327bSOleg Nesterov retval = coredump_wait(exit_code, &core_state); 18845e43aef5SOleg Nesterov if (retval < 0) 18855e43aef5SOleg Nesterov goto fail_creds; 1886d84f4f99SDavid Howells 1887d84f4f99SDavid Howells old_cred = override_creds(cred); 18881da177e4SLinus Torvalds 18891da177e4SLinus Torvalds /* 18901da177e4SLinus Torvalds * Clear any false indication of pending signals that might 18911da177e4SLinus Torvalds * be seen by the filesystem code called to write the core file. 18921da177e4SLinus Torvalds */ 18931da177e4SLinus Torvalds clear_thread_flag(TIF_SIGPENDING); 18941da177e4SLinus Torvalds 18951da177e4SLinus Torvalds /* 18961da177e4SLinus Torvalds * lock_kernel() because format_corename() is controlled by sysctl, which 18971da177e4SLinus Torvalds * uses lock_kernel() 18981da177e4SLinus Torvalds */ 18991da177e4SLinus Torvalds lock_kernel(); 19006409324bSOleg Nesterov ispipe = format_corename(corename, signr); 19011da177e4SLinus Torvalds unlock_kernel(); 1902725eae32SNeil Horman 1903c4bbafdaSAlan Cox if (ispipe) { 1904d5bf4c4fSOleg Nesterov int dump_count; 1905d5bf4c4fSOleg Nesterov char **helper_argv; 1906d5bf4c4fSOleg Nesterov 1907898b374aSNeil Horman if (cprm.limit == 1) { 1908725eae32SNeil Horman /* 1909725eae32SNeil Horman * Normally core limits are irrelevant to pipes, since 1910725eae32SNeil Horman * we're not writing to the file system, but we use 1911898b374aSNeil Horman * cprm.limit of 1 here as a speacial value. Any 1912898b374aSNeil Horman * non-1 limit gets set to RLIM_INFINITY below, but 1913725eae32SNeil Horman * a limit of 0 skips the dump. This is a consistent 1914725eae32SNeil Horman * way to catch recursive crashes. We can still crash 1915898b374aSNeil Horman * if the core_pattern binary sets RLIM_CORE = !1 1916725eae32SNeil Horman * but it runs as root, and can do lots of stupid things 1917725eae32SNeil Horman * Note that we use task_tgid_vnr here to grab the pid 1918725eae32SNeil Horman * of the process group leader. That way we get the 1919725eae32SNeil Horman * right pid if a thread in a multi-threaded 1920725eae32SNeil Horman * core_pattern process dies. 1921725eae32SNeil Horman */ 1922725eae32SNeil Horman printk(KERN_WARNING 1923898b374aSNeil Horman "Process %d(%s) has RLIMIT_CORE set to 1\n", 1924725eae32SNeil Horman task_tgid_vnr(current), current->comm); 1925725eae32SNeil Horman printk(KERN_WARNING "Aborting core\n"); 1926725eae32SNeil Horman goto fail_unlock; 1927725eae32SNeil Horman } 1928d5bf4c4fSOleg Nesterov cprm.limit = RLIM_INFINITY; 1929725eae32SNeil Horman 1930a293980cSNeil Horman dump_count = atomic_inc_return(&core_dump_count); 1931a293980cSNeil Horman if (core_pipe_limit && (core_pipe_limit < dump_count)) { 1932a293980cSNeil Horman printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", 1933a293980cSNeil Horman task_tgid_vnr(current), current->comm); 1934a293980cSNeil Horman printk(KERN_WARNING "Skipping core dump\n"); 1935a293980cSNeil Horman goto fail_dropcount; 1936a293980cSNeil Horman } 1937a293980cSNeil Horman 1938d5bf4c4fSOleg Nesterov helper_argv = argv_split(GFP_KERNEL, corename+1, NULL); 1939350eaf79STetsuo Handa if (!helper_argv) { 1940350eaf79STetsuo Handa printk(KERN_WARNING "%s failed to allocate memory\n", 1941350eaf79STetsuo Handa __func__); 1942a293980cSNeil Horman goto fail_dropcount; 1943350eaf79STetsuo Handa } 194432321137SNeil Horman 1945d5bf4c4fSOleg Nesterov retval = call_usermodehelper_fns(helper_argv[0], helper_argv, 1946d5bf4c4fSOleg Nesterov NULL, UMH_WAIT_EXEC, umh_pipe_setup, 1947d5bf4c4fSOleg Nesterov NULL, &cprm); 1948d5bf4c4fSOleg Nesterov argv_free(helper_argv); 1949d5bf4c4fSOleg Nesterov if (retval) { 1950d025c9dbSAndi Kleen printk(KERN_INFO "Core dump to %s pipe failed\n", 1951d025c9dbSAndi Kleen corename); 1952d5bf4c4fSOleg Nesterov goto close_fail; 1953d025c9dbSAndi Kleen } 1954c7135411SOleg Nesterov } else { 1955c7135411SOleg Nesterov struct inode *inode; 1956c7135411SOleg Nesterov 1957c7135411SOleg Nesterov if (cprm.limit < binfmt->min_coredump) 1958c7135411SOleg Nesterov goto fail_unlock; 1959c7135411SOleg Nesterov 1960f6151dfeSMasami Hiramatsu cprm.file = filp_open(corename, 19616d4df677SAlexey Dobriyan O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 19626d4df677SAlexey Dobriyan 0600); 1963f6151dfeSMasami Hiramatsu if (IS_ERR(cprm.file)) 1964c7135411SOleg Nesterov goto fail_unlock; 1965c7135411SOleg Nesterov 1966f6151dfeSMasami Hiramatsu inode = cprm.file->f_path.dentry->d_inode; 19671da177e4SLinus Torvalds if (inode->i_nlink > 1) 19681da177e4SLinus Torvalds goto close_fail; 1969c7135411SOleg Nesterov if (d_unhashed(cprm.file->f_path.dentry)) 1970c7135411SOleg Nesterov goto close_fail; 1971c7135411SOleg Nesterov /* 1972c7135411SOleg Nesterov * AK: actually i see no reason to not allow this for named 1973c7135411SOleg Nesterov * pipes etc, but keep the previous behaviour for now. 1974c7135411SOleg Nesterov */ 1975c7135411SOleg Nesterov if (!S_ISREG(inode->i_mode)) 19761da177e4SLinus Torvalds goto close_fail; 1977c46f739dSIngo Molnar /* 1978c46f739dSIngo Molnar * Dont allow local users get cute and trick others to coredump 1979c7135411SOleg Nesterov * into their pre-created files. 1980c46f739dSIngo Molnar */ 1981c7135411SOleg Nesterov if (inode->i_uid != current_fsuid()) 1982c46f739dSIngo Molnar goto close_fail; 1983c7135411SOleg Nesterov if (!cprm.file->f_op || !cprm.file->f_op->write) 19841da177e4SLinus Torvalds goto close_fail; 1985c7135411SOleg Nesterov if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file)) 19861da177e4SLinus Torvalds goto close_fail; 1987c7135411SOleg Nesterov } 19881da177e4SLinus Torvalds 1989f6151dfeSMasami Hiramatsu retval = binfmt->core_dump(&cprm); 19901da177e4SLinus Torvalds if (retval) 19911da177e4SLinus Torvalds current->signal->group_exit_code |= 0x80; 1992d5bf4c4fSOleg Nesterov 199361be228aSNeil Horman if (ispipe && core_pipe_limit) 1994f6151dfeSMasami Hiramatsu wait_for_dump_helpers(cprm.file); 1995d5bf4c4fSOleg Nesterov close_fail: 1996d5bf4c4fSOleg Nesterov if (cprm.file) 1997f6151dfeSMasami Hiramatsu filp_close(cprm.file, NULL); 1998a293980cSNeil Horman fail_dropcount: 1999d5bf4c4fSOleg Nesterov if (ispipe) 2000a293980cSNeil Horman atomic_dec(&core_dump_count); 20011da177e4SLinus Torvalds fail_unlock: 2002a94e2d40SOleg Nesterov coredump_finish(mm); 20035e43aef5SOleg Nesterov revert_creds(old_cred); 20045e43aef5SOleg Nesterov fail_creds: 20055e43aef5SOleg Nesterov put_cred(cred); 20061da177e4SLinus Torvalds fail: 20078cd3ac3aSWANG Cong return; 20081da177e4SLinus Torvalds } 2009