2019-05-19 06:08:20 -06:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
|
* linux/fs/binfmt_elf.c
|
|
|
|
|
*
|
|
|
|
|
* These are the functions used to load ELF format executables as used
|
|
|
|
|
* on SVr4 machines. Information on the format may be found in the book
|
|
|
|
|
* "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
|
|
|
|
|
* Tools".
|
|
|
|
|
*
|
|
|
|
|
* Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
|
#include <linux/mm.h>
|
|
|
|
|
#include <linux/mman.h>
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
|
#include <linux/signal.h>
|
|
|
|
|
#include <linux/binfmts.h>
|
|
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/file.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/personality.h>
|
|
|
|
|
#include <linux/elfcore.h>
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/highuid.h>
|
|
|
|
|
#include <linux/compiler.h>
|
|
|
|
|
#include <linux/highmem.h>
|
|
|
|
|
#include <linux/pagemap.h>
|
2012-10-04 18:15:36 -06:00
|
|
|
#include <linux/vmalloc.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/security.h>
|
|
|
|
|
#include <linux/random.h>
|
2006-06-23 03:05:35 -06:00
|
|
|
#include <linux/elf.h>
|
2015-04-14 16:48:07 -06:00
|
|
|
#include <linux/elf-randomize.h>
|
2007-05-08 01:28:59 -06:00
|
|
|
#include <linux/utsname.h>
|
2010-03-05 14:44:06 -07:00
|
|
|
#include <linux/coredump.h>
|
2012-11-13 06:20:55 -07:00
|
|
|
#include <linux/sched.h>
|
2017-02-08 10:51:30 -07:00
|
|
|
#include <linux/sched/coredump.h>
|
2017-02-08 10:51:37 -07:00
|
|
|
#include <linux/sched/task_stack.h>
|
2017-02-05 03:48:36 -07:00
|
|
|
#include <linux/sched/cputime.h>
|
2017-02-02 09:54:15 -07:00
|
|
|
#include <linux/cred.h>
|
2015-10-05 16:33:36 -06:00
|
|
|
#include <linux/dax.h>
|
2016-12-24 12:46:01 -07:00
|
|
|
#include <linux/uaccess.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <asm/param.h>
|
|
|
|
|
#include <asm/page.h>
|
|
|
|
|
|
2012-10-04 18:15:36 -06:00
|
|
|
#ifndef user_long_t
|
|
|
|
|
#define user_long_t long
|
|
|
|
|
#endif
|
2012-10-04 18:15:35 -06:00
|
|
|
#ifndef user_siginfo_t
|
|
|
|
|
#define user_siginfo_t siginfo_t
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-08-16 14:05:13 -06:00
|
|
|
/* That's for binfmt_elf_fdpic to deal with */
|
|
|
|
|
#ifndef elf_check_fdpic
|
|
|
|
|
#define elf_check_fdpic(ex) false
|
|
|
|
|
#endif
|
|
|
|
|
|
2012-10-20 20:00:48 -06:00
|
|
|
static int load_elf_binary(struct linux_binprm *bprm);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2014-04-03 15:48:27 -06:00
|
|
|
#ifdef CONFIG_USELIB
|
|
|
|
|
static int load_elf_library(struct file *);
|
|
|
|
|
#else
|
|
|
|
|
#define load_elf_library NULL
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
|
* If we don't support core dumping, then supply a NULL so we
|
|
|
|
|
* don't even try.
|
|
|
|
|
*/
|
2009-12-15 17:47:37 -07:00
|
|
|
#ifdef CONFIG_ELF_CORE
|
2009-12-17 16:27:16 -07:00
|
|
|
static int elf_core_dump(struct coredump_params *cprm);
|
2005-04-16 16:20:36 -06:00
|
|
|
#else
|
|
|
|
|
#define elf_core_dump NULL
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#if ELF_EXEC_PAGESIZE > PAGE_SIZE
|
2006-06-23 03:05:35 -06:00
|
|
|
#define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
|
2005-04-16 16:20:36 -06:00
|
|
|
#else
|
2006-06-23 03:05:35 -06:00
|
|
|
#define ELF_MIN_ALIGN PAGE_SIZE
|
2005-04-16 16:20:36 -06:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifndef ELF_CORE_EFLAGS
|
|
|
|
|
#define ELF_CORE_EFLAGS 0
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#define ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(ELF_MIN_ALIGN-1))
|
|
|
|
|
#define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
|
|
|
|
|
#define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
|
|
|
|
|
|
|
|
|
|
static struct linux_binfmt elf_format = {
|
2011-01-12 18:00:02 -07:00
|
|
|
.module = THIS_MODULE,
|
|
|
|
|
.load_binary = load_elf_binary,
|
|
|
|
|
.load_shlib = load_elf_library,
|
|
|
|
|
.core_dump = elf_core_dump,
|
|
|
|
|
.min_coredump = ELF_EXEC_PAGESIZE,
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
2007-07-21 05:37:32 -06:00
|
|
|
#define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
|
2005-04-16 16:20:36 -06:00
|
|
|
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
static int set_brk(unsigned long start, unsigned long end, int prot)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
start = ELF_PAGEALIGN(start);
|
|
|
|
|
end = ELF_PAGEALIGN(end);
|
|
|
|
|
if (end > start) {
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
/*
|
|
|
|
|
* Map the last of the bss segment.
|
|
|
|
|
* If the header is requesting these pages to be
|
|
|
|
|
* executable, honour that (ppc32 needs this).
|
|
|
|
|
*/
|
|
|
|
|
int error = vm_brk_flags(start, end - start,
|
|
|
|
|
prot & PROT_EXEC ? VM_EXEC : 0);
|
2016-05-27 16:57:31 -06:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
current->mm->start_brk = current->mm->brk = end;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* We need to explicitly zero any fractional pages
|
|
|
|
|
after the data section (i.e. bss). This would
|
|
|
|
|
contain the junk from the file that should not
|
2006-06-23 03:05:35 -06:00
|
|
|
be in memory
|
|
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
static int padzero(unsigned long elf_bss)
|
|
|
|
|
{
|
|
|
|
|
unsigned long nbyte;
|
|
|
|
|
|
|
|
|
|
nbyte = ELF_PAGEOFFSET(elf_bss);
|
|
|
|
|
if (nbyte) {
|
|
|
|
|
nbyte = ELF_MIN_ALIGN - nbyte;
|
|
|
|
|
if (clear_user((void __user *) elf_bss, nbyte))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-03 09:05:15 -07:00
|
|
|
/* Let's use some macros to make this stack manipulation a little clearer */
|
2005-04-16 16:20:36 -06:00
|
|
|
#ifdef CONFIG_STACK_GROWSUP
|
|
|
|
|
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
|
|
|
|
|
#define STACK_ROUND(sp, items) \
|
|
|
|
|
((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
|
2006-06-23 03:05:35 -06:00
|
|
|
#define STACK_ALLOC(sp, len) ({ \
|
|
|
|
|
elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
|
|
|
|
|
old_sp; })
|
2005-04-16 16:20:36 -06:00
|
|
|
#else
|
|
|
|
|
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
|
|
|
|
|
#define STACK_ROUND(sp, items) \
|
|
|
|
|
(((unsigned long) (sp - items)) &~ 15UL)
|
|
|
|
|
#define STACK_ALLOC(sp, len) ({ sp -= len ; sp; })
|
|
|
|
|
#endif
|
|
|
|
|
|
ELF loader support for auxvec base platform string
Some IBM POWER-based platforms have the ability to run in a
mode which mostly appears to the OS as a different processor from the
actual hardware. For example, a Power6 system may appear to be a
Power5+, which makes the AT_PLATFORM value "power5+". This means that
programs are restricted to the ISA supported by Power5+;
Power6-specific instructions are treated as illegal.
However, some applications (virtual machines, optimized libraries) can
benefit from knowledge of the underlying CPU model. A new aux vector
entry, AT_BASE_PLATFORM, will denote the actual hardware. For
example, on a Power6 system in Power5+ compatibility mode, AT_PLATFORM
will be "power5+" and AT_BASE_PLATFORM will be "power6". The idea is
that AT_PLATFORM indicates the instruction set supported, while
AT_BASE_PLATFORM indicates the underlying microarchitecture.
If the architecture has defined ELF_BASE_PLATFORM, copy that value to
the user stack in the same manner as ELF_PLATFORM.
Signed-off-by: Nathan Lynch <ntl@pobox.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2008-07-21 12:48:46 -06:00
|
|
|
#ifndef ELF_BASE_PLATFORM
|
|
|
|
|
/*
|
|
|
|
|
* AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
|
|
|
|
|
* If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
|
|
|
|
|
* will be copied to the user stack in the same manner as AT_PLATFORM.
|
|
|
|
|
*/
|
|
|
|
|
#define ELF_BASE_PLATFORM NULL
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
static int
|
2006-06-23 03:05:35 -06:00
|
|
|
create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
|
2008-02-08 05:21:54 -07:00
|
|
|
unsigned long load_addr, unsigned long interp_load_addr)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
unsigned long p = bprm->p;
|
|
|
|
|
int argc = bprm->argc;
|
|
|
|
|
int envc = bprm->envc;
|
|
|
|
|
elf_addr_t __user *sp;
|
|
|
|
|
elf_addr_t __user *u_platform;
|
ELF loader support for auxvec base platform string
Some IBM POWER-based platforms have the ability to run in a
mode which mostly appears to the OS as a different processor from the
actual hardware. For example, a Power6 system may appear to be a
Power5+, which makes the AT_PLATFORM value "power5+". This means that
programs are restricted to the ISA supported by Power5+;
Power6-specific instructions are treated as illegal.
However, some applications (virtual machines, optimized libraries) can
benefit from knowledge of the underlying CPU model. A new aux vector
entry, AT_BASE_PLATFORM, will denote the actual hardware. For
example, on a Power6 system in Power5+ compatibility mode, AT_PLATFORM
will be "power5+" and AT_BASE_PLATFORM will be "power6". The idea is
that AT_PLATFORM indicates the instruction set supported, while
AT_BASE_PLATFORM indicates the underlying microarchitecture.
If the architecture has defined ELF_BASE_PLATFORM, copy that value to
the user stack in the same manner as ELF_PLATFORM.
Signed-off-by: Nathan Lynch <ntl@pobox.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2008-07-21 12:48:46 -06:00
|
|
|
elf_addr_t __user *u_base_platform;
|
2009-01-07 19:08:52 -07:00
|
|
|
elf_addr_t __user *u_rand_bytes;
|
2005-04-16 16:20:36 -06:00
|
|
|
const char *k_platform = ELF_PLATFORM;
|
ELF loader support for auxvec base platform string
Some IBM POWER-based platforms have the ability to run in a
mode which mostly appears to the OS as a different processor from the
actual hardware. For example, a Power6 system may appear to be a
Power5+, which makes the AT_PLATFORM value "power5+". This means that
programs are restricted to the ISA supported by Power5+;
Power6-specific instructions are treated as illegal.
However, some applications (virtual machines, optimized libraries) can
benefit from knowledge of the underlying CPU model. A new aux vector
entry, AT_BASE_PLATFORM, will denote the actual hardware. For
example, on a Power6 system in Power5+ compatibility mode, AT_PLATFORM
will be "power5+" and AT_BASE_PLATFORM will be "power6". The idea is
that AT_PLATFORM indicates the instruction set supported, while
AT_BASE_PLATFORM indicates the underlying microarchitecture.
If the architecture has defined ELF_BASE_PLATFORM, copy that value to
the user stack in the same manner as ELF_PLATFORM.
Signed-off-by: Nathan Lynch <ntl@pobox.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2008-07-21 12:48:46 -06:00
|
|
|
const char *k_base_platform = ELF_BASE_PLATFORM;
|
2009-01-07 19:08:52 -07:00
|
|
|
unsigned char k_rand_bytes[16];
|
2005-04-16 16:20:36 -06:00
|
|
|
int items;
|
|
|
|
|
elf_addr_t *elf_info;
|
|
|
|
|
int ei_index = 0;
|
2008-11-13 16:39:18 -07:00
|
|
|
const struct cred *cred = current_cred();
|
2007-07-19 02:48:16 -06:00
|
|
|
struct vm_area_struct *vma;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2007-10-17 00:30:24 -06:00
|
|
|
/*
|
|
|
|
|
* In some cases (e.g. Hyper-Threading), we want to avoid L1
|
|
|
|
|
* evictions by the processes running on the same package. One
|
|
|
|
|
* thing we can do is to shuffle the initial stack for them.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
p = arch_align_stack(p);
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
|
* If this architecture has a platform capability string, copy it
|
|
|
|
|
* to userspace. In some cases (Sparc), this info is impossible
|
|
|
|
|
* for userspace to get any other way, in others (i386) it is
|
|
|
|
|
* merely difficult.
|
|
|
|
|
*/
|
|
|
|
|
u_platform = NULL;
|
|
|
|
|
if (k_platform) {
|
|
|
|
|
size_t len = strlen(k_platform) + 1;
|
|
|
|
|
|
|
|
|
|
u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
|
|
|
|
|
if (__copy_to_user(u_platform, k_platform, len))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
ELF loader support for auxvec base platform string
Some IBM POWER-based platforms have the ability to run in a
mode which mostly appears to the OS as a different processor from the
actual hardware. For example, a Power6 system may appear to be a
Power5+, which makes the AT_PLATFORM value "power5+". This means that
programs are restricted to the ISA supported by Power5+;
Power6-specific instructions are treated as illegal.
However, some applications (virtual machines, optimized libraries) can
benefit from knowledge of the underlying CPU model. A new aux vector
entry, AT_BASE_PLATFORM, will denote the actual hardware. For
example, on a Power6 system in Power5+ compatibility mode, AT_PLATFORM
will be "power5+" and AT_BASE_PLATFORM will be "power6". The idea is
that AT_PLATFORM indicates the instruction set supported, while
AT_BASE_PLATFORM indicates the underlying microarchitecture.
If the architecture has defined ELF_BASE_PLATFORM, copy that value to
the user stack in the same manner as ELF_PLATFORM.
Signed-off-by: Nathan Lynch <ntl@pobox.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2008-07-21 12:48:46 -06:00
|
|
|
/*
|
|
|
|
|
* If this architecture has a "base" platform capability
|
|
|
|
|
* string, copy it to userspace.
|
|
|
|
|
*/
|
|
|
|
|
u_base_platform = NULL;
|
|
|
|
|
if (k_base_platform) {
|
|
|
|
|
size_t len = strlen(k_base_platform) + 1;
|
|
|
|
|
|
|
|
|
|
u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
|
|
|
|
|
if (__copy_to_user(u_base_platform, k_base_platform, len))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-07 19:08:52 -07:00
|
|
|
/*
|
|
|
|
|
* Generate 16 random bytes for userspace PRNG seeding.
|
|
|
|
|
*/
|
|
|
|
|
get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
|
|
|
|
|
u_rand_bytes = (elf_addr_t __user *)
|
|
|
|
|
STACK_ALLOC(p, sizeof(k_rand_bytes));
|
|
|
|
|
if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Create the ELF interpreter info */
|
2006-06-23 03:05:35 -06:00
|
|
|
elf_info = (elf_addr_t *)current->mm->saved_auxv;
|
2007-10-17 00:30:12 -06:00
|
|
|
/* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
|
2005-04-16 16:20:36 -06:00
|
|
|
#define NEW_AUX_ENT(id, val) \
|
2006-06-23 03:05:35 -06:00
|
|
|
do { \
|
2006-06-23 03:05:35 -06:00
|
|
|
elf_info[ei_index++] = id; \
|
|
|
|
|
elf_info[ei_index++] = val; \
|
2006-06-23 03:05:35 -06:00
|
|
|
} while (0)
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
#ifdef ARCH_DLINFO
|
|
|
|
|
/*
|
|
|
|
|
* ARCH_DLINFO must come first so PPC can do its special alignment of
|
|
|
|
|
* AUXV.
|
2007-10-17 00:30:12 -06:00
|
|
|
* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
|
|
|
|
|
* ARCH_DLINFO changes
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
|
|
|
|
ARCH_DLINFO;
|
|
|
|
|
#endif
|
|
|
|
|
NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
|
|
|
|
|
NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
|
|
|
|
|
NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
|
|
|
|
|
NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff);
|
2006-06-23 03:05:35 -06:00
|
|
|
NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
|
2005-04-16 16:20:36 -06:00
|
|
|
NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
|
|
|
|
|
NEW_AUX_ENT(AT_BASE, interp_load_addr);
|
|
|
|
|
NEW_AUX_ENT(AT_FLAGS, 0);
|
|
|
|
|
NEW_AUX_ENT(AT_ENTRY, exec->e_entry);
|
2012-02-07 19:36:10 -07:00
|
|
|
NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
|
|
|
|
|
NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
|
|
|
|
|
NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
|
|
|
|
|
NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
|
binfmt: Introduce secureexec flag
The bprm_secureexec hook can be moved earlier. Right now, it is called
during create_elf_tables(), via load_binary(), via search_binary_handler(),
via exec_binprm(). Nearly all (see exception below) state used by
bprm_secureexec is created during the bprm_set_creds hook, called from
prepare_binprm().
For all LSMs (except commoncaps described next), only the first execution
of bprm_set_creds takes any effect (they all check bprm->called_set_creds
which prepare_binprm() sets after the first call to the bprm_set_creds
hook). However, all these LSMs also only do anything with bprm_secureexec
when they detected a secure state during their first run of bprm_set_creds.
Therefore, it is functionally identical to move the detection into
bprm_set_creds, since the results from secureexec here only need to be
based on the first call to the LSM's bprm_set_creds hook.
The single exception is that the commoncaps secureexec hook also examines
euid/uid and egid/gid differences which are controlled by bprm_fill_uid(),
via prepare_binprm(), which can be called multiple times (e.g.
binfmt_script, binfmt_misc), and may clear the euid/egid for the final
load (i.e. the script interpreter). However, while commoncaps specifically
ignores bprm->cred_prepared, and runs its bprm_set_creds hook each time
prepare_binprm() may get called, it needs to base the secureexec decision
on the final call to bprm_set_creds. As a result, it will need special
handling.
To begin this refactoring, this adds the secureexec flag to the bprm
struct, and calls the secureexec hook during setup_new_exec(). This is
safe since all the cred work is finished (and past the point of no return).
This explicit call will be removed in later patches once the hook has been
removed.
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-07-18 16:25:22 -06:00
|
|
|
NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
|
2009-01-07 19:08:52 -07:00
|
|
|
NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
|
2013-04-17 11:33:11 -06:00
|
|
|
#ifdef ELF_HWCAP2
|
|
|
|
|
NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
|
|
|
|
|
#endif
|
execve filename: document and export via auxiliary vector
The Linux kernel puts the filename argument of execve() into the new
address space. Many developers are surprised to learn this. Those who
know and could use it, object "But it's not documented."
Those who want to use it dislike the expression
(char *)(1+ strlen(env[-1+ n_env]) + env[-1+ n_env])
because it requires locating the last original environment variable,
and assumes that the filename follows the characters.
This patch documents the insertion of the filename, and makes it easier
to find by adding a new tag AT_EXECFN in the ElfXX_auxv_t; see <elf.h>.
In many cases readlink("/proc/self/exe",) gives the same answer. But if
all the original pages get unmapped, then the kernel erases the symlink
for /proc/self/exe. This can happen when a program decompressor does a
good job of cleaning up after uncompressing directly to memory, so that
the address space of the target program looks the same as if compression
had never happened. One example is http://upx.sourceforge.net .
One notable use of the underlying concept (what path containED the
executable) is glibc expanding $ORIGIN in DT_RUNPATH. In practice for
the near term, it may be a good idea for user-mode code to use both
/proc/self/exe and AT_EXECFN as fall-back methods for each other.
/proc/self/exe can fail due to unmapping, AT_EXECFN can fail because it
won't be present on non-new systems. The auxvec or {AT_EXECFN}.d_val
also can get overwritten, although in nearly all cases this would be the
result of a bug.
The runtime cost is one NEW_AUX_ENT using two words of stack space. The
underlying value is maintained already as bprm->exec; setup_arg_pages()
in fs/exec.c slides it for stack_shift, etc.
Signed-off-by: John Reiser <jreiser@BitWagon.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-07-21 15:21:32 -06:00
|
|
|
NEW_AUX_ENT(AT_EXECFN, bprm->exec);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (k_platform) {
|
2006-06-23 03:05:35 -06:00
|
|
|
NEW_AUX_ENT(AT_PLATFORM,
|
2006-06-23 03:05:35 -06:00
|
|
|
(elf_addr_t)(unsigned long)u_platform);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
ELF loader support for auxvec base platform string
Some IBM POWER-based platforms have the ability to run in a
mode which mostly appears to the OS as a different processor from the
actual hardware. For example, a Power6 system may appear to be a
Power5+, which makes the AT_PLATFORM value "power5+". This means that
programs are restricted to the ISA supported by Power5+;
Power6-specific instructions are treated as illegal.
However, some applications (virtual machines, optimized libraries) can
benefit from knowledge of the underlying CPU model. A new aux vector
entry, AT_BASE_PLATFORM, will denote the actual hardware. For
example, on a Power6 system in Power5+ compatibility mode, AT_PLATFORM
will be "power5+" and AT_BASE_PLATFORM will be "power6". The idea is
that AT_PLATFORM indicates the instruction set supported, while
AT_BASE_PLATFORM indicates the underlying microarchitecture.
If the architecture has defined ELF_BASE_PLATFORM, copy that value to
the user stack in the same manner as ELF_PLATFORM.
Signed-off-by: Nathan Lynch <ntl@pobox.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2008-07-21 12:48:46 -06:00
|
|
|
if (k_base_platform) {
|
|
|
|
|
NEW_AUX_ENT(AT_BASE_PLATFORM,
|
|
|
|
|
(elf_addr_t)(unsigned long)u_base_platform);
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
if (bprm->interp_flags & BINPRM_FLAGS_EXECFD) {
|
2006-06-23 03:05:35 -06:00
|
|
|
NEW_AUX_ENT(AT_EXECFD, bprm->interp_data);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
#undef NEW_AUX_ENT
|
|
|
|
|
/* AT_NULL is zero; clear the rest too */
|
|
|
|
|
memset(&elf_info[ei_index], 0,
|
|
|
|
|
sizeof current->mm->saved_auxv - ei_index * sizeof elf_info[0]);
|
|
|
|
|
|
|
|
|
|
/* And advance past the AT_NULL entry. */
|
|
|
|
|
ei_index += 2;
|
|
|
|
|
|
|
|
|
|
sp = STACK_ADD(p, ei_index);
|
|
|
|
|
|
2008-02-08 05:21:54 -07:00
|
|
|
items = (argc + 1) + (envc + 1) + 1;
|
2005-04-16 16:20:36 -06:00
|
|
|
bprm->p = STACK_ROUND(sp, items);
|
|
|
|
|
|
|
|
|
|
/* Point sp at the lowest address on the stack */
|
|
|
|
|
#ifdef CONFIG_STACK_GROWSUP
|
|
|
|
|
sp = (elf_addr_t __user *)bprm->p - items - ei_index;
|
2006-06-23 03:05:35 -06:00
|
|
|
bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
|
2005-04-16 16:20:36 -06:00
|
|
|
#else
|
|
|
|
|
sp = (elf_addr_t __user *)bprm->p;
|
|
|
|
|
#endif
|
|
|
|
|
|
2007-07-19 02:48:16 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Grow the stack manually; some architectures have a limit on how
|
|
|
|
|
* far ahead a user-space access may be in order to grow the stack.
|
|
|
|
|
*/
|
|
|
|
|
vma = find_extend_vma(current->mm, bprm->p);
|
|
|
|
|
if (!vma)
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Now, let's put argc (and argv, envp if appropriate) on the stack */
|
|
|
|
|
if (__put_user(argc, sp++))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
2017-07-10 16:52:54 -06:00
|
|
|
/* Populate list of argv pointers back to argv strings. */
|
2005-05-11 01:10:44 -06:00
|
|
|
p = current->mm->arg_end = current->mm->arg_start;
|
2005-04-16 16:20:36 -06:00
|
|
|
while (argc-- > 0) {
|
|
|
|
|
size_t len;
|
2017-07-10 16:52:54 -06:00
|
|
|
if (__put_user((elf_addr_t)p, sp++))
|
2006-12-06 21:36:35 -07:00
|
|
|
return -EFAULT;
|
2007-07-19 02:48:16 -06:00
|
|
|
len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
|
|
|
|
|
if (!len || len > MAX_ARG_STRLEN)
|
2008-05-08 07:52:33 -06:00
|
|
|
return -EINVAL;
|
2005-04-16 16:20:36 -06:00
|
|
|
p += len;
|
|
|
|
|
}
|
2017-07-10 16:52:54 -06:00
|
|
|
if (__put_user(0, sp++))
|
2005-04-16 16:20:36 -06:00
|
|
|
return -EFAULT;
|
2017-07-10 16:52:54 -06:00
|
|
|
current->mm->arg_end = p;
|
|
|
|
|
|
|
|
|
|
/* Populate list of envp pointers back to envp strings. */
|
|
|
|
|
current->mm->env_end = current->mm->env_start = p;
|
2005-04-16 16:20:36 -06:00
|
|
|
while (envc-- > 0) {
|
|
|
|
|
size_t len;
|
2017-07-10 16:52:54 -06:00
|
|
|
if (__put_user((elf_addr_t)p, sp++))
|
2006-12-06 21:36:35 -07:00
|
|
|
return -EFAULT;
|
2007-07-19 02:48:16 -06:00
|
|
|
len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
|
|
|
|
|
if (!len || len > MAX_ARG_STRLEN)
|
2008-05-08 07:52:33 -06:00
|
|
|
return -EINVAL;
|
2005-04-16 16:20:36 -06:00
|
|
|
p += len;
|
|
|
|
|
}
|
2017-07-10 16:52:54 -06:00
|
|
|
if (__put_user(0, sp++))
|
2005-04-16 16:20:36 -06:00
|
|
|
return -EFAULT;
|
|
|
|
|
current->mm->env_end = p;
|
|
|
|
|
|
|
|
|
|
/* Put the elf_info on the stack in the right place. */
|
|
|
|
|
if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-09 03:58:40 -06:00
|
|
|
#ifndef elf_map
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
static unsigned long elf_map(struct file *filep, unsigned long addr,
|
2019-03-07 17:29:03 -07:00
|
|
|
const struct elf_phdr *eppnt, int prot, int type,
|
2008-01-30 05:31:07 -07:00
|
|
|
unsigned long total_size)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
unsigned long map_addr;
|
2008-01-30 05:31:07 -07:00
|
|
|
unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
|
|
|
|
|
unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
|
|
|
|
|
addr = ELF_PAGESTART(addr);
|
|
|
|
|
size = ELF_PAGEALIGN(size);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2006-01-08 02:03:35 -07:00
|
|
|
/* mmap() will return -EINVAL if given a zero size, but a
|
|
|
|
|
* segment with zero filesize is perfectly valid */
|
2008-01-30 05:31:07 -07:00
|
|
|
if (!size)
|
|
|
|
|
return addr;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* total_size is the size of the ELF (interpreter) image.
|
|
|
|
|
* The _first_ mmap needs to know the full size, otherwise
|
|
|
|
|
* randomization might put this image into an overlapping
|
|
|
|
|
* position with the ELF binary image. (since size < total_size)
|
|
|
|
|
* So we first map the 'big' image - and unmap the remainder at
|
|
|
|
|
* the end. (which unmap is needed for ELF images with holes.)
|
|
|
|
|
*/
|
|
|
|
|
if (total_size) {
|
|
|
|
|
total_size = ELF_PAGEALIGN(total_size);
|
2012-05-29 23:49:38 -06:00
|
|
|
map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
|
2008-01-30 05:31:07 -07:00
|
|
|
if (!BAD_ADDR(map_addr))
|
2012-05-29 23:49:38 -06:00
|
|
|
vm_munmap(map_addr+size, total_size-size);
|
2008-01-30 05:31:07 -07:00
|
|
|
} else
|
2012-05-29 23:49:38 -06:00
|
|
|
map_addr = vm_mmap(filep, addr, size, prot, type, off);
|
2008-01-30 05:31:07 -07:00
|
|
|
|
2018-04-20 15:56:13 -06:00
|
|
|
if ((type & MAP_FIXED_NOREPLACE) &&
|
|
|
|
|
PTR_ERR((void *)map_addr) == -EEXIST)
|
|
|
|
|
pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
|
|
|
|
|
task_pid_nr(current), current->comm, (void *)addr);
|
2018-04-10 17:36:01 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
return(map_addr);
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-09 03:58:40 -06:00
|
|
|
#endif /* !elf_map */
|
|
|
|
|
|
2019-03-07 17:29:03 -07:00
|
|
|
static unsigned long total_mapping_size(const struct elf_phdr *cmds, int nr)
|
2008-01-30 05:31:07 -07:00
|
|
|
{
|
|
|
|
|
int i, first_idx = -1, last_idx = -1;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < nr; i++) {
|
|
|
|
|
if (cmds[i].p_type == PT_LOAD) {
|
|
|
|
|
last_idx = i;
|
|
|
|
|
if (first_idx == -1)
|
|
|
|
|
first_idx = i;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (first_idx == -1)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return cmds[last_idx].p_vaddr + cmds[last_idx].p_memsz -
|
|
|
|
|
ELF_PAGESTART(cmds[first_idx].p_vaddr);
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-11 01:30:14 -06:00
|
|
|
/**
|
|
|
|
|
* load_elf_phdrs() - load ELF program headers
|
|
|
|
|
* @elf_ex: ELF header of the binary whose program headers should be loaded
|
|
|
|
|
* @elf_file: the opened ELF binary file
|
|
|
|
|
*
|
|
|
|
|
* Loads ELF program headers from the binary file elf_file, which has the ELF
|
|
|
|
|
* header pointed to by elf_ex, into a newly allocated array. The caller is
|
|
|
|
|
* responsible for freeing the allocated data. Returns an ERR_PTR upon failure.
|
|
|
|
|
*/
|
2019-03-07 17:29:03 -07:00
|
|
|
static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
|
2014-09-11 01:30:14 -06:00
|
|
|
struct file *elf_file)
|
|
|
|
|
{
|
|
|
|
|
struct elf_phdr *elf_phdata = NULL;
|
2019-03-07 17:28:56 -07:00
|
|
|
int retval, err = -1;
|
2017-09-01 09:39:13 -06:00
|
|
|
loff_t pos = elf_ex->e_phoff;
|
2019-03-07 17:28:56 -07:00
|
|
|
unsigned int size;
|
2014-09-11 01:30:14 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If the size of this structure has changed, then punt, since
|
|
|
|
|
* we will be doing the wrong thing.
|
|
|
|
|
*/
|
|
|
|
|
if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/* Sanity check the number of program headers... */
|
|
|
|
|
/* ...and their total size. */
|
|
|
|
|
size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
|
2019-03-07 17:28:56 -07:00
|
|
|
if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
|
2014-09-11 01:30:14 -06:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
elf_phdata = kmalloc(size, GFP_KERNEL);
|
|
|
|
|
if (!elf_phdata)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/* Read in the program headers */
|
2017-09-01 09:39:13 -06:00
|
|
|
retval = kernel_read(elf_file, elf_phdata, size, &pos);
|
2014-09-11 01:30:14 -06:00
|
|
|
if (retval != size) {
|
|
|
|
|
err = (retval < 0) ? retval : -EIO;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Success! */
|
|
|
|
|
err = 0;
|
|
|
|
|
out:
|
|
|
|
|
if (err) {
|
|
|
|
|
kfree(elf_phdata);
|
|
|
|
|
elf_phdata = NULL;
|
|
|
|
|
}
|
|
|
|
|
return elf_phdata;
|
|
|
|
|
}
|
2008-01-30 05:31:07 -07:00
|
|
|
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
#ifndef CONFIG_ARCH_BINFMT_ELF_STATE
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* struct arch_elf_state - arch-specific ELF loading state
|
|
|
|
|
*
|
|
|
|
|
* This structure is used to preserve architecture specific data during
|
|
|
|
|
* the loading of an ELF file, throughout the checking of architecture
|
|
|
|
|
* specific ELF headers & through to the point where the ELF load is
|
|
|
|
|
* known to be proceeding (ie. SET_PERSONALITY).
|
|
|
|
|
*
|
|
|
|
|
* This implementation is a dummy for architectures which require no
|
|
|
|
|
* specific state.
|
|
|
|
|
*/
|
|
|
|
|
struct arch_elf_state {
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#define INIT_ARCH_ELF_STATE {}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
|
|
|
|
|
* @ehdr: The main ELF header
|
|
|
|
|
* @phdr: The program header to check
|
|
|
|
|
* @elf: The open ELF file
|
|
|
|
|
* @is_interp: True if the phdr is from the interpreter of the ELF being
|
|
|
|
|
* loaded, else false.
|
|
|
|
|
* @state: Architecture-specific state preserved throughout the process
|
|
|
|
|
* of loading the ELF.
|
|
|
|
|
*
|
|
|
|
|
* Inspects the program header phdr to validate its correctness and/or
|
|
|
|
|
* suitability for the system. Called once per ELF program header in the
|
|
|
|
|
* range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
|
|
|
|
|
* interpreter.
|
|
|
|
|
*
|
|
|
|
|
* Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
|
|
|
|
|
* with that return code.
|
|
|
|
|
*/
|
|
|
|
|
static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
|
|
|
|
|
struct elf_phdr *phdr,
|
|
|
|
|
struct file *elf, bool is_interp,
|
|
|
|
|
struct arch_elf_state *state)
|
|
|
|
|
{
|
|
|
|
|
/* Dummy implementation, always proceed */
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2015-10-26 09:47:57 -06:00
|
|
|
* arch_check_elf() - check an ELF executable
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
* @ehdr: The main ELF header
|
|
|
|
|
* @has_interp: True if the ELF has an interpreter, else false.
|
2015-11-12 17:47:48 -07:00
|
|
|
* @interp_ehdr: The interpreter's ELF header
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
* @state: Architecture-specific state preserved throughout the process
|
|
|
|
|
* of loading the ELF.
|
|
|
|
|
*
|
|
|
|
|
* Provides a final opportunity for architecture code to reject the loading
|
|
|
|
|
* of the ELF & cause an exec syscall to return an error. This is called after
|
|
|
|
|
* all program headers to be checked by arch_elf_pt_proc have been.
|
|
|
|
|
*
|
|
|
|
|
* Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
|
|
|
|
|
* with that return code.
|
|
|
|
|
*/
|
|
|
|
|
static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
|
2015-11-12 17:47:48 -07:00
|
|
|
struct elfhdr *interp_ehdr,
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
struct arch_elf_state *state)
|
|
|
|
|
{
|
|
|
|
|
/* Dummy implementation, always proceed */
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
|
2008-01-30 05:31:07 -07:00
|
|
|
|
2019-05-14 16:43:51 -06:00
|
|
|
static inline int make_prot(u32 p_flags)
|
|
|
|
|
{
|
|
|
|
|
int prot = 0;
|
|
|
|
|
|
|
|
|
|
if (p_flags & PF_R)
|
|
|
|
|
prot |= PROT_READ;
|
|
|
|
|
if (p_flags & PF_W)
|
|
|
|
|
prot |= PROT_WRITE;
|
|
|
|
|
if (p_flags & PF_X)
|
|
|
|
|
prot |= PROT_EXEC;
|
|
|
|
|
return prot;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* This is much more generalized than the library routine read function,
|
|
|
|
|
so we keep this separate. Technically the library read function
|
|
|
|
|
is only provided so that we can read a.out libraries that have
|
|
|
|
|
an ELF header */
|
|
|
|
|
|
2006-06-23 03:05:35 -06:00
|
|
|
static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
|
2008-01-30 05:31:07 -07:00
|
|
|
struct file *interpreter, unsigned long *interp_map_addr,
|
2014-09-11 01:30:15 -06:00
|
|
|
unsigned long no_base, struct elf_phdr *interp_elf_phdata)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
struct elf_phdr *eppnt;
|
|
|
|
|
unsigned long load_addr = 0;
|
|
|
|
|
int load_addr_set = 0;
|
|
|
|
|
unsigned long last_bss = 0, elf_bss = 0;
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
int bss_prot = 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long error = ~0UL;
|
2008-01-30 05:31:07 -07:00
|
|
|
unsigned long total_size;
|
2014-09-11 01:30:14 -06:00
|
|
|
int i;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* First of all, some simple consistency checks */
|
|
|
|
|
if (interp_elf_ex->e_type != ET_EXEC &&
|
|
|
|
|
interp_elf_ex->e_type != ET_DYN)
|
|
|
|
|
goto out;
|
2017-08-16 14:05:13 -06:00
|
|
|
if (!elf_check_arch(interp_elf_ex) ||
|
|
|
|
|
elf_check_fdpic(interp_elf_ex))
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out;
|
2013-09-22 14:27:52 -06:00
|
|
|
if (!interpreter->f_op->mmap)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out;
|
|
|
|
|
|
2014-09-11 01:30:15 -06:00
|
|
|
total_size = total_mapping_size(interp_elf_phdata,
|
|
|
|
|
interp_elf_ex->e_phnum);
|
2008-01-30 05:31:07 -07:00
|
|
|
if (!total_size) {
|
|
|
|
|
error = -EINVAL;
|
2014-09-11 01:30:15 -06:00
|
|
|
goto out;
|
2008-01-30 05:31:07 -07:00
|
|
|
}
|
|
|
|
|
|
2014-09-11 01:30:15 -06:00
|
|
|
eppnt = interp_elf_phdata;
|
2006-06-23 03:05:35 -06:00
|
|
|
for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
|
|
|
|
|
if (eppnt->p_type == PT_LOAD) {
|
|
|
|
|
int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
|
2019-05-14 16:43:51 -06:00
|
|
|
int elf_prot = make_prot(eppnt->p_flags);
|
2006-06-23 03:05:35 -06:00
|
|
|
unsigned long vaddr = 0;
|
|
|
|
|
unsigned long k, map_addr;
|
|
|
|
|
|
|
|
|
|
vaddr = eppnt->p_vaddr;
|
|
|
|
|
if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
|
2018-04-10 17:36:01 -06:00
|
|
|
elf_type |= MAP_FIXED_NOREPLACE;
|
2008-01-30 05:31:07 -07:00
|
|
|
else if (no_base && interp_elf_ex->e_type == ET_DYN)
|
|
|
|
|
load_addr = -vaddr;
|
2006-06-23 03:05:35 -06:00
|
|
|
|
|
|
|
|
map_addr = elf_map(interpreter, load_addr + vaddr,
|
x86: PIE executable randomization, checkpatch fixes
#39: FILE: arch/ia64/ia32/binfmt_elf32.c:229:
+elf32_map (struct file *filep, unsigned long addr, struct elf_phdr *eppnt, int prot, int type, unsigned long unused)
WARNING: no space between function name and open parenthesis '('
#39: FILE: arch/ia64/ia32/binfmt_elf32.c:229:
+elf32_map (struct file *filep, unsigned long addr, struct elf_phdr *eppnt, int prot, int type, unsigned long unused)
WARNING: line over 80 characters
#67: FILE: arch/x86/kernel/sys_x86_64.c:80:
+ new_begin = randomize_range(*begin, *begin + 0x02000000, 0);
ERROR: use tabs not spaces
#110: FILE: arch/x86/kernel/sys_x86_64.c:185:
+ ^I mm->cached_hole_size = 0;$
ERROR: use tabs not spaces
#111: FILE: arch/x86/kernel/sys_x86_64.c:186:
+ ^I^Imm->free_area_cache = mm->mmap_base;$
ERROR: use tabs not spaces
#112: FILE: arch/x86/kernel/sys_x86_64.c:187:
+ ^I}$
ERROR: use tabs not spaces
#141: FILE: arch/x86/kernel/sys_x86_64.c:216:
+ ^I^I/* remember the largest hole we saw so far */$
ERROR: use tabs not spaces
#142: FILE: arch/x86/kernel/sys_x86_64.c:217:
+ ^I^Iif (addr + mm->cached_hole_size < vma->vm_start)$
ERROR: use tabs not spaces
#143: FILE: arch/x86/kernel/sys_x86_64.c:218:
+ ^I^I mm->cached_hole_size = vma->vm_start - addr;$
ERROR: use tabs not spaces
#157: FILE: arch/x86/kernel/sys_x86_64.c:232:
+ ^Imm->free_area_cache = TASK_UNMAPPED_BASE;$
ERROR: need a space before the open parenthesis '('
#291: FILE: arch/x86/mm/mmap_64.c:101:
+ } else if(mmap_is_legacy()) {
WARNING: braces {} are not necessary for single statement blocks
#302: FILE: arch/x86/mm/mmap_64.c:112:
+ if (current->flags & PF_RANDOMIZE) {
+ mm->mmap_base += ((long)rnd) << PAGE_SHIFT;
+ }
WARNING: line over 80 characters
#314: FILE: fs/binfmt_elf.c:48:
+static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int, unsigned long);
WARNING: no space between function name and open parenthesis '('
#314: FILE: fs/binfmt_elf.c:48:
+static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int, unsigned long);
WARNING: line over 80 characters
#429: FILE: fs/binfmt_elf.c:438:
+ eppnt, elf_prot, elf_type, total_size);
ERROR: need space after that ',' (ctx:VxV)
#480: FILE: fs/binfmt_elf.c:939:
+ elf_prot, elf_flags,0);
^
total: 9 errors, 7 warnings, 461 lines checked
Your patch has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
Please run checkpatch prior to sending patches
Cc: "Luck, Tony" <tony.luck@intel.com>
Cc: Arjan van de Ven <arjan@infradead.org>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2008-01-30 05:31:07 -07:00
|
|
|
eppnt, elf_prot, elf_type, total_size);
|
2008-01-30 05:31:07 -07:00
|
|
|
total_size = 0;
|
|
|
|
|
if (!*interp_map_addr)
|
|
|
|
|
*interp_map_addr = map_addr;
|
2006-06-23 03:05:35 -06:00
|
|
|
error = map_addr;
|
|
|
|
|
if (BAD_ADDR(map_addr))
|
2014-09-11 01:30:15 -06:00
|
|
|
goto out;
|
2006-06-23 03:05:35 -06:00
|
|
|
|
|
|
|
|
if (!load_addr_set &&
|
|
|
|
|
interp_elf_ex->e_type == ET_DYN) {
|
|
|
|
|
load_addr = map_addr - ELF_PAGESTART(vaddr);
|
|
|
|
|
load_addr_set = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check to see if the section's size will overflow the
|
|
|
|
|
* allowed task size. Note that p_filesz must always be
|
|
|
|
|
* <= p_memsize so it's only necessary to check p_memsz.
|
|
|
|
|
*/
|
|
|
|
|
k = load_addr + eppnt->p_vaddr;
|
[PATCH] binfmt_elf: fix checks for bad address
Fix check for bad address; use macro instead of open-coding two checks.
Taken from RHEL4 kernel update.
From: Ernie Petrides <petrides@redhat.com>
For background, the BAD_ADDR() macro should return TRUE if the address is
TASK_SIZE, because that's the lowest address that is *not* valid for
user-space mappings. The macro was correct in binfmt_aout.c but was wrong
for the "equal to" case in binfmt_elf.c. There were two in-line validations
of user-space addresses in binfmt_elf.c, which have been appropriately
converted to use the corrected BAD_ADDR() macro in the patch you posted
yesterday. Note that the size checks against TASK_SIZE are okay as coded.
The additional changes that I propose are below. These are in the error
paths for bad ELF entry addresses once load_elf_binary() has already
committed to exec'ing the new image (following the tearing down of the
task's original address space).
The 1st hunk deals with the interp-side of the outer "if". There were two
problems here. The printk() should be removed because this path can be
triggered at will by a bogus interpreter image created and used by a
malicious user. Further, the error code should not be ENOEXEC, because that
causes the loop in search_binary_handler() to continue trying other exec
handlers (twice, in fact). But it's too late for this to work correctly,
because the user address space has already been torn down, and an exec()
failure cannot be returned to the user code because the code no longer
exists. The only recovery is to force a SIGSEGV, but it's best to terminate
the search loop immediately. I somewhat arbitrarily chose EINVAL as a
fallback error code, but any error returned by load_elf_interp() will
override that (but this value will never be seen by user-space).
The 2nd hunk deals with the non-interp-side of the outer "if". There were
two problems here as well. The SIGSEGV needs to be forced, because a prior
sigaction() syscall might have set the associated disposition to SIG_IGN.
And the ENOEXEC should be changed to EINVAL as described above.
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Ernie Petrides <petrides@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-07-03 01:24:14 -06:00
|
|
|
if (BAD_ADDR(k) ||
|
2006-06-23 03:05:35 -06:00
|
|
|
eppnt->p_filesz > eppnt->p_memsz ||
|
|
|
|
|
eppnt->p_memsz > TASK_SIZE ||
|
|
|
|
|
TASK_SIZE - eppnt->p_memsz < k) {
|
|
|
|
|
error = -ENOMEM;
|
2014-09-11 01:30:15 -06:00
|
|
|
goto out;
|
2006-06-23 03:05:35 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find the end of the file mapping for this phdr, and
|
|
|
|
|
* keep track of the largest address we see for this.
|
|
|
|
|
*/
|
|
|
|
|
k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
|
|
|
|
|
if (k > elf_bss)
|
|
|
|
|
elf_bss = k;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Do the same thing for the memory mapping - between
|
|
|
|
|
* elf_bss and last_bss is the bss section.
|
|
|
|
|
*/
|
binfmt_elf: fix calculations for bss padding
A double-bug exists in the bss calculation code, where an overflow can
happen in the "last_bss - elf_bss" calculation, but vm_brk internally
aligns the argument, underflowing it, wrapping back around safe. We
shouldn't depend on these bugs staying in sync, so this cleans up the
bss padding handling to avoid the overflow.
This moves the bss padzero() before the last_bss > elf_bss case, since
the zero-filling of the ELF_PAGE should have nothing to do with the
relationship of last_bss and elf_bss: any trailing portion should be
zeroed, and a zero size is already handled by padzero().
Then it handles the math on elf_bss vs last_bss correctly. These need
to both be ELF_PAGE aligned to get the comparison correct, since that's
the expected granularity of the mappings. Since elf_bss already had
alignment-based padding happen in padzero(), the "start" of the new
vm_brk() should be moved forward as done in the original code. However,
since the "end" of the vm_brk() area will already become PAGE_ALIGNed in
vm_brk() then last_bss should get aligned here to avoid hiding it as a
side-effect.
Additionally makes a cosmetic change to the initial last_bss calculation
so it's easier to read in comparison to the load_addr calculation above
it (i.e. the only difference is p_filesz vs p_memsz).
Link: http://lkml.kernel.org/r/1468014494-25291-2-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-02 15:04:51 -06:00
|
|
|
k = load_addr + eppnt->p_vaddr + eppnt->p_memsz;
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
if (k > last_bss) {
|
2006-06-23 03:05:35 -06:00
|
|
|
last_bss = k;
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
bss_prot = elf_prot;
|
|
|
|
|
}
|
2006-06-23 03:05:35 -06:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
binfmt_elf: fix calculations for bss padding
A double-bug exists in the bss calculation code, where an overflow can
happen in the "last_bss - elf_bss" calculation, but vm_brk internally
aligns the argument, underflowing it, wrapping back around safe. We
shouldn't depend on these bugs staying in sync, so this cleans up the
bss padding handling to avoid the overflow.
This moves the bss padzero() before the last_bss > elf_bss case, since
the zero-filling of the ELF_PAGE should have nothing to do with the
relationship of last_bss and elf_bss: any trailing portion should be
zeroed, and a zero size is already handled by padzero().
Then it handles the math on elf_bss vs last_bss correctly. These need
to both be ELF_PAGE aligned to get the comparison correct, since that's
the expected granularity of the mappings. Since elf_bss already had
alignment-based padding happen in padzero(), the "start" of the new
vm_brk() should be moved forward as done in the original code. However,
since the "end" of the vm_brk() area will already become PAGE_ALIGNed in
vm_brk() then last_bss should get aligned here to avoid hiding it as a
side-effect.
Additionally makes a cosmetic change to the initial last_bss calculation
so it's easier to read in comparison to the load_addr calculation above
it (i.e. the only difference is p_filesz vs p_memsz).
Link: http://lkml.kernel.org/r/1468014494-25291-2-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-02 15:04:51 -06:00
|
|
|
/*
|
|
|
|
|
* Now fill out the bss section: first pad the last page from
|
|
|
|
|
* the file up to the page boundary, and zero it from elf_bss
|
|
|
|
|
* up to the end of the page.
|
|
|
|
|
*/
|
|
|
|
|
if (padzero(elf_bss)) {
|
|
|
|
|
error = -EFAULT;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Next, align both the file and mem bss up to the page size,
|
|
|
|
|
* since this is where elf_bss was just zeroed up to, and where
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
* last_bss will end after the vm_brk_flags() below.
|
binfmt_elf: fix calculations for bss padding
A double-bug exists in the bss calculation code, where an overflow can
happen in the "last_bss - elf_bss" calculation, but vm_brk internally
aligns the argument, underflowing it, wrapping back around safe. We
shouldn't depend on these bugs staying in sync, so this cleans up the
bss padding handling to avoid the overflow.
This moves the bss padzero() before the last_bss > elf_bss case, since
the zero-filling of the ELF_PAGE should have nothing to do with the
relationship of last_bss and elf_bss: any trailing portion should be
zeroed, and a zero size is already handled by padzero().
Then it handles the math on elf_bss vs last_bss correctly. These need
to both be ELF_PAGE aligned to get the comparison correct, since that's
the expected granularity of the mappings. Since elf_bss already had
alignment-based padding happen in padzero(), the "start" of the new
vm_brk() should be moved forward as done in the original code. However,
since the "end" of the vm_brk() area will already become PAGE_ALIGNed in
vm_brk() then last_bss should get aligned here to avoid hiding it as a
side-effect.
Additionally makes a cosmetic change to the initial last_bss calculation
so it's easier to read in comparison to the load_addr calculation above
it (i.e. the only difference is p_filesz vs p_memsz).
Link: http://lkml.kernel.org/r/1468014494-25291-2-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-02 15:04:51 -06:00
|
|
|
*/
|
|
|
|
|
elf_bss = ELF_PAGEALIGN(elf_bss);
|
|
|
|
|
last_bss = ELF_PAGEALIGN(last_bss);
|
|
|
|
|
/* Finally, if there is still more bss to allocate, do it. */
|
2009-09-08 20:49:40 -06:00
|
|
|
if (last_bss > elf_bss) {
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
error = vm_brk_flags(elf_bss, last_bss - elf_bss,
|
|
|
|
|
bss_prot & PROT_EXEC ? VM_EXEC : 0);
|
2016-05-27 16:57:31 -06:00
|
|
|
if (error)
|
2014-09-11 01:30:15 -06:00
|
|
|
goto out;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2008-01-30 05:31:07 -07:00
|
|
|
error = load_addr;
|
2005-04-16 16:20:36 -06:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* These are the functions used to load ELF style executables and shared
|
|
|
|
|
* libraries. There is no binary dependent code anywhere else.
|
|
|
|
|
*/
|
|
|
|
|
|
2012-10-20 20:00:48 -06:00
|
|
|
static int load_elf_binary(struct linux_binprm *bprm)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
struct file *interpreter = NULL; /* to shut gcc up */
|
|
|
|
|
unsigned long load_addr = 0, load_bias = 0;
|
|
|
|
|
int load_addr_set = 0;
|
|
|
|
|
unsigned long error;
|
2014-09-11 01:30:15 -06:00
|
|
|
struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long elf_bss, elf_brk;
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
int bss_prot = 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
int retval, i;
|
2008-01-30 05:31:07 -07:00
|
|
|
unsigned long elf_entry;
|
|
|
|
|
unsigned long interp_load_addr = 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long start_code, end_code, start_data, end_data;
|
2011-03-22 17:34:48 -06:00
|
|
|
unsigned long reloc_func_desc __maybe_unused = 0;
|
2006-12-06 21:40:16 -07:00
|
|
|
int executable_stack = EXSTACK_DEFAULT;
|
2005-04-16 16:20:36 -06:00
|
|
|
struct {
|
|
|
|
|
struct elfhdr elf_ex;
|
|
|
|
|
struct elfhdr interp_elf_ex;
|
|
|
|
|
} *loc;
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
|
2019-05-14 16:43:54 -06:00
|
|
|
struct pt_regs *regs;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
|
|
|
|
|
if (!loc) {
|
|
|
|
|
retval = -ENOMEM;
|
|
|
|
|
goto out_ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Get the exec-header */
|
2006-06-23 03:05:35 -06:00
|
|
|
loc->elf_ex = *((struct elfhdr *)bprm->buf);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
retval = -ENOEXEC;
|
|
|
|
|
/* First of all, some simple consistency checks */
|
|
|
|
|
if (memcmp(loc->elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
if (loc->elf_ex.e_type != ET_EXEC && loc->elf_ex.e_type != ET_DYN)
|
|
|
|
|
goto out;
|
|
|
|
|
if (!elf_check_arch(&loc->elf_ex))
|
|
|
|
|
goto out;
|
2017-08-16 14:05:13 -06:00
|
|
|
if (elf_check_fdpic(&loc->elf_ex))
|
|
|
|
|
goto out;
|
2013-09-22 14:27:52 -06:00
|
|
|
if (!bprm->file->f_op->mmap)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out;
|
|
|
|
|
|
2014-09-11 01:30:14 -06:00
|
|
|
elf_phdata = load_elf_phdrs(&loc->elf_ex, bprm->file);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (!elf_phdata)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
elf_ppnt = elf_phdata;
|
2019-05-14 16:43:45 -06:00
|
|
|
for (i = 0; i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
|
|
|
|
|
char *elf_interpreter;
|
|
|
|
|
loff_t pos;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2019-05-14 16:43:45 -06:00
|
|
|
if (elf_ppnt->p_type != PT_INTERP)
|
|
|
|
|
continue;
|
2007-01-26 01:57:16 -07:00
|
|
|
|
2019-05-14 16:43:45 -06:00
|
|
|
/*
|
|
|
|
|
* This is the program interpreter used for shared libraries -
|
|
|
|
|
* for now assume that this is an a.out format binary.
|
|
|
|
|
*/
|
|
|
|
|
retval = -ENOEXEC;
|
|
|
|
|
if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
|
|
|
|
|
goto out_free_ph;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2019-05-14 16:43:45 -06:00
|
|
|
retval = -ENOMEM;
|
|
|
|
|
elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
|
|
|
|
|
if (!elf_interpreter)
|
|
|
|
|
goto out_free_ph;
|
2019-05-14 16:43:39 -06:00
|
|
|
|
2019-05-14 16:43:45 -06:00
|
|
|
pos = elf_ppnt->p_offset;
|
|
|
|
|
retval = kernel_read(bprm->file, elf_interpreter,
|
|
|
|
|
elf_ppnt->p_filesz, &pos);
|
|
|
|
|
if (retval != elf_ppnt->p_filesz) {
|
|
|
|
|
if (retval >= 0)
|
|
|
|
|
retval = -EIO;
|
|
|
|
|
goto out_free_interp;
|
|
|
|
|
}
|
|
|
|
|
/* make sure path is NULL terminated */
|
|
|
|
|
retval = -ENOEXEC;
|
|
|
|
|
if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
|
|
|
|
|
goto out_free_interp;
|
|
|
|
|
|
|
|
|
|
interpreter = open_exec(elf_interpreter);
|
|
|
|
|
kfree(elf_interpreter);
|
|
|
|
|
retval = PTR_ERR(interpreter);
|
|
|
|
|
if (IS_ERR(interpreter))
|
2019-05-14 16:43:39 -06:00
|
|
|
goto out_free_ph;
|
2019-05-14 16:43:45 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If the binary is not readable then enforce mm->dumpable = 0
|
|
|
|
|
* regardless of the interpreter's permissions.
|
|
|
|
|
*/
|
|
|
|
|
would_dump(bprm, interpreter);
|
|
|
|
|
|
|
|
|
|
/* Get the exec headers */
|
|
|
|
|
pos = 0;
|
|
|
|
|
retval = kernel_read(interpreter, &loc->interp_elf_ex,
|
|
|
|
|
sizeof(loc->interp_elf_ex), &pos);
|
|
|
|
|
if (retval != sizeof(loc->interp_elf_ex)) {
|
|
|
|
|
if (retval >= 0)
|
|
|
|
|
retval = -EIO;
|
|
|
|
|
goto out_free_dentry;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2019-05-14 16:43:45 -06:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
out_free_interp:
|
|
|
|
|
kfree(elf_interpreter);
|
|
|
|
|
goto out_free_ph;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
elf_ppnt = elf_phdata;
|
|
|
|
|
for (i = 0; i < loc->elf_ex.e_phnum; i++, elf_ppnt++)
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
switch (elf_ppnt->p_type) {
|
|
|
|
|
case PT_GNU_STACK:
|
2005-04-16 16:20:36 -06:00
|
|
|
if (elf_ppnt->p_flags & PF_X)
|
|
|
|
|
executable_stack = EXSTACK_ENABLE_X;
|
|
|
|
|
else
|
|
|
|
|
executable_stack = EXSTACK_DISABLE_X;
|
|
|
|
|
break;
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
|
|
|
|
|
case PT_LOPROC ... PT_HIPROC:
|
|
|
|
|
retval = arch_elf_pt_proc(&loc->elf_ex, elf_ppnt,
|
|
|
|
|
bprm->file, false,
|
|
|
|
|
&arch_state);
|
|
|
|
|
if (retval)
|
|
|
|
|
goto out_free_dentry;
|
|
|
|
|
break;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Some simple consistency checks for the interpreter */
|
2019-05-14 16:43:39 -06:00
|
|
|
if (interpreter) {
|
2005-04-16 16:20:36 -06:00
|
|
|
retval = -ELIBBAD;
|
2008-02-08 05:21:54 -07:00
|
|
|
/* Not an ELF interpreter */
|
|
|
|
|
if (memcmp(loc->interp_elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
/* Verify the interpreter has a valid arch */
|
2017-08-16 14:05:13 -06:00
|
|
|
if (!elf_check_arch(&loc->interp_elf_ex) ||
|
|
|
|
|
elf_check_fdpic(&loc->interp_elf_ex))
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
2014-09-11 01:30:15 -06:00
|
|
|
|
|
|
|
|
/* Load the interpreter program headers */
|
|
|
|
|
interp_elf_phdata = load_elf_phdrs(&loc->interp_elf_ex,
|
|
|
|
|
interpreter);
|
|
|
|
|
if (!interp_elf_phdata)
|
|
|
|
|
goto out_free_dentry;
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
|
|
|
|
|
/* Pass PT_LOPROC..PT_HIPROC headers to arch code */
|
|
|
|
|
elf_ppnt = interp_elf_phdata;
|
|
|
|
|
for (i = 0; i < loc->interp_elf_ex.e_phnum; i++, elf_ppnt++)
|
|
|
|
|
switch (elf_ppnt->p_type) {
|
|
|
|
|
case PT_LOPROC ... PT_HIPROC:
|
|
|
|
|
retval = arch_elf_pt_proc(&loc->interp_elf_ex,
|
|
|
|
|
elf_ppnt, interpreter,
|
|
|
|
|
true, &arch_state);
|
|
|
|
|
if (retval)
|
|
|
|
|
goto out_free_dentry;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
/*
|
|
|
|
|
* Allow arch code to reject the ELF at this point, whilst it's
|
|
|
|
|
* still possible to return an error to the code that invoked
|
|
|
|
|
* the exec syscall.
|
|
|
|
|
*/
|
2015-11-12 17:47:48 -07:00
|
|
|
retval = arch_check_elf(&loc->elf_ex,
|
|
|
|
|
!!interpreter, &loc->interp_elf_ex,
|
|
|
|
|
&arch_state);
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
if (retval)
|
|
|
|
|
goto out_free_dentry;
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Flush all traces of the currently running executable */
|
|
|
|
|
retval = flush_old_exec(bprm);
|
|
|
|
|
if (retval)
|
|
|
|
|
goto out_free_dentry;
|
|
|
|
|
|
|
|
|
|
/* Do this immediately, since STACK_TOP as used in setup_arg_pages
|
|
|
|
|
may depend on the personality. */
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
SET_PERSONALITY2(loc->elf_ex, &arch_state);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
|
|
|
|
|
current->personality |= READ_IMPLIES_EXEC;
|
|
|
|
|
|
2006-06-23 03:05:35 -06:00
|
|
|
if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
|
2005-04-16 16:20:36 -06:00
|
|
|
current->flags |= PF_RANDOMIZE;
|
Split 'flush_old_exec' into two functions
'flush_old_exec()' is the point of no return when doing an execve(), and
it is pretty badly misnamed. It doesn't just flush the old executable
environment, it also starts up the new one.
Which is very inconvenient for things like setting up the new
personality, because we want the new personality to affect the starting
of the new environment, but at the same time we do _not_ want the new
personality to take effect if flushing the old one fails.
As a result, the x86-64 '32-bit' personality is actually done using this
insane "I'm going to change the ABI, but I haven't done it yet" bit
(TIF_ABI_PENDING), with SET_PERSONALITY() not actually setting the
personality, but just the "pending" bit, so that "flush_thread()" can do
the actual personality magic.
This patch in no way changes any of that insanity, but it does split the
'flush_old_exec()' function up into a preparatory part that can fail
(still called flush_old_exec()), and a new part that will actually set
up the new exec environment (setup_new_exec()). All callers are changed
to trivially comply with the new world order.
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-01-28 23:14:42 -07:00
|
|
|
|
|
|
|
|
setup_new_exec(bprm);
|
2016-08-22 17:41:46 -06:00
|
|
|
install_exec_creds(bprm);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* Do this so that we can load the interpreter, if need be. We will
|
|
|
|
|
change some of these later */
|
|
|
|
|
retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
|
|
|
|
|
executable_stack);
|
2014-05-04 18:11:36 -06:00
|
|
|
if (retval < 0)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
|
2019-05-14 16:43:48 -06:00
|
|
|
elf_bss = 0;
|
|
|
|
|
elf_brk = 0;
|
|
|
|
|
|
|
|
|
|
start_code = ~0UL;
|
|
|
|
|
end_code = 0;
|
|
|
|
|
start_data = 0;
|
|
|
|
|
end_data = 0;
|
|
|
|
|
|
tree-wide: fix assorted typos all over the place
That is "success", "unknown", "through", "performance", "[re|un]mapping"
, "access", "default", "reasonable", "[con]currently", "temperature"
, "channel", "[un]used", "application", "example","hierarchy", "therefore"
, "[over|under]flow", "contiguous", "threshold", "enough" and others.
Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2009-11-14 08:09:05 -07:00
|
|
|
/* Now we do a little grungy work by mmapping the ELF image into
|
2008-01-30 05:31:07 -07:00
|
|
|
the correct location in memory. */
|
2006-06-23 03:05:35 -06:00
|
|
|
for(i = 0, elf_ppnt = elf_phdata;
|
|
|
|
|
i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
|
elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings
In commit 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map") we
changed elf to use MAP_FIXED_NOREPLACE instead of MAP_FIXED for the
executable mappings.
Then, people reported that it broke some binaries that had overlapping
segments from the same file, and commit ad55eac74f20 ("elf: enforce
MAP_FIXED on overlaying elf segments") re-instated MAP_FIXED for some
overlaying elf segment cases. But only some - despite the summary line
of that commit, it only did it when it also does a temporary brk vma for
one obvious overlapping case.
Now Russell King reports another overlapping case with old 32-bit x86
binaries, which doesn't trigger that limited case. End result: we had
better just drop MAP_FIXED_NOREPLACE entirely, and go back to MAP_FIXED.
Yes, it's a sign of old binaries generated with old tool-chains, but we
do pride ourselves on not breaking existing setups.
This still leaves MAP_FIXED_NOREPLACE in place for the load_elf_interp()
and the old load_elf_library() use-cases, because nobody has reported
breakage for those. Yet.
Note that in all the cases seen so far, the overlapping elf sections
seem to be just re-mapping of the same executable with different section
attributes. We could possibly introduce a new MAP_FIXED_NOFILECHANGE
flag or similar, which acts like NOREPLACE, but allows just remapping
the same executable file using different protection flags.
It's not clear that would make a huge difference to anything, but if
people really hate that "elf remaps over previous maps" behavior, maybe
at least a more limited form of remapping would alleviate some concerns.
Alternatively, we should take a look at our elf_map() logic to see if we
end up not mapping things properly the first time.
In the meantime, this is the minimal "don't do that then" patch while
people hopefully think about it more.
Reported-by: Russell King <linux@armlinux.org.uk>
Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
Fixes: ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments")
Cc: Michal Hocko <mhocko@suse.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-10-06 14:53:27 -06:00
|
|
|
int elf_prot, elf_flags;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long k, vaddr;
|
2015-04-14 16:47:38 -06:00
|
|
|
unsigned long total_size = 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
if (elf_ppnt->p_type != PT_LOAD)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (unlikely (elf_brk > elf_bss)) {
|
|
|
|
|
unsigned long nbyte;
|
|
|
|
|
|
|
|
|
|
/* There was a PT_LOAD segment with p_memsz > p_filesz
|
|
|
|
|
before this one. Map anonymous pages, if needed,
|
|
|
|
|
and clear the area. */
|
2011-01-12 18:00:02 -07:00
|
|
|
retval = set_brk(elf_bss + load_bias,
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
elf_brk + load_bias,
|
|
|
|
|
bss_prot);
|
2014-05-04 18:11:36 -06:00
|
|
|
if (retval)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
nbyte = ELF_PAGEOFFSET(elf_bss);
|
|
|
|
|
if (nbyte) {
|
|
|
|
|
nbyte = ELF_MIN_ALIGN - nbyte;
|
|
|
|
|
if (nbyte > elf_brk - elf_bss)
|
|
|
|
|
nbyte = elf_brk - elf_bss;
|
|
|
|
|
if (clear_user((void __user *)elf_bss +
|
|
|
|
|
load_bias, nbyte)) {
|
|
|
|
|
/*
|
|
|
|
|
* This bss-zeroing can fail if the ELF
|
2006-06-23 03:05:35 -06:00
|
|
|
* file specifies odd protections. So
|
2005-04-16 16:20:36 -06:00
|
|
|
* we don't check the return value
|
|
|
|
|
*/
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-14 16:43:51 -06:00
|
|
|
elf_prot = make_prot(elf_ppnt->p_flags);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2006-06-23 03:05:35 -06:00
|
|
|
elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
vaddr = elf_ppnt->p_vaddr;
|
binfmt_elf: use ELF_ET_DYN_BASE only for PIE
The ELF_ET_DYN_BASE position was originally intended to keep loaders
away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
/bin/cat" might cause the subsequent load of /bin/cat into where the
loader had been loaded.)
With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
ELF_ET_DYN_BASE continued to be used since the kernel was only looking
at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the
top 1/3rd of the TASK_SIZE, a substantial portion of the address space
is unused.
For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
loaded above the mmap region. This means they can be made to collide
(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
pathological stack regions.
Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
region in all cases, and will now additionally avoid programs falling
back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
if it would have collided with the stack, now it will fail to load
instead of falling back to the mmap region).
To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
are loaded into the mmap region, leaving space available for either an
ET_EXEC binary with a fixed location or PIE being loaded into mmap by
the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
which means architectures can now safely lower their values without risk
of loaders colliding with their subsequently loaded programs.
For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
the entire 32-bit address space for 32-bit pointers.
Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.
Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-10 16:52:37 -06:00
|
|
|
/*
|
|
|
|
|
* If we are loading ET_EXEC or we have already performed
|
|
|
|
|
* the ET_DYN load_addr calculations, proceed normally.
|
|
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
|
elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings
In commit 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map") we
changed elf to use MAP_FIXED_NOREPLACE instead of MAP_FIXED for the
executable mappings.
Then, people reported that it broke some binaries that had overlapping
segments from the same file, and commit ad55eac74f20 ("elf: enforce
MAP_FIXED on overlaying elf segments") re-instated MAP_FIXED for some
overlaying elf segment cases. But only some - despite the summary line
of that commit, it only did it when it also does a temporary brk vma for
one obvious overlapping case.
Now Russell King reports another overlapping case with old 32-bit x86
binaries, which doesn't trigger that limited case. End result: we had
better just drop MAP_FIXED_NOREPLACE entirely, and go back to MAP_FIXED.
Yes, it's a sign of old binaries generated with old tool-chains, but we
do pride ourselves on not breaking existing setups.
This still leaves MAP_FIXED_NOREPLACE in place for the load_elf_interp()
and the old load_elf_library() use-cases, because nobody has reported
breakage for those. Yet.
Note that in all the cases seen so far, the overlapping elf sections
seem to be just re-mapping of the same executable with different section
attributes. We could possibly introduce a new MAP_FIXED_NOFILECHANGE
flag or similar, which acts like NOREPLACE, but allows just remapping
the same executable file using different protection flags.
It's not clear that would make a huge difference to anything, but if
people really hate that "elf remaps over previous maps" behavior, maybe
at least a more limited form of remapping would alleviate some concerns.
Alternatively, we should take a look at our elf_map() logic to see if we
end up not mapping things properly the first time.
In the meantime, this is the minimal "don't do that then" patch while
people hopefully think about it more.
Reported-by: Russell King <linux@armlinux.org.uk>
Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
Fixes: ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments")
Cc: Michal Hocko <mhocko@suse.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-10-06 14:53:27 -06:00
|
|
|
elf_flags |= MAP_FIXED;
|
2005-04-16 16:20:36 -06:00
|
|
|
} else if (loc->elf_ex.e_type == ET_DYN) {
|
binfmt_elf: use ELF_ET_DYN_BASE only for PIE
The ELF_ET_DYN_BASE position was originally intended to keep loaders
away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
/bin/cat" might cause the subsequent load of /bin/cat into where the
loader had been loaded.)
With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
ELF_ET_DYN_BASE continued to be used since the kernel was only looking
at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the
top 1/3rd of the TASK_SIZE, a substantial portion of the address space
is unused.
For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
loaded above the mmap region. This means they can be made to collide
(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
pathological stack regions.
Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
region in all cases, and will now additionally avoid programs falling
back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
if it would have collided with the stack, now it will fail to load
instead of falling back to the mmap region).
To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
are loaded into the mmap region, leaving space available for either an
ET_EXEC binary with a fixed location or PIE being loaded into mmap by
the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
which means architectures can now safely lower their values without risk
of loaders colliding with their subsequently loaded programs.
For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
the entire 32-bit address space for 32-bit pointers.
Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.
Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-10 16:52:37 -06:00
|
|
|
/*
|
|
|
|
|
* This logic is run once for the first LOAD Program
|
|
|
|
|
* Header for ET_DYN binaries to calculate the
|
|
|
|
|
* randomization (load_bias) for all the LOAD
|
|
|
|
|
* Program Headers, and to calculate the entire
|
|
|
|
|
* size of the ELF mapping (total_size). (Note that
|
|
|
|
|
* load_addr_set is set to true later once the
|
|
|
|
|
* initial mapping is performed.)
|
|
|
|
|
*
|
|
|
|
|
* There are effectively two types of ET_DYN
|
|
|
|
|
* binaries: programs (i.e. PIE: ET_DYN with INTERP)
|
|
|
|
|
* and loaders (ET_DYN without INTERP, since they
|
|
|
|
|
* _are_ the ELF interpreter). The loaders must
|
|
|
|
|
* be loaded away from programs since the program
|
|
|
|
|
* may otherwise collide with the loader (especially
|
|
|
|
|
* for ET_EXEC which does not have a randomized
|
|
|
|
|
* position). For example to handle invocations of
|
|
|
|
|
* "./ld.so someprog" to test out a new version of
|
|
|
|
|
* the loader, the subsequent program that the
|
|
|
|
|
* loader loads must avoid the loader itself, so
|
|
|
|
|
* they cannot share the same load range. Sufficient
|
|
|
|
|
* room for the brk must be allocated with the
|
|
|
|
|
* loader as well, since brk must be available with
|
|
|
|
|
* the loader.
|
|
|
|
|
*
|
|
|
|
|
* Therefore, programs are loaded offset from
|
|
|
|
|
* ELF_ET_DYN_BASE and loaders are loaded into the
|
|
|
|
|
* independently randomized mmap region (0 load_bias
|
|
|
|
|
* without MAP_FIXED).
|
|
|
|
|
*/
|
2019-05-14 16:43:39 -06:00
|
|
|
if (interpreter) {
|
binfmt_elf: use ELF_ET_DYN_BASE only for PIE
The ELF_ET_DYN_BASE position was originally intended to keep loaders
away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
/bin/cat" might cause the subsequent load of /bin/cat into where the
loader had been loaded.)
With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
ELF_ET_DYN_BASE continued to be used since the kernel was only looking
at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the
top 1/3rd of the TASK_SIZE, a substantial portion of the address space
is unused.
For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
loaded above the mmap region. This means they can be made to collide
(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
pathological stack regions.
Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
region in all cases, and will now additionally avoid programs falling
back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
if it would have collided with the stack, now it will fail to load
instead of falling back to the mmap region).
To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
are loaded into the mmap region, leaving space available for either an
ET_EXEC binary with a fixed location or PIE being loaded into mmap by
the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
which means architectures can now safely lower their values without risk
of loaders colliding with their subsequently loaded programs.
For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
the entire 32-bit address space for 32-bit pointers.
Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.
Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-10 16:52:37 -06:00
|
|
|
load_bias = ELF_ET_DYN_BASE;
|
|
|
|
|
if (current->flags & PF_RANDOMIZE)
|
|
|
|
|
load_bias += arch_mmap_rnd();
|
elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings
In commit 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map") we
changed elf to use MAP_FIXED_NOREPLACE instead of MAP_FIXED for the
executable mappings.
Then, people reported that it broke some binaries that had overlapping
segments from the same file, and commit ad55eac74f20 ("elf: enforce
MAP_FIXED on overlaying elf segments") re-instated MAP_FIXED for some
overlaying elf segment cases. But only some - despite the summary line
of that commit, it only did it when it also does a temporary brk vma for
one obvious overlapping case.
Now Russell King reports another overlapping case with old 32-bit x86
binaries, which doesn't trigger that limited case. End result: we had
better just drop MAP_FIXED_NOREPLACE entirely, and go back to MAP_FIXED.
Yes, it's a sign of old binaries generated with old tool-chains, but we
do pride ourselves on not breaking existing setups.
This still leaves MAP_FIXED_NOREPLACE in place for the load_elf_interp()
and the old load_elf_library() use-cases, because nobody has reported
breakage for those. Yet.
Note that in all the cases seen so far, the overlapping elf sections
seem to be just re-mapping of the same executable with different section
attributes. We could possibly introduce a new MAP_FIXED_NOFILECHANGE
flag or similar, which acts like NOREPLACE, but allows just remapping
the same executable file using different protection flags.
It's not clear that would make a huge difference to anything, but if
people really hate that "elf remaps over previous maps" behavior, maybe
at least a more limited form of remapping would alleviate some concerns.
Alternatively, we should take a look at our elf_map() logic to see if we
end up not mapping things properly the first time.
In the meantime, this is the minimal "don't do that then" patch while
people hopefully think about it more.
Reported-by: Russell King <linux@armlinux.org.uk>
Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
Fixes: ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments")
Cc: Michal Hocko <mhocko@suse.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-10-06 14:53:27 -06:00
|
|
|
elf_flags |= MAP_FIXED;
|
binfmt_elf: use ELF_ET_DYN_BASE only for PIE
The ELF_ET_DYN_BASE position was originally intended to keep loaders
away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
/bin/cat" might cause the subsequent load of /bin/cat into where the
loader had been loaded.)
With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
ELF_ET_DYN_BASE continued to be used since the kernel was only looking
at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the
top 1/3rd of the TASK_SIZE, a substantial portion of the address space
is unused.
For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
loaded above the mmap region. This means they can be made to collide
(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
pathological stack regions.
Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
region in all cases, and will now additionally avoid programs falling
back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
if it would have collided with the stack, now it will fail to load
instead of falling back to the mmap region).
To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
are loaded into the mmap region, leaving space available for either an
ET_EXEC binary with a fixed location or PIE being loaded into mmap by
the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
which means architectures can now safely lower their values without risk
of loaders colliding with their subsequently loaded programs.
For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
the entire 32-bit address space for 32-bit pointers.
Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
suggestions on how to implement this solution.
Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-10 16:52:37 -06:00
|
|
|
} else
|
|
|
|
|
load_bias = 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Since load_bias is used for all subsequent loading
|
|
|
|
|
* calculations, we must lower it by the first vaddr
|
|
|
|
|
* so that the remaining calculations based on the
|
|
|
|
|
* ELF vaddrs will be correctly offset. The result
|
|
|
|
|
* is then page aligned.
|
|
|
|
|
*/
|
|
|
|
|
load_bias = ELF_PAGESTART(load_bias - vaddr);
|
|
|
|
|
|
2015-04-14 16:47:38 -06:00
|
|
|
total_size = total_mapping_size(elf_phdata,
|
|
|
|
|
loc->elf_ex.e_phnum);
|
|
|
|
|
if (!total_size) {
|
2015-05-28 16:44:24 -06:00
|
|
|
retval = -EINVAL;
|
2015-04-14 16:47:38 -06:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2006-06-23 03:05:35 -06:00
|
|
|
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
|
2015-04-14 16:47:38 -06:00
|
|
|
elf_prot, elf_flags, total_size);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (BAD_ADDR(error)) {
|
2007-05-08 01:31:57 -06:00
|
|
|
retval = IS_ERR((void *)error) ?
|
|
|
|
|
PTR_ERR((void*)error) : -EINVAL;
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!load_addr_set) {
|
|
|
|
|
load_addr_set = 1;
|
|
|
|
|
load_addr = (elf_ppnt->p_vaddr - elf_ppnt->p_offset);
|
|
|
|
|
if (loc->elf_ex.e_type == ET_DYN) {
|
|
|
|
|
load_bias += error -
|
|
|
|
|
ELF_PAGESTART(load_bias + vaddr);
|
|
|
|
|
load_addr += load_bias;
|
|
|
|
|
reloc_func_desc = load_bias;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
k = elf_ppnt->p_vaddr;
|
2006-06-23 03:05:35 -06:00
|
|
|
if (k < start_code)
|
|
|
|
|
start_code = k;
|
|
|
|
|
if (start_data < k)
|
|
|
|
|
start_data = k;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check to see if the section's size will overflow the
|
|
|
|
|
* allowed task size. Note that p_filesz must always be
|
|
|
|
|
* <= p_memsz so it is only necessary to check p_memsz.
|
|
|
|
|
*/
|
[PATCH] binfmt_elf: fix checks for bad address
Fix check for bad address; use macro instead of open-coding two checks.
Taken from RHEL4 kernel update.
From: Ernie Petrides <petrides@redhat.com>
For background, the BAD_ADDR() macro should return TRUE if the address is
TASK_SIZE, because that's the lowest address that is *not* valid for
user-space mappings. The macro was correct in binfmt_aout.c but was wrong
for the "equal to" case in binfmt_elf.c. There were two in-line validations
of user-space addresses in binfmt_elf.c, which have been appropriately
converted to use the corrected BAD_ADDR() macro in the patch you posted
yesterday. Note that the size checks against TASK_SIZE are okay as coded.
The additional changes that I propose are below. These are in the error
paths for bad ELF entry addresses once load_elf_binary() has already
committed to exec'ing the new image (following the tearing down of the
task's original address space).
The 1st hunk deals with the interp-side of the outer "if". There were two
problems here. The printk() should be removed because this path can be
triggered at will by a bogus interpreter image created and used by a
malicious user. Further, the error code should not be ENOEXEC, because that
causes the loop in search_binary_handler() to continue trying other exec
handlers (twice, in fact). But it's too late for this to work correctly,
because the user address space has already been torn down, and an exec()
failure cannot be returned to the user code because the code no longer
exists. The only recovery is to force a SIGSEGV, but it's best to terminate
the search loop immediately. I somewhat arbitrarily chose EINVAL as a
fallback error code, but any error returned by load_elf_interp() will
override that (but this value will never be seen by user-space).
The 2nd hunk deals with the non-interp-side of the outer "if". There were
two problems here as well. The SIGSEGV needs to be forced, because a prior
sigaction() syscall might have set the associated disposition to SIG_IGN.
And the ENOEXEC should be changed to EINVAL as described above.
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Ernie Petrides <petrides@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-07-03 01:24:14 -06:00
|
|
|
if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
|
2005-04-16 16:20:36 -06:00
|
|
|
elf_ppnt->p_memsz > TASK_SIZE ||
|
|
|
|
|
TASK_SIZE - elf_ppnt->p_memsz < k) {
|
2006-06-23 03:05:35 -06:00
|
|
|
/* set_brk can never work. Avoid overflows. */
|
2007-05-08 01:31:57 -06:00
|
|
|
retval = -EINVAL;
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
|
|
|
|
|
|
|
|
|
|
if (k > elf_bss)
|
|
|
|
|
elf_bss = k;
|
|
|
|
|
if ((elf_ppnt->p_flags & PF_X) && end_code < k)
|
|
|
|
|
end_code = k;
|
|
|
|
|
if (end_data < k)
|
|
|
|
|
end_data = k;
|
|
|
|
|
k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
if (k > elf_brk) {
|
|
|
|
|
bss_prot = elf_prot;
|
2005-04-16 16:20:36 -06:00
|
|
|
elf_brk = k;
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
loc->elf_ex.e_entry += load_bias;
|
|
|
|
|
elf_bss += load_bias;
|
|
|
|
|
elf_brk += load_bias;
|
|
|
|
|
start_code += load_bias;
|
|
|
|
|
end_code += load_bias;
|
|
|
|
|
start_data += load_bias;
|
|
|
|
|
end_data += load_bias;
|
|
|
|
|
|
|
|
|
|
/* Calling set_brk effectively mmaps the pages that we need
|
|
|
|
|
* for the bss and break sections. We must do this before
|
|
|
|
|
* mapping in the interpreter, to make sure it doesn't wind
|
|
|
|
|
* up getting placed where the bss needs to go.
|
|
|
|
|
*/
|
powerpc: do not make the entire heap executable
On 32-bit powerpc the ELF PLT sections of binaries (built with
--bss-plt, or with a toolchain which defaults to it) look like this:
[17] .sbss NOBITS 0002aff8 01aff8 000014 00 WA 0 0 4
[18] .plt NOBITS 0002b00c 01aff8 000084 00 WAX 0 0 4
[19] .bss NOBITS 0002b090 01aff8 0000a4 00 WA 0 0 4
Which results in an ELF load header:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x019c70 0x00029c70 0x00029c70 0x01388 0x014c4 RWE 0x10000
This is all correct, the load region containing the PLT is marked as
executable. Note that the PLT starts at 0002b00c but the file mapping
ends at 0002aff8, so the PLT falls in the 0 fill section described by
the load header, and after a page boundary.
Unfortunately the generic ELF loader ignores the X bit in the load
headers when it creates the 0 filled non-file backed mappings. It
assumes all of these mappings are RW BSS sections, which is not the case
for PPC.
gcc/ld has an option (--secure-plt) to not do this, this is said to
incur a small performance penalty.
Currently, to support 32-bit binaries with PLT in BSS kernel maps
*entire brk area* with executable rights for all binaries, even
--secure-plt ones.
Stop doing that.
Teach the ELF loader to check the X bit in the relevant load header and
create 0 filled anonymous mappings that are executable if the load
header requests that.
Test program showing the difference in /proc/$PID/maps:
int main() {
char buf[16*1024];
char *p = malloc(123); /* make "[heap]" mapping appear */
int fd = open("/proc/self/maps", O_RDONLY);
int len = read(fd, buf, sizeof(buf));
write(1, buf, len);
printf("%p\n", p);
return 0;
}
Compiled using: gcc -mbss-plt -m32 -Os test.c -otest
Unpatched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10690000-106c0000 rwxp 00000000 00:00 0 [heap]
f7f70000-f7fa0000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fa0000-f7fb0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7fb0000-f7fc0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ffa90000-ffac0000 rw-p 00000000 00:00 0 [stack]
0x10690008
Patched ppc64 kernel:
00100000-00120000 r-xp 00000000 00:00 0 [vdso]
0fe10000-0ffd0000 r-xp 00000000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffd0000-0ffe0000 r--p 001b0000 fd:00 67898094 /usr/lib/libc-2.17.so
0ffe0000-0fff0000 rw-p 001c0000 fd:00 67898094 /usr/lib/libc-2.17.so
10000000-10010000 r-xp 00000000 fd:00 100674505 /home/user/test
10010000-10020000 r--p 00000000 fd:00 100674505 /home/user/test
10020000-10030000 rw-p 00010000 fd:00 100674505 /home/user/test
10180000-101b0000 rw-p 00000000 00:00 0 [heap]
^^^^ this has changed
f7c60000-f7c90000 r-xp 00000000 fd:00 67898089 /usr/lib/ld-2.17.so
f7c90000-f7ca0000 r--p 00020000 fd:00 67898089 /usr/lib/ld-2.17.so
f7ca0000-f7cb0000 rw-p 00030000 fd:00 67898089 /usr/lib/ld-2.17.so
ff860000-ff890000 rw-p 00000000 00:00 0 [stack]
0x10180008
The patch was originally posted in 2012 by Jason Gunthorpe
and apparently ignored:
https://lkml.org/lkml/2012/9/30/138
Lightly run-tested.
Link: http://lkml.kernel.org/r/20161215131950.23054-1-dvlasenk@redhat.com
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-22 16:45:16 -07:00
|
|
|
retval = set_brk(elf_bss, elf_brk, bss_prot);
|
2014-05-04 18:11:36 -06:00
|
|
|
if (retval)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
2005-10-11 09:29:08 -06:00
|
|
|
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
|
2005-04-16 16:20:36 -06:00
|
|
|
retval = -EFAULT; /* Nobody gets to see this, but.. */
|
|
|
|
|
goto out_free_dentry;
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-14 16:43:39 -06:00
|
|
|
if (interpreter) {
|
2012-10-04 18:13:42 -06:00
|
|
|
unsigned long interp_map_addr = 0;
|
2008-02-08 05:21:54 -07:00
|
|
|
|
|
|
|
|
elf_entry = load_elf_interp(&loc->interp_elf_ex,
|
|
|
|
|
interpreter,
|
|
|
|
|
&interp_map_addr,
|
2014-09-11 01:30:15 -06:00
|
|
|
load_bias, interp_elf_phdata);
|
2008-02-08 05:21:54 -07:00
|
|
|
if (!IS_ERR((void *)elf_entry)) {
|
|
|
|
|
/*
|
|
|
|
|
* load_elf_interp() returns relocation
|
|
|
|
|
* adjustment
|
|
|
|
|
*/
|
|
|
|
|
interp_load_addr = elf_entry;
|
|
|
|
|
elf_entry += loc->interp_elf_ex.e_entry;
|
2008-01-30 05:31:07 -07:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
if (BAD_ADDR(elf_entry)) {
|
[PATCH] binfmt_elf: fix checks for bad address
Fix check for bad address; use macro instead of open-coding two checks.
Taken from RHEL4 kernel update.
From: Ernie Petrides <petrides@redhat.com>
For background, the BAD_ADDR() macro should return TRUE if the address is
TASK_SIZE, because that's the lowest address that is *not* valid for
user-space mappings. The macro was correct in binfmt_aout.c but was wrong
for the "equal to" case in binfmt_elf.c. There were two in-line validations
of user-space addresses in binfmt_elf.c, which have been appropriately
converted to use the corrected BAD_ADDR() macro in the patch you posted
yesterday. Note that the size checks against TASK_SIZE are okay as coded.
The additional changes that I propose are below. These are in the error
paths for bad ELF entry addresses once load_elf_binary() has already
committed to exec'ing the new image (following the tearing down of the
task's original address space).
The 1st hunk deals with the interp-side of the outer "if". There were two
problems here. The printk() should be removed because this path can be
triggered at will by a bogus interpreter image created and used by a
malicious user. Further, the error code should not be ENOEXEC, because that
causes the loop in search_binary_handler() to continue trying other exec
handlers (twice, in fact). But it's too late for this to work correctly,
because the user address space has already been torn down, and an exec()
failure cannot be returned to the user code because the code no longer
exists. The only recovery is to force a SIGSEGV, but it's best to terminate
the search loop immediately. I somewhat arbitrarily chose EINVAL as a
fallback error code, but any error returned by load_elf_interp() will
override that (but this value will never be seen by user-space).
The 2nd hunk deals with the non-interp-side of the outer "if". There were
two problems here as well. The SIGSEGV needs to be forced, because a prior
sigaction() syscall might have set the associated disposition to SIG_IGN.
And the ENOEXEC should be changed to EINVAL as described above.
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Ernie Petrides <petrides@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-07-03 01:24:14 -06:00
|
|
|
retval = IS_ERR((void *)elf_entry) ?
|
|
|
|
|
(int)elf_entry : -EINVAL;
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
}
|
|
|
|
|
reloc_func_desc = interp_load_addr;
|
|
|
|
|
|
|
|
|
|
allow_write_access(interpreter);
|
|
|
|
|
fput(interpreter);
|
|
|
|
|
} else {
|
|
|
|
|
elf_entry = loc->elf_ex.e_entry;
|
2006-02-25 20:18:28 -07:00
|
|
|
if (BAD_ADDR(elf_entry)) {
|
[PATCH] binfmt_elf: fix checks for bad address
Fix check for bad address; use macro instead of open-coding two checks.
Taken from RHEL4 kernel update.
From: Ernie Petrides <petrides@redhat.com>
For background, the BAD_ADDR() macro should return TRUE if the address is
TASK_SIZE, because that's the lowest address that is *not* valid for
user-space mappings. The macro was correct in binfmt_aout.c but was wrong
for the "equal to" case in binfmt_elf.c. There were two in-line validations
of user-space addresses in binfmt_elf.c, which have been appropriately
converted to use the corrected BAD_ADDR() macro in the patch you posted
yesterday. Note that the size checks against TASK_SIZE are okay as coded.
The additional changes that I propose are below. These are in the error
paths for bad ELF entry addresses once load_elf_binary() has already
committed to exec'ing the new image (following the tearing down of the
task's original address space).
The 1st hunk deals with the interp-side of the outer "if". There were two
problems here. The printk() should be removed because this path can be
triggered at will by a bogus interpreter image created and used by a
malicious user. Further, the error code should not be ENOEXEC, because that
causes the loop in search_binary_handler() to continue trying other exec
handlers (twice, in fact). But it's too late for this to work correctly,
because the user address space has already been torn down, and an exec()
failure cannot be returned to the user code because the code no longer
exists. The only recovery is to force a SIGSEGV, but it's best to terminate
the search loop immediately. I somewhat arbitrarily chose EINVAL as a
fallback error code, but any error returned by load_elf_interp() will
override that (but this value will never be seen by user-space).
The 2nd hunk deals with the non-interp-side of the outer "if". There were
two problems here as well. The SIGSEGV needs to be forced, because a prior
sigaction() syscall might have set the associated disposition to SIG_IGN.
And the ENOEXEC should be changed to EINVAL as described above.
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Ernie Petrides <petrides@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-07-03 01:24:14 -06:00
|
|
|
retval = -EINVAL;
|
2006-02-25 20:18:28 -07:00
|
|
|
goto out_free_dentry;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
binfmt_elf: allow arch code to examine PT_LOPROC ... PT_HIPROC headers
MIPS is introducing new variants of its O32 ABI which differ in their
handling of floating point, in order to enable a gradual transition
towards a world where mips32 binaries can take advantage of new hardware
features only available when configured for certain FP modes. In order
to do this ELF binaries are being augmented with a new section that
indicates, amongst other things, the FP mode requirements of the binary.
The presence & location of such a section is indicated by a program
header in the PT_LOPROC ... PT_HIPROC range.
In order to allow the MIPS architecture code to examine the program
header & section in question, pass all program headers in this range
to an architecture-specific arch_elf_pt_proc function. This function
may return an error if the header is deemed invalid or unsuitable for
the system, in which case that error will be returned from
load_elf_binary and upwards through the execve syscall.
A means is required for the architecture code to make a decision once
it is known that all such headers have been seen, but before it is too
late to return from an execve syscall. For this purpose the
arch_check_elf function is added, and called once, after all PT_LOPROC
to PT_HIPROC headers have been passed to arch_elf_pt_proc but before
the code which invoked execve has been lost. This enables the
architecture code to make a decision based upon all the headers present
in an ELF binary and its interpreter, as is required to forbid
conflicting FP ABI requirements between an ELF & its interpreter.
In order to allow data to be stored throughout the calls to the above
functions, struct arch_elf_state is introduced.
Finally a variant of the SET_PERSONALITY macro is introduced which
accepts a pointer to the struct arch_elf_state, allowing it to act
based upon state observed from the architecture specific program
headers.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7679/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-09-11 01:30:16 -06:00
|
|
|
kfree(interp_elf_phdata);
|
2005-04-16 16:20:36 -06:00
|
|
|
kfree(elf_phdata);
|
|
|
|
|
|
|
|
|
|
set_binfmt(&elf_format);
|
|
|
|
|
|
2005-04-16 16:24:35 -06:00
|
|
|
#ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
|
2019-05-14 16:43:39 -06:00
|
|
|
retval = arch_setup_additional_pages(bprm, !!interpreter);
|
2014-05-04 18:11:36 -06:00
|
|
|
if (retval < 0)
|
2005-04-28 16:17:19 -06:00
|
|
|
goto out;
|
2005-04-16 16:24:35 -06:00
|
|
|
#endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
|
|
|
|
|
|
2007-07-19 02:48:16 -06:00
|
|
|
retval = create_elf_tables(bprm, &loc->elf_ex,
|
2006-06-23 03:05:35 -06:00
|
|
|
load_addr, interp_load_addr);
|
2014-05-04 18:11:36 -06:00
|
|
|
if (retval < 0)
|
2007-07-19 02:48:16 -06:00
|
|
|
goto out;
|
2005-04-16 16:20:36 -06:00
|
|
|
current->mm->end_code = end_code;
|
|
|
|
|
current->mm->start_code = start_code;
|
|
|
|
|
current->mm->start_data = start_data;
|
|
|
|
|
current->mm->end_data = end_data;
|
|
|
|
|
current->mm->start_stack = bprm->p;
|
|
|
|
|
|
2011-04-14 16:22:09 -06:00
|
|
|
if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
|
2019-05-14 16:43:57 -06:00
|
|
|
/*
|
|
|
|
|
* For architectures with ELF randomization, when executing
|
|
|
|
|
* a loader directly (i.e. no interpreter listed in ELF
|
|
|
|
|
* headers), move the brk area out of the mmap region
|
|
|
|
|
* (since it grows up, and may collide early with the stack
|
|
|
|
|
* growing down), and into the unused ELF_ET_DYN_BASE region.
|
|
|
|
|
*/
|
2019-09-26 11:15:25 -06:00
|
|
|
if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
|
|
|
|
|
loc->elf_ex.e_type == ET_DYN && !interpreter)
|
2019-05-14 16:43:57 -06:00
|
|
|
current->mm->brk = current->mm->start_brk =
|
|
|
|
|
ELF_ET_DYN_BASE;
|
|
|
|
|
|
2008-01-30 05:30:40 -07:00
|
|
|
current->mm->brk = current->mm->start_brk =
|
|
|
|
|
arch_randomize_brk(current->mm);
|
2015-04-14 16:48:12 -06:00
|
|
|
#ifdef compat_brk_randomized
|
2011-04-14 16:22:09 -06:00
|
|
|
current->brk_randomized = 1;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2008-01-30 05:30:40 -07:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
if (current->personality & MMAP_PAGE_ZERO) {
|
|
|
|
|
/* Why this, you ask??? Well SVr4 maps page 0 as read-only,
|
|
|
|
|
and some applications "depend" upon this behavior.
|
|
|
|
|
Since we do not have the power to recompile these, we
|
2006-06-23 03:05:35 -06:00
|
|
|
emulate the SVr4 behavior. Sigh. */
|
2012-04-20 18:13:58 -06:00
|
|
|
error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
|
2005-04-16 16:20:36 -06:00
|
|
|
MAP_FIXED | MAP_PRIVATE, 0);
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-14 16:43:54 -06:00
|
|
|
regs = current_pt_regs();
|
2005-04-16 16:20:36 -06:00
|
|
|
#ifdef ELF_PLAT_INIT
|
|
|
|
|
/*
|
|
|
|
|
* The ABI may specify that certain registers be set up in special
|
|
|
|
|
* ways (on i386 %edx is the address of a DT_FINI function, for
|
|
|
|
|
* example. In addition, it may also specify (eg, PowerPC64 ELF)
|
|
|
|
|
* that the e_entry field is the address of the function descriptor
|
|
|
|
|
* for the startup routine, rather than the address of the startup
|
|
|
|
|
* routine itself. This macro performs whatever initialization to
|
|
|
|
|
* the regs structure is required as well as any relocations to the
|
|
|
|
|
* function descriptor entries when executing dynamically links apps.
|
|
|
|
|
*/
|
|
|
|
|
ELF_PLAT_INIT(regs, reloc_func_desc);
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-04-10 17:34:57 -06:00
|
|
|
finalize_exec(bprm);
|
2005-04-16 16:20:36 -06:00
|
|
|
start_thread(regs, elf_entry, bprm->p);
|
|
|
|
|
retval = 0;
|
|
|
|
|
out:
|
|
|
|
|
kfree(loc);
|
|
|
|
|
out_ret:
|
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
|
|
/* error cleanup */
|
|
|
|
|
out_free_dentry:
|
2014-09-11 01:30:15 -06:00
|
|
|
kfree(interp_elf_phdata);
|
2005-04-16 16:20:36 -06:00
|
|
|
allow_write_access(interpreter);
|
|
|
|
|
if (interpreter)
|
|
|
|
|
fput(interpreter);
|
|
|
|
|
out_free_ph:
|
|
|
|
|
kfree(elf_phdata);
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-03 15:48:27 -06:00
|
|
|
#ifdef CONFIG_USELIB
|
2005-04-16 16:20:36 -06:00
|
|
|
/* This is really simpleminded and specialized - we are loading an
|
|
|
|
|
a.out library that is given an ELF header. */
|
|
|
|
|
static int load_elf_library(struct file *file)
|
|
|
|
|
{
|
|
|
|
|
struct elf_phdr *elf_phdata;
|
|
|
|
|
struct elf_phdr *eppnt;
|
|
|
|
|
unsigned long elf_bss, bss, len;
|
|
|
|
|
int retval, error, i, j;
|
|
|
|
|
struct elfhdr elf_ex;
|
2017-09-01 09:39:13 -06:00
|
|
|
loff_t pos = 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
error = -ENOEXEC;
|
2017-09-01 09:39:13 -06:00
|
|
|
retval = kernel_read(file, &elf_ex, sizeof(elf_ex), &pos);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (retval != sizeof(elf_ex))
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/* First of all, some simple consistency checks */
|
|
|
|
|
if (elf_ex.e_type != ET_EXEC || elf_ex.e_phnum > 2 ||
|
2013-09-22 14:27:52 -06:00
|
|
|
!elf_check_arch(&elf_ex) || !file->f_op->mmap)
|
2005-04-16 16:20:36 -06:00
|
|
|
goto out;
|
2017-08-16 14:05:13 -06:00
|
|
|
if (elf_check_fdpic(&elf_ex))
|
|
|
|
|
goto out;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* Now read in all of the header information */
|
|
|
|
|
|
|
|
|
|
j = sizeof(struct elf_phdr) * elf_ex.e_phnum;
|
|
|
|
|
/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
|
|
|
|
|
|
|
|
|
|
error = -ENOMEM;
|
|
|
|
|
elf_phdata = kmalloc(j, GFP_KERNEL);
|
|
|
|
|
if (!elf_phdata)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
eppnt = elf_phdata;
|
|
|
|
|
error = -ENOEXEC;
|
2017-09-01 09:39:13 -06:00
|
|
|
pos = elf_ex.e_phoff;
|
|
|
|
|
retval = kernel_read(file, eppnt, j, &pos);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (retval != j)
|
|
|
|
|
goto out_free_ph;
|
|
|
|
|
|
|
|
|
|
for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
|
|
|
|
|
if ((eppnt + i)->p_type == PT_LOAD)
|
|
|
|
|
j++;
|
|
|
|
|
if (j != 1)
|
|
|
|
|
goto out_free_ph;
|
|
|
|
|
|
|
|
|
|
while (eppnt->p_type != PT_LOAD)
|
|
|
|
|
eppnt++;
|
|
|
|
|
|
|
|
|
|
/* Now use mmap to map the library into memory. */
|
2012-04-20 18:13:58 -06:00
|
|
|
error = vm_mmap(file,
|
2005-04-16 16:20:36 -06:00
|
|
|
ELF_PAGESTART(eppnt->p_vaddr),
|
|
|
|
|
(eppnt->p_filesz +
|
|
|
|
|
ELF_PAGEOFFSET(eppnt->p_vaddr)),
|
|
|
|
|
PROT_READ | PROT_WRITE | PROT_EXEC,
|
2018-04-10 17:36:01 -06:00
|
|
|
MAP_FIXED_NOREPLACE | MAP_PRIVATE | MAP_DENYWRITE,
|
2005-04-16 16:20:36 -06:00
|
|
|
(eppnt->p_offset -
|
|
|
|
|
ELF_PAGEOFFSET(eppnt->p_vaddr)));
|
|
|
|
|
if (error != ELF_PAGESTART(eppnt->p_vaddr))
|
|
|
|
|
goto out_free_ph;
|
|
|
|
|
|
|
|
|
|
elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
|
|
|
|
|
if (padzero(elf_bss)) {
|
|
|
|
|
error = -EFAULT;
|
|
|
|
|
goto out_free_ph;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-13 17:59:13 -06:00
|
|
|
len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
|
|
|
|
|
bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
|
2016-05-23 17:25:39 -06:00
|
|
|
if (bss > len) {
|
|
|
|
|
error = vm_brk(len, bss - len);
|
2016-05-27 16:57:31 -06:00
|
|
|
if (error)
|
2016-05-23 17:25:39 -06:00
|
|
|
goto out_free_ph;
|
|
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
error = 0;
|
|
|
|
|
|
|
|
|
|
out_free_ph:
|
|
|
|
|
kfree(elf_phdata);
|
|
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
2014-04-03 15:48:27 -06:00
|
|
|
#endif /* #ifdef CONFIG_USELIB */
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2009-12-15 17:47:37 -07:00
|
|
|
#ifdef CONFIG_ELF_CORE
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
|
* ELF core dumper
|
|
|
|
|
*
|
|
|
|
|
* Modelled on fs/exec.c:aout_core_dump()
|
|
|
|
|
* Jeremy Fitzhardinge <jeremy@sw.oz.au>
|
|
|
|
|
*/
|
|
|
|
|
|
coredump: remove VM_ALWAYSDUMP flag
The motivation for this patchset was that I was looking at a way for a
qemu-kvm process, to exclude the guest memory from its core dump, which
can be quite large. There are already a number of filter flags in
/proc/<pid>/coredump_filter, however, these allow one to specify 'types'
of kernel memory, not specific address ranges (which is needed in this
case).
Since there are no more vma flags available, the first patch eliminates
the need for the 'VM_ALWAYSDUMP' flag. The flag is used internally by
the kernel to mark vdso and vsyscall pages. However, it is simple
enough to check if a vma covers a vdso or vsyscall page without the need
for this flag.
The second patch then replaces the 'VM_ALWAYSDUMP' flag with a new
'VM_NODUMP' flag, which can be set by userspace using new madvise flags:
'MADV_DONTDUMP', and unset via 'MADV_DODUMP'. The core dump filters
continue to work the same as before unless 'MADV_DONTDUMP' is set on the
region.
The qemu code which implements this features is at:
http://people.redhat.com/~jbaron/qemu-dump/qemu-dump.patch
In my testing the qemu core dump shrunk from 383MB -> 13MB with this
patch.
I also believe that the 'MADV_DONTDUMP' flag might be useful for
security sensitive apps, which might want to select which areas are
dumped.
This patch:
The VM_ALWAYSDUMP flag is currently used by the coredump code to
indicate that a vma is part of a vsyscall or vdso section. However, we
can determine if a vma is in one these sections by checking it against
the gate_vma and checking for a non-NULL return value from
arch_vma_name(). Thus, freeing a valuable vma bit.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Avi Kivity <avi@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 16:02:51 -06:00
|
|
|
/*
|
|
|
|
|
* The purpose of always_dump_vma() is to make sure that special kernel mappings
|
|
|
|
|
* that are useful for post-mortem analysis are included in every core dump.
|
|
|
|
|
* In that way we ensure that the core dump is fully interpretable later
|
|
|
|
|
* without matching up the same kernel and hardware config to see what PC values
|
|
|
|
|
* meant. These special mappings include - vDSO, vsyscall, and other
|
|
|
|
|
* architecture specific mappings
|
|
|
|
|
*/
|
|
|
|
|
static bool always_dump_vma(struct vm_area_struct *vma)
|
|
|
|
|
{
|
|
|
|
|
/* Any vsyscall mappings? */
|
|
|
|
|
if (vma == get_gate_vma(vma->vm_mm))
|
|
|
|
|
return true;
|
2014-05-19 16:58:32 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Assume that all vmas with a .name op should always be dumped.
|
|
|
|
|
* If this changes, a new vm_ops field can easily be added.
|
|
|
|
|
*/
|
|
|
|
|
if (vma->vm_ops && vma->vm_ops->name && vma->vm_ops->name(vma))
|
|
|
|
|
return true;
|
|
|
|
|
|
coredump: remove VM_ALWAYSDUMP flag
The motivation for this patchset was that I was looking at a way for a
qemu-kvm process, to exclude the guest memory from its core dump, which
can be quite large. There are already a number of filter flags in
/proc/<pid>/coredump_filter, however, these allow one to specify 'types'
of kernel memory, not specific address ranges (which is needed in this
case).
Since there are no more vma flags available, the first patch eliminates
the need for the 'VM_ALWAYSDUMP' flag. The flag is used internally by
the kernel to mark vdso and vsyscall pages. However, it is simple
enough to check if a vma covers a vdso or vsyscall page without the need
for this flag.
The second patch then replaces the 'VM_ALWAYSDUMP' flag with a new
'VM_NODUMP' flag, which can be set by userspace using new madvise flags:
'MADV_DONTDUMP', and unset via 'MADV_DODUMP'. The core dump filters
continue to work the same as before unless 'MADV_DONTDUMP' is set on the
region.
The qemu code which implements this features is at:
http://people.redhat.com/~jbaron/qemu-dump/qemu-dump.patch
In my testing the qemu core dump shrunk from 383MB -> 13MB with this
patch.
I also believe that the 'MADV_DONTDUMP' flag might be useful for
security sensitive apps, which might want to select which areas are
dumped.
This patch:
The VM_ALWAYSDUMP flag is currently used by the coredump code to
indicate that a vma is part of a vsyscall or vdso section. However, we
can determine if a vma is in one these sections by checking it against
the gate_vma and checking for a non-NULL return value from
arch_vma_name(). Thus, freeing a valuable vma bit.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Avi Kivity <avi@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 16:02:51 -06:00
|
|
|
/*
|
|
|
|
|
* arch_vma_name() returns non-NULL for special architecture mappings,
|
|
|
|
|
* such as vDSO sections.
|
|
|
|
|
*/
|
|
|
|
|
if (arch_vma_name(vma))
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
2007-10-17 00:27:02 -06:00
|
|
|
* Decide what to dump of a segment, part, all or none.
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
2007-10-17 00:27:02 -06:00
|
|
|
static unsigned long vma_dump_size(struct vm_area_struct *vma,
|
|
|
|
|
unsigned long mm_flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
coredump_filter: add hugepage dumping
Presently hugepage's vma has a VM_RESERVED flag in order not to be
swapped. But a VM_RESERVED vma isn't core dumped because this flag is
often used for some kernel vmas (e.g. vmalloc, sound related).
Thus hugepages are never dumped and it can't be debugged easily. Many
developers want hugepages to be included into core-dump.
However, We can't read generic VM_RESERVED area because this area is often
IO mapping area. then these area reading may change device state. it is
definitly undesiable side-effect.
So adding a hugepage specific bit to the coredump filter is better. It
will be able to hugepage core dumping and doesn't cause any side-effect to
any i/o devices.
In additional, libhugetlb use hugetlb private mapping pages as anonymous
page. Then, hugepage private mapping pages should be core dumped by
default.
Then, /proc/[pid]/core_dump_filter has two new bits.
- bit 5 mean hugetlb private mapping pages are dumped or not. (default: yes)
- bit 6 mean hugetlb shared mapping pages are dumped or not. (default: no)
I tested by following method.
% ulimit -c unlimited
% ./crash_hugepage 50
% ./crash_hugepage 50 -p
% ls -lh
% gdb ./crash_hugepage core
%
% echo 0x43 > /proc/self/coredump_filter
% ./crash_hugepage 50
% ./crash_hugepage 50 -p
% ls -lh
% gdb ./crash_hugepage core
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
#include "hugetlbfs.h"
int main(int argc, char** argv){
char* p;
int ch;
int mmap_flags = MAP_SHARED;
int fd;
int nr_pages;
while((ch = getopt(argc, argv, "p")) != -1) {
switch (ch) {
case 'p':
mmap_flags &= ~MAP_SHARED;
mmap_flags |= MAP_PRIVATE;
break;
default:
/* nothing*/
break;
}
}
argc -= optind;
argv += optind;
if (argc == 0){
printf("need # of pages\n");
exit(1);
}
nr_pages = atoi(argv[0]);
if (nr_pages < 2) {
printf("nr_pages must >2\n");
exit(1);
}
fd = hugetlbfs_unlinked_fd();
p = mmap(NULL, nr_pages * gethugepagesize(),
PROT_READ|PROT_WRITE, mmap_flags, fd, 0);
sleep(2);
*(p + gethugepagesize()) = 1; /* COW */
sleep(2);
/* crash! */
*(int*)0 = 1;
return 0;
}
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reviewed-by: Kawai Hidehiro <hidehiro.kawai.ez@hitachi.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: William Irwin <wli@holomorphy.com>
Cc: Adam Litke <agl@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-10-18 21:27:08 -06:00
|
|
|
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
|
|
|
|
|
|
coredump: remove VM_ALWAYSDUMP flag
The motivation for this patchset was that I was looking at a way for a
qemu-kvm process, to exclude the guest memory from its core dump, which
can be quite large. There are already a number of filter flags in
/proc/<pid>/coredump_filter, however, these allow one to specify 'types'
of kernel memory, not specific address ranges (which is needed in this
case).
Since there are no more vma flags available, the first patch eliminates
the need for the 'VM_ALWAYSDUMP' flag. The flag is used internally by
the kernel to mark vdso and vsyscall pages. However, it is simple
enough to check if a vma covers a vdso or vsyscall page without the need
for this flag.
The second patch then replaces the 'VM_ALWAYSDUMP' flag with a new
'VM_NODUMP' flag, which can be set by userspace using new madvise flags:
'MADV_DONTDUMP', and unset via 'MADV_DODUMP'. The core dump filters
continue to work the same as before unless 'MADV_DONTDUMP' is set on the
region.
The qemu code which implements this features is at:
http://people.redhat.com/~jbaron/qemu-dump/qemu-dump.patch
In my testing the qemu core dump shrunk from 383MB -> 13MB with this
patch.
I also believe that the 'MADV_DONTDUMP' flag might be useful for
security sensitive apps, which might want to select which areas are
dumped.
This patch:
The VM_ALWAYSDUMP flag is currently used by the coredump code to
indicate that a vma is part of a vsyscall or vdso section. However, we
can determine if a vma is in one these sections by checking it against
the gate_vma and checking for a non-NULL return value from
arch_vma_name(). Thus, freeing a valuable vma bit.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Avi Kivity <avi@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 16:02:51 -06:00
|
|
|
/* always dump the vdso and vsyscall sections */
|
|
|
|
|
if (always_dump_vma(vma))
|
2007-10-17 00:27:02 -06:00
|
|
|
goto whole;
|
2007-01-26 01:56:48 -07:00
|
|
|
|
2012-10-08 17:28:59 -06:00
|
|
|
if (vma->vm_flags & VM_DONTDUMP)
|
2012-03-23 16:02:51 -06:00
|
|
|
return 0;
|
|
|
|
|
|
2015-10-05 16:33:36 -06:00
|
|
|
/* support for DAX */
|
|
|
|
|
if (vma_is_dax(vma)) {
|
|
|
|
|
if ((vma->vm_flags & VM_SHARED) && FILTER(DAX_SHARED))
|
|
|
|
|
goto whole;
|
|
|
|
|
if (!(vma->vm_flags & VM_SHARED) && FILTER(DAX_PRIVATE))
|
|
|
|
|
goto whole;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
coredump_filter: add hugepage dumping
Presently hugepage's vma has a VM_RESERVED flag in order not to be
swapped. But a VM_RESERVED vma isn't core dumped because this flag is
often used for some kernel vmas (e.g. vmalloc, sound related).
Thus hugepages are never dumped and it can't be debugged easily. Many
developers want hugepages to be included into core-dump.
However, We can't read generic VM_RESERVED area because this area is often
IO mapping area. then these area reading may change device state. it is
definitly undesiable side-effect.
So adding a hugepage specific bit to the coredump filter is better. It
will be able to hugepage core dumping and doesn't cause any side-effect to
any i/o devices.
In additional, libhugetlb use hugetlb private mapping pages as anonymous
page. Then, hugepage private mapping pages should be core dumped by
default.
Then, /proc/[pid]/core_dump_filter has two new bits.
- bit 5 mean hugetlb private mapping pages are dumped or not. (default: yes)
- bit 6 mean hugetlb shared mapping pages are dumped or not. (default: no)
I tested by following method.
% ulimit -c unlimited
% ./crash_hugepage 50
% ./crash_hugepage 50 -p
% ls -lh
% gdb ./crash_hugepage core
%
% echo 0x43 > /proc/self/coredump_filter
% ./crash_hugepage 50
% ./crash_hugepage 50 -p
% ls -lh
% gdb ./crash_hugepage core
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
#include "hugetlbfs.h"
int main(int argc, char** argv){
char* p;
int ch;
int mmap_flags = MAP_SHARED;
int fd;
int nr_pages;
while((ch = getopt(argc, argv, "p")) != -1) {
switch (ch) {
case 'p':
mmap_flags &= ~MAP_SHARED;
mmap_flags |= MAP_PRIVATE;
break;
default:
/* nothing*/
break;
}
}
argc -= optind;
argv += optind;
if (argc == 0){
printf("need # of pages\n");
exit(1);
}
nr_pages = atoi(argv[0]);
if (nr_pages < 2) {
printf("nr_pages must >2\n");
exit(1);
}
fd = hugetlbfs_unlinked_fd();
p = mmap(NULL, nr_pages * gethugepagesize(),
PROT_READ|PROT_WRITE, mmap_flags, fd, 0);
sleep(2);
*(p + gethugepagesize()) = 1; /* COW */
sleep(2);
/* crash! */
*(int*)0 = 1;
return 0;
}
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reviewed-by: Kawai Hidehiro <hidehiro.kawai.ez@hitachi.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: William Irwin <wli@holomorphy.com>
Cc: Adam Litke <agl@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-10-18 21:27:08 -06:00
|
|
|
/* Hugetlb memory check */
|
|
|
|
|
if (vma->vm_flags & VM_HUGETLB) {
|
|
|
|
|
if ((vma->vm_flags & VM_SHARED) && FILTER(HUGETLB_SHARED))
|
|
|
|
|
goto whole;
|
|
|
|
|
if (!(vma->vm_flags & VM_SHARED) && FILTER(HUGETLB_PRIVATE))
|
|
|
|
|
goto whole;
|
2013-04-17 16:58:28 -06:00
|
|
|
return 0;
|
coredump_filter: add hugepage dumping
Presently hugepage's vma has a VM_RESERVED flag in order not to be
swapped. But a VM_RESERVED vma isn't core dumped because this flag is
often used for some kernel vmas (e.g. vmalloc, sound related).
Thus hugepages are never dumped and it can't be debugged easily. Many
developers want hugepages to be included into core-dump.
However, We can't read generic VM_RESERVED area because this area is often
IO mapping area. then these area reading may change device state. it is
definitly undesiable side-effect.
So adding a hugepage specific bit to the coredump filter is better. It
will be able to hugepage core dumping and doesn't cause any side-effect to
any i/o devices.
In additional, libhugetlb use hugetlb private mapping pages as anonymous
page. Then, hugepage private mapping pages should be core dumped by
default.
Then, /proc/[pid]/core_dump_filter has two new bits.
- bit 5 mean hugetlb private mapping pages are dumped or not. (default: yes)
- bit 6 mean hugetlb shared mapping pages are dumped or not. (default: no)
I tested by following method.
% ulimit -c unlimited
% ./crash_hugepage 50
% ./crash_hugepage 50 -p
% ls -lh
% gdb ./crash_hugepage core
%
% echo 0x43 > /proc/self/coredump_filter
% ./crash_hugepage 50
% ./crash_hugepage 50 -p
% ls -lh
% gdb ./crash_hugepage core
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
#include "hugetlbfs.h"
int main(int argc, char** argv){
char* p;
int ch;
int mmap_flags = MAP_SHARED;
int fd;
int nr_pages;
while((ch = getopt(argc, argv, "p")) != -1) {
switch (ch) {
case 'p':
mmap_flags &= ~MAP_SHARED;
mmap_flags |= MAP_PRIVATE;
break;
default:
/* nothing*/
break;
}
}
argc -= optind;
argv += optind;
if (argc == 0){
printf("need # of pages\n");
exit(1);
}
nr_pages = atoi(argv[0]);
if (nr_pages < 2) {
printf("nr_pages must >2\n");
exit(1);
}
fd = hugetlbfs_unlinked_fd();
p = mmap(NULL, nr_pages * gethugepagesize(),
PROT_READ|PROT_WRITE, mmap_flags, fd, 0);
sleep(2);
*(p + gethugepagesize()) = 1; /* COW */
sleep(2);
/* crash! */
*(int*)0 = 1;
return 0;
}
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reviewed-by: Kawai Hidehiro <hidehiro.kawai.ez@hitachi.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: William Irwin <wli@holomorphy.com>
Cc: Adam Litke <agl@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-10-18 21:27:08 -06:00
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Do not dump I/O mapped devices or special mappings */
|
mm: kill vma flag VM_RESERVED and mm->reserved_vm counter
A long time ago, in v2.4, VM_RESERVED kept swapout process off VMA,
currently it lost original meaning but still has some effects:
| effect | alternative flags
-+------------------------+---------------------------------------------
1| account as reserved_vm | VM_IO
2| skip in core dump | VM_IO, VM_DONTDUMP
3| do not merge or expand | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
4| do not mlock | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
This patch removes reserved_vm counter from mm_struct. Seems like nobody
cares about it, it does not exported into userspace directly, it only
reduces total_vm showed in proc.
Thus VM_RESERVED can be replaced with VM_IO or pair VM_DONTEXPAND | VM_DONTDUMP.
remap_pfn_range() and io_remap_pfn_range() set VM_IO|VM_DONTEXPAND|VM_DONTDUMP.
remap_vmalloc_range() set VM_DONTEXPAND | VM_DONTDUMP.
[akpm@linux-foundation.org: drivers/vfio/pci/vfio_pci.c fixup]
Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Carsten Otte <cotte@de.ibm.com>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Eric Paris <eparis@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Jason Baron <jbaron@redhat.com>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: Nick Piggin <npiggin@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Robert Richter <robert.richter@amd.com>
Cc: Suresh Siddha <suresh.b.siddha@intel.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Venkatesh Pallipadi <venki@google.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-10-08 17:29:02 -06:00
|
|
|
if (vma->vm_flags & VM_IO)
|
2005-04-16 16:20:36 -06:00
|
|
|
return 0;
|
|
|
|
|
|
2007-07-19 02:48:29 -06:00
|
|
|
/* By default, dump shared memory if mapped from an anonymous file. */
|
|
|
|
|
if (vma->vm_flags & VM_SHARED) {
|
2013-01-23 15:07:38 -07:00
|
|
|
if (file_inode(vma->vm_file)->i_nlink == 0 ?
|
2007-10-17 00:27:02 -06:00
|
|
|
FILTER(ANON_SHARED) : FILTER(MAPPED_SHARED))
|
|
|
|
|
goto whole;
|
|
|
|
|
return 0;
|
2007-07-19 02:48:29 -06:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2007-10-17 00:27:02 -06:00
|
|
|
/* Dump segments that have been written to. */
|
|
|
|
|
if (vma->anon_vma && FILTER(ANON_PRIVATE))
|
|
|
|
|
goto whole;
|
|
|
|
|
if (vma->vm_file == NULL)
|
|
|
|
|
return 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2007-10-17 00:27:02 -06:00
|
|
|
if (FILTER(MAPPED_PRIVATE))
|
|
|
|
|
goto whole;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If this looks like the beginning of a DSO or executable mapping,
|
|
|
|
|
* check for an ELF header. If we find one, dump the first page to
|
|
|
|
|
* aid in determining what was mapped here.
|
|
|
|
|
*/
|
2009-02-06 18:34:07 -07:00
|
|
|
if (FILTER(ELF_HEADERS) &&
|
|
|
|
|
vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) {
|
2007-10-17 00:27:02 -06:00
|
|
|
u32 __user *header = (u32 __user *) vma->vm_start;
|
|
|
|
|
u32 word;
|
2009-02-06 18:34:07 -07:00
|
|
|
mm_segment_t fs = get_fs();
|
2007-10-17 00:27:02 -06:00
|
|
|
/*
|
|
|
|
|
* Doing it this way gets the constant folded by GCC.
|
|
|
|
|
*/
|
|
|
|
|
union {
|
|
|
|
|
u32 cmp;
|
|
|
|
|
char elfmag[SELFMAG];
|
|
|
|
|
} magic;
|
|
|
|
|
BUILD_BUG_ON(SELFMAG != sizeof word);
|
|
|
|
|
magic.elfmag[EI_MAG0] = ELFMAG0;
|
|
|
|
|
magic.elfmag[EI_MAG1] = ELFMAG1;
|
|
|
|
|
magic.elfmag[EI_MAG2] = ELFMAG2;
|
|
|
|
|
magic.elfmag[EI_MAG3] = ELFMAG3;
|
2009-02-06 18:34:07 -07:00
|
|
|
/*
|
|
|
|
|
* Switch to the user "segment" for get_user(),
|
|
|
|
|
* then put back what elf_core_dump() had in place.
|
|
|
|
|
*/
|
|
|
|
|
set_fs(USER_DS);
|
|
|
|
|
if (unlikely(get_user(word, header)))
|
|
|
|
|
word = 0;
|
|
|
|
|
set_fs(fs);
|
|
|
|
|
if (word == magic.cmp)
|
2007-10-17 00:27:02 -06:00
|
|
|
return PAGE_SIZE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#undef FILTER
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
whole:
|
|
|
|
|
return vma->vm_end - vma->vm_start;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* An ELF note in memory */
|
|
|
|
|
struct memelfnote
|
|
|
|
|
{
|
|
|
|
|
const char *name;
|
|
|
|
|
int type;
|
|
|
|
|
unsigned int datasz;
|
|
|
|
|
void *data;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int notesize(struct memelfnote *en)
|
|
|
|
|
{
|
|
|
|
|
int sz;
|
|
|
|
|
|
|
|
|
|
sz = sizeof(struct elf_note);
|
|
|
|
|
sz += roundup(strlen(en->name) + 1, 4);
|
|
|
|
|
sz += roundup(en->datasz, 4);
|
|
|
|
|
|
|
|
|
|
return sz;
|
|
|
|
|
}
|
|
|
|
|
|
2013-10-05 13:32:35 -06:00
|
|
|
static int writenote(struct memelfnote *men, struct coredump_params *cprm)
|
2006-10-01 00:29:28 -06:00
|
|
|
{
|
|
|
|
|
struct elf_note en;
|
2005-04-16 16:20:36 -06:00
|
|
|
en.n_namesz = strlen(men->name) + 1;
|
|
|
|
|
en.n_descsz = men->datasz;
|
|
|
|
|
en.n_type = men->type;
|
|
|
|
|
|
2013-10-05 13:32:35 -06:00
|
|
|
return dump_emit(cprm, &en, sizeof(en)) &&
|
2013-10-08 09:05:01 -06:00
|
|
|
dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
|
|
|
|
|
dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2008-01-30 05:31:44 -07:00
|
|
|
static void fill_elf_header(struct elfhdr *elf, int segs,
|
2013-02-21 17:44:20 -07:00
|
|
|
u16 machine, u32 flags)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2008-04-29 02:01:18 -06:00
|
|
|
memset(elf, 0, sizeof(*elf));
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
memcpy(elf->e_ident, ELFMAG, SELFMAG);
|
|
|
|
|
elf->e_ident[EI_CLASS] = ELF_CLASS;
|
|
|
|
|
elf->e_ident[EI_DATA] = ELF_DATA;
|
|
|
|
|
elf->e_ident[EI_VERSION] = EV_CURRENT;
|
|
|
|
|
elf->e_ident[EI_OSABI] = ELF_OSABI;
|
|
|
|
|
|
|
|
|
|
elf->e_type = ET_CORE;
|
2008-01-30 05:31:44 -07:00
|
|
|
elf->e_machine = machine;
|
2005-04-16 16:20:36 -06:00
|
|
|
elf->e_version = EV_CURRENT;
|
|
|
|
|
elf->e_phoff = sizeof(struct elfhdr);
|
2008-01-30 05:31:44 -07:00
|
|
|
elf->e_flags = flags;
|
2005-04-16 16:20:36 -06:00
|
|
|
elf->e_ehsize = sizeof(struct elfhdr);
|
|
|
|
|
elf->e_phentsize = sizeof(struct elf_phdr);
|
|
|
|
|
elf->e_phnum = segs;
|
|
|
|
|
}
|
|
|
|
|
|
2006-09-26 00:32:04 -06:00
|
|
|
static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
phdr->p_type = PT_NOTE;
|
|
|
|
|
phdr->p_offset = offset;
|
|
|
|
|
phdr->p_vaddr = 0;
|
|
|
|
|
phdr->p_paddr = 0;
|
|
|
|
|
phdr->p_filesz = sz;
|
|
|
|
|
phdr->p_memsz = 0;
|
|
|
|
|
phdr->p_flags = 0;
|
|
|
|
|
phdr->p_align = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void fill_note(struct memelfnote *note, const char *name, int type,
|
|
|
|
|
unsigned int sz, void *data)
|
|
|
|
|
{
|
|
|
|
|
note->name = name;
|
|
|
|
|
note->type = type;
|
|
|
|
|
note->datasz = sz;
|
|
|
|
|
note->data = data;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2006-06-23 03:05:35 -06:00
|
|
|
* fill up all the fields in prstatus from the given task struct, except
|
|
|
|
|
* registers which need to be filled up separately.
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
|
|
|
|
static void fill_prstatus(struct elf_prstatus *prstatus,
|
2006-06-23 03:05:35 -06:00
|
|
|
struct task_struct *p, long signr)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
|
|
|
|
|
prstatus->pr_sigpend = p->pending.signal.sig[0];
|
|
|
|
|
prstatus->pr_sighold = p->blocked.sig[0];
|
2009-06-17 17:27:38 -06:00
|
|
|
rcu_read_lock();
|
|
|
|
|
prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
|
|
|
|
|
rcu_read_unlock();
|
2007-10-19 00:40:14 -06:00
|
|
|
prstatus->pr_pid = task_pid_vnr(p);
|
|
|
|
|
prstatus->pr_pgrp = task_pgrp_vnr(p);
|
|
|
|
|
prstatus->pr_sid = task_session_vnr(p);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (thread_group_leader(p)) {
|
2017-01-30 20:09:27 -07:00
|
|
|
struct task_cputime cputime;
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 10:54:39 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
timers: fix itimer/many thread hang
Overview
This patch reworks the handling of POSIX CPU timers, including the
ITIMER_PROF, ITIMER_VIRT timers and rlimit handling. It was put together
with the help of Roland McGrath, the owner and original writer of this code.
The problem we ran into, and the reason for this rework, has to do with using
a profiling timer in a process with a large number of threads. It appears
that the performance of the old implementation of run_posix_cpu_timers() was
at least O(n*3) (where "n" is the number of threads in a process) or worse.
Everything is fine with an increasing number of threads until the time taken
for that routine to run becomes the same as or greater than the tick time, at
which point things degrade rather quickly.
This patch fixes bug 9906, "Weird hang with NPTL and SIGPROF."
Code Changes
This rework corrects the implementation of run_posix_cpu_timers() to make it
run in constant time for a particular machine. (Performance may vary between
one machine and another depending upon whether the kernel is built as single-
or multiprocessor and, in the latter case, depending upon the number of
running processors.) To do this, at each tick we now update fields in
signal_struct as well as task_struct. The run_posix_cpu_timers() function
uses those fields to make its decisions.
We define a new structure, "task_cputime," to contain user, system and
scheduler times and use these in appropriate places:
struct task_cputime {
cputime_t utime;
cputime_t stime;
unsigned long long sum_exec_runtime;
};
This is included in the structure "thread_group_cputime," which is a new
substructure of signal_struct and which varies for uniprocessor versus
multiprocessor kernels. For uniprocessor kernels, it uses "task_cputime" as
a simple substructure, while for multiprocessor kernels it is a pointer:
struct thread_group_cputime {
struct task_cputime totals;
};
struct thread_group_cputime {
struct task_cputime *totals;
};
We also add a new task_cputime substructure directly to signal_struct, to
cache the earliest expiration of process-wide timers, and task_cputime also
replaces the it_*_expires fields of task_struct (used for earliest expiration
of thread timers). The "thread_group_cputime" structure contains process-wide
timers that are updated via account_user_time() and friends. In the non-SMP
case the structure is a simple aggregator; unfortunately in the SMP case that
simplicity was not achievable due to cache-line contention between CPUs (in
one measured case performance was actually _worse_ on a 16-cpu system than
the same test on a 4-cpu system, due to this contention). For SMP, the
thread_group_cputime counters are maintained as a per-cpu structure allocated
using alloc_percpu(). The timer functions update only the timer field in
the structure corresponding to the running CPU, obtained using per_cpu_ptr().
We define a set of inline functions in sched.h that we use to maintain the
thread_group_cputime structure and hide the differences between UP and SMP
implementations from the rest of the kernel. The thread_group_cputime_init()
function initializes the thread_group_cputime structure for the given task.
The thread_group_cputime_alloc() is a no-op for UP; for SMP it calls the
out-of-line function thread_group_cputime_alloc_smp() to allocate and fill
in the per-cpu structures and fields. The thread_group_cputime_free()
function, also a no-op for UP, in SMP frees the per-cpu structures. The
thread_group_cputime_clone_thread() function (also a UP no-op) for SMP calls
thread_group_cputime_alloc() if the per-cpu structures haven't yet been
allocated. The thread_group_cputime() function fills the task_cputime
structure it is passed with the contents of the thread_group_cputime fields;
in UP it's that simple but in SMP it must also safely check that tsk->signal
is non-NULL (if it is it just uses the appropriate fields of task_struct) and,
if so, sums the per-cpu values for each online CPU. Finally, the three
functions account_group_user_time(), account_group_system_time() and
account_group_exec_runtime() are used by timer functions to update the
respective fields of the thread_group_cputime structure.
Non-SMP operation is trivial and will not be mentioned further.
The per-cpu structure is always allocated when a task creates its first new
thread, via a call to thread_group_cputime_clone_thread() from copy_signal().
It is freed at process exit via a call to thread_group_cputime_free() from
cleanup_signal().
All functions that formerly summed utime/stime/sum_sched_runtime values from
from all threads in the thread group now use thread_group_cputime() to
snapshot the values in the thread_group_cputime structure or the values in
the task structure itself if the per-cpu structure hasn't been allocated.
Finally, the code in kernel/posix-cpu-timers.c has changed quite a bit.
The run_posix_cpu_timers() function has been split into a fast path and a
slow path; the former safely checks whether there are any expired thread
timers and, if not, just returns, while the slow path does the heavy lifting.
With the dedicated thread group fields, timers are no longer "rebalanced" and
the process_timer_rebalance() function and related code has gone away. All
summing loops are gone and all code that used them now uses the
thread_group_cputime() inline. When process-wide timers are set, the new
task_cputime structure in signal_struct is used to cache the earliest
expiration; this is checked in the fast path.
Performance
The fix appears not to add significant overhead to existing operations. It
generally performs the same as the current code except in two cases, one in
which it performs slightly worse (Case 5 below) and one in which it performs
very significantly better (Case 2 below). Overall it's a wash except in those
two cases.
I've since done somewhat more involved testing on a dual-core Opteron system.
Case 1: With no itimer running, for a test with 100,000 threads, the fixed
kernel took 1428.5 seconds, 513 seconds more than the unfixed system,
all of which was spent in the system. There were twice as many
voluntary context switches with the fix as without it.
Case 2: With an itimer running at .01 second ticks and 4000 threads (the most
an unmodified kernel can handle), the fixed kernel ran the test in
eight percent of the time (5.8 seconds as opposed to 70 seconds) and
had better tick accuracy (.012 seconds per tick as opposed to .023
seconds per tick).
Case 3: A 4000-thread test with an initial timer tick of .01 second and an
interval of 10,000 seconds (i.e. a timer that ticks only once) had
very nearly the same performance in both cases: 6.3 seconds elapsed
for the fixed kernel versus 5.5 seconds for the unfixed kernel.
With fewer threads (eight in these tests), the Case 1 test ran in essentially
the same time on both the modified and unmodified kernels (5.2 seconds versus
5.8 seconds). The Case 2 test ran in about the same time as well, 5.9 seconds
versus 5.4 seconds but again with much better tick accuracy, .013 seconds per
tick versus .025 seconds per tick for the unmodified kernel.
Since the fix affected the rlimit code, I also tested soft and hard CPU limits.
Case 4: With a hard CPU limit of 20 seconds and eight threads (and an itimer
running), the modified kernel was very slightly favored in that while
it killed the process in 19.997 seconds of CPU time (5.002 seconds of
wall time), only .003 seconds of that was system time, the rest was
user time. The unmodified kernel killed the process in 20.001 seconds
of CPU (5.014 seconds of wall time) of which .016 seconds was system
time. Really, though, the results were too close to call. The results
were essentially the same with no itimer running.
Case 5: With a soft limit of 20 seconds and a hard limit of 2000 seconds
(where the hard limit would never be reached) and an itimer running,
the modified kernel exhibited worse tick accuracy than the unmodified
kernel: .050 seconds/tick versus .028 seconds/tick. Otherwise,
performance was almost indistinguishable. With no itimer running this
test exhibited virtually identical behavior and times in both cases.
In times past I did some limited performance testing. those results are below.
On a four-cpu Opteron system without this fix, a sixteen-thread test executed
in 3569.991 seconds, of which user was 3568.435s and system was 1.556s. On
the same system with the fix, user and elapsed time were about the same, but
system time dropped to 0.007 seconds. Performance with eight, four and one
thread were comparable. Interestingly, the timer ticks with the fix seemed
more accurate: The sixteen-thread test with the fix received 149543 ticks
for 0.024 seconds per tick, while the same test without the fix received 58720
for 0.061 seconds per tick. Both cases were configured for an interval of
0.01 seconds. Again, the other tests were comparable. Each thread in this
test computed the primes up to 25,000,000.
I also did a test with a large number of threads, 100,000 threads, which is
impossible without the fix. In this case each thread computed the primes only
up to 10,000 (to make the runtime manageable). System time dominated, at
1546.968 seconds out of a total 2176.906 seconds (giving a user time of
629.938s). It received 147651 ticks for 0.015 seconds per tick, still quite
accurate. There is obviously no comparable test without the fix.
Signed-off-by: Frank Mayhar <fmayhar@google.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-09-12 10:54:39 -06:00
|
|
|
* This is the record for the group leader. It shows the
|
|
|
|
|
* group-wide total, not its individual thread total.
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
2017-01-30 20:09:27 -07:00
|
|
|
thread_group_cputime(p, &cputime);
|
|
|
|
|
prstatus->pr_utime = ns_to_timeval(cputime.utime);
|
|
|
|
|
prstatus->pr_stime = ns_to_timeval(cputime.stime);
|
2005-04-16 16:20:36 -06:00
|
|
|
} else {
|
2017-01-30 20:09:27 -07:00
|
|
|
u64 utime, stime;
|
2012-11-13 06:20:55 -07:00
|
|
|
|
2017-01-30 20:09:27 -07:00
|
|
|
task_cputime(p, &utime, &stime);
|
|
|
|
|
prstatus->pr_utime = ns_to_timeval(utime);
|
|
|
|
|
prstatus->pr_stime = ns_to_timeval(stime);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2017-01-30 20:09:23 -07:00
|
|
|
|
2017-01-30 20:09:27 -07:00
|
|
|
prstatus->pr_cutime = ns_to_timeval(p->signal->cutime);
|
|
|
|
|
prstatus->pr_cstime = ns_to_timeval(p->signal->cstime);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
|
|
|
|
|
struct mm_struct *mm)
|
|
|
|
|
{
|
2008-11-13 16:39:19 -07:00
|
|
|
const struct cred *cred;
|
2005-05-11 01:10:44 -06:00
|
|
|
unsigned int i, len;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* first copy the parameters from user space */
|
|
|
|
|
memset(psinfo, 0, sizeof(struct elf_prpsinfo));
|
|
|
|
|
|
|
|
|
|
len = mm->arg_end - mm->arg_start;
|
|
|
|
|
if (len >= ELF_PRARGSZ)
|
|
|
|
|
len = ELF_PRARGSZ-1;
|
|
|
|
|
if (copy_from_user(&psinfo->pr_psargs,
|
|
|
|
|
(const char __user *)mm->arg_start, len))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
for(i = 0; i < len; i++)
|
|
|
|
|
if (psinfo->pr_psargs[i] == 0)
|
|
|
|
|
psinfo->pr_psargs[i] = ' ';
|
|
|
|
|
psinfo->pr_psargs[len] = 0;
|
|
|
|
|
|
2009-06-17 17:27:38 -06:00
|
|
|
rcu_read_lock();
|
|
|
|
|
psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
|
|
|
|
|
rcu_read_unlock();
|
2007-10-19 00:40:14 -06:00
|
|
|
psinfo->pr_pid = task_pid_vnr(p);
|
|
|
|
|
psinfo->pr_pgrp = task_pgrp_vnr(p);
|
|
|
|
|
psinfo->pr_sid = task_session_vnr(p);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
i = p->state ? ffz(~p->state) + 1 : 0;
|
|
|
|
|
psinfo->pr_state = i;
|
2006-03-25 04:08:22 -07:00
|
|
|
psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
|
2005-04-16 16:20:36 -06:00
|
|
|
psinfo->pr_zomb = psinfo->pr_sname == 'Z';
|
|
|
|
|
psinfo->pr_nice = task_nice(p);
|
|
|
|
|
psinfo->pr_flag = p->flags;
|
2008-11-13 16:39:19 -07:00
|
|
|
rcu_read_lock();
|
|
|
|
|
cred = __task_cred(p);
|
2012-02-07 19:36:10 -07:00
|
|
|
SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
|
|
|
|
|
SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
|
2008-11-13 16:39:19 -07:00
|
|
|
rcu_read_unlock();
|
2005-04-16 16:20:36 -06:00
|
|
|
strncpy(psinfo->pr_fname, p->comm, sizeof(psinfo->pr_fname));
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2008-01-30 05:31:44 -07:00
|
|
|
static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
|
|
|
|
|
{
|
|
|
|
|
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
|
|
|
|
|
int i = 0;
|
|
|
|
|
do
|
|
|
|
|
i += 2;
|
|
|
|
|
while (auxv[i - 2] != AT_NULL);
|
|
|
|
|
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-04 18:15:35 -06:00
|
|
|
static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
|
2018-09-25 03:27:20 -06:00
|
|
|
const kernel_siginfo_t *siginfo)
|
2012-10-04 18:15:35 -06:00
|
|
|
{
|
|
|
|
|
mm_segment_t old_fs = get_fs();
|
|
|
|
|
set_fs(KERNEL_DS);
|
|
|
|
|
copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo);
|
|
|
|
|
set_fs(old_fs);
|
|
|
|
|
fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-04 18:15:36 -06:00
|
|
|
#define MAX_FILE_NOTE_SIZE (4*1024*1024)
|
|
|
|
|
/*
|
|
|
|
|
* Format of NT_FILE note:
|
|
|
|
|
*
|
|
|
|
|
* long count -- how many files are mapped
|
|
|
|
|
* long page_size -- units for file_ofs
|
|
|
|
|
* array of [COUNT] elements of
|
|
|
|
|
* long start
|
|
|
|
|
* long end
|
|
|
|
|
* long file_ofs
|
|
|
|
|
* followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
|
|
|
|
|
*/
|
2013-09-30 14:45:02 -06:00
|
|
|
static int fill_files_note(struct memelfnote *note)
|
2012-10-04 18:15:36 -06:00
|
|
|
{
|
|
|
|
|
struct vm_area_struct *vma;
|
|
|
|
|
unsigned count, size, names_ofs, remaining, n;
|
|
|
|
|
user_long_t *data;
|
|
|
|
|
user_long_t *start_end_ofs;
|
|
|
|
|
char *name_base, *name_curpos;
|
|
|
|
|
|
|
|
|
|
/* *Estimated* file count and total data size needed */
|
|
|
|
|
count = current->mm->map_count;
|
2018-02-06 16:39:13 -07:00
|
|
|
if (count > UINT_MAX / 64)
|
|
|
|
|
return -EINVAL;
|
2012-10-04 18:15:36 -06:00
|
|
|
size = count * 64;
|
|
|
|
|
|
|
|
|
|
names_ofs = (2 + 3 * count) * sizeof(data[0]);
|
|
|
|
|
alloc:
|
|
|
|
|
if (size >= MAX_FILE_NOTE_SIZE) /* paranoia check */
|
2013-09-30 14:45:02 -06:00
|
|
|
return -EINVAL;
|
2012-10-04 18:15:36 -06:00
|
|
|
size = round_up(size, PAGE_SIZE);
|
2018-06-14 16:27:24 -06:00
|
|
|
data = kvmalloc(size, GFP_KERNEL);
|
|
|
|
|
if (ZERO_OR_NULL_PTR(data))
|
2013-09-30 14:45:02 -06:00
|
|
|
return -ENOMEM;
|
2012-10-04 18:15:36 -06:00
|
|
|
|
|
|
|
|
start_end_ofs = data + 2;
|
|
|
|
|
name_base = name_curpos = ((char *)data) + names_ofs;
|
|
|
|
|
remaining = size - names_ofs;
|
|
|
|
|
count = 0;
|
|
|
|
|
for (vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
|
|
|
|
|
struct file *file;
|
|
|
|
|
const char *filename;
|
|
|
|
|
|
|
|
|
|
file = vma->vm_file;
|
|
|
|
|
if (!file)
|
|
|
|
|
continue;
|
2015-06-19 02:29:13 -06:00
|
|
|
filename = file_path(file, name_curpos, remaining);
|
2012-10-04 18:15:36 -06:00
|
|
|
if (IS_ERR(filename)) {
|
|
|
|
|
if (PTR_ERR(filename) == -ENAMETOOLONG) {
|
2018-06-14 16:27:24 -06:00
|
|
|
kvfree(data);
|
2012-10-04 18:15:36 -06:00
|
|
|
size = size * 5 / 4;
|
|
|
|
|
goto alloc;
|
|
|
|
|
}
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-19 02:29:13 -06:00
|
|
|
/* file_path() fills at the end, move name down */
|
2012-10-04 18:15:36 -06:00
|
|
|
/* n = strlen(filename) + 1: */
|
|
|
|
|
n = (name_curpos + remaining) - filename;
|
|
|
|
|
remaining = filename - name_curpos;
|
|
|
|
|
memmove(name_curpos, filename, n);
|
|
|
|
|
name_curpos += n;
|
|
|
|
|
|
|
|
|
|
*start_end_ofs++ = vma->vm_start;
|
|
|
|
|
*start_end_ofs++ = vma->vm_end;
|
|
|
|
|
*start_end_ofs++ = vma->vm_pgoff;
|
|
|
|
|
count++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now we know exact count of files, can store it */
|
|
|
|
|
data[0] = count;
|
|
|
|
|
data[1] = PAGE_SIZE;
|
|
|
|
|
/*
|
|
|
|
|
* Count usually is less than current->mm->map_count,
|
|
|
|
|
* we need to move filenames down.
|
|
|
|
|
*/
|
|
|
|
|
n = current->mm->map_count - count;
|
|
|
|
|
if (n != 0) {
|
|
|
|
|
unsigned shift_bytes = n * 3 * sizeof(data[0]);
|
|
|
|
|
memmove(name_base - shift_bytes, name_base,
|
|
|
|
|
name_curpos - name_base);
|
|
|
|
|
name_curpos -= shift_bytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
size = name_curpos - (char *)data;
|
|
|
|
|
fill_note(note, "CORE", NT_FILE, size, data);
|
2013-09-30 14:45:02 -06:00
|
|
|
return 0;
|
2012-10-04 18:15:36 -06:00
|
|
|
}
|
|
|
|
|
|
2008-01-30 05:31:45 -07:00
|
|
|
#ifdef CORE_DUMP_USE_REGSET
|
|
|
|
|
#include <linux/regset.h>
|
|
|
|
|
|
|
|
|
|
struct elf_thread_core_info {
|
|
|
|
|
struct elf_thread_core_info *next;
|
|
|
|
|
struct task_struct *task;
|
|
|
|
|
struct elf_prstatus prstatus;
|
|
|
|
|
struct memelfnote notes[0];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct elf_note_info {
|
|
|
|
|
struct elf_thread_core_info *thread;
|
|
|
|
|
struct memelfnote psinfo;
|
2012-10-04 18:15:35 -06:00
|
|
|
struct memelfnote signote;
|
2008-01-30 05:31:45 -07:00
|
|
|
struct memelfnote auxv;
|
2012-10-04 18:15:36 -06:00
|
|
|
struct memelfnote files;
|
2012-10-04 18:15:35 -06:00
|
|
|
user_siginfo_t csigdata;
|
2008-01-30 05:31:45 -07:00
|
|
|
size_t size;
|
|
|
|
|
int thread_notes;
|
|
|
|
|
};
|
|
|
|
|
|
2008-03-04 15:28:30 -07:00
|
|
|
/*
|
|
|
|
|
* When a regset has a writeback hook, we call it on each thread before
|
|
|
|
|
* dumping user memory. On register window machines, this makes sure the
|
|
|
|
|
* user memory backing the register data is up to date before we read it.
|
|
|
|
|
*/
|
|
|
|
|
static void do_thread_regset_writeback(struct task_struct *task,
|
|
|
|
|
const struct user_regset *regset)
|
|
|
|
|
{
|
|
|
|
|
if (regset->writeback)
|
|
|
|
|
regset->writeback(task, regset, 1);
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-14 14:34:52 -07:00
|
|
|
#ifndef PRSTATUS_SIZE
|
2016-09-05 07:33:06 -06:00
|
|
|
#define PRSTATUS_SIZE(S, R) sizeof(S)
|
2012-02-14 14:34:52 -07:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifndef SET_PR_FPVALID
|
2016-09-05 07:33:06 -06:00
|
|
|
#define SET_PR_FPVALID(S, V, R) ((S)->pr_fpvalid = (V))
|
2012-02-14 14:34:52 -07:00
|
|
|
#endif
|
|
|
|
|
|
2008-01-30 05:31:45 -07:00
|
|
|
static int fill_thread_core_info(struct elf_thread_core_info *t,
|
|
|
|
|
const struct user_regset_view *view,
|
|
|
|
|
long signr, size_t *total)
|
|
|
|
|
{
|
|
|
|
|
unsigned int i;
|
2017-10-31 09:50:53 -06:00
|
|
|
unsigned int regset0_size = regset_size(t->task, &view->regsets[0]);
|
2008-01-30 05:31:45 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* NT_PRSTATUS is the one special case, because the regset data
|
|
|
|
|
* goes into the pr_reg field inside the note contents, rather
|
|
|
|
|
* than being the whole note contents. We fill the reset in here.
|
|
|
|
|
* We assume that regset 0 is NT_PRSTATUS.
|
|
|
|
|
*/
|
|
|
|
|
fill_prstatus(&t->prstatus, t->task, signr);
|
2017-10-31 09:50:53 -06:00
|
|
|
(void) view->regsets[0].get(t->task, &view->regsets[0], 0, regset0_size,
|
2016-09-05 07:33:06 -06:00
|
|
|
&t->prstatus.pr_reg, NULL);
|
2008-01-30 05:31:45 -07:00
|
|
|
|
|
|
|
|
fill_note(&t->notes[0], "CORE", NT_PRSTATUS,
|
2017-10-31 09:50:53 -06:00
|
|
|
PRSTATUS_SIZE(t->prstatus, regset0_size), &t->prstatus);
|
2008-01-30 05:31:45 -07:00
|
|
|
*total += notesize(&t->notes[0]);
|
|
|
|
|
|
2008-03-04 15:28:30 -07:00
|
|
|
do_thread_regset_writeback(t->task, &view->regsets[0]);
|
|
|
|
|
|
2008-01-30 05:31:45 -07:00
|
|
|
/*
|
|
|
|
|
* Each other regset might generate a note too. For each regset
|
|
|
|
|
* that has no core_note_type or is inactive, we leave t->notes[i]
|
|
|
|
|
* all zero and we'll know to skip writing it later.
|
|
|
|
|
*/
|
|
|
|
|
for (i = 1; i < view->n; ++i) {
|
|
|
|
|
const struct user_regset *regset = &view->regsets[i];
|
2008-03-04 15:28:30 -07:00
|
|
|
do_thread_regset_writeback(t->task, regset);
|
2012-03-02 11:43:48 -07:00
|
|
|
if (regset->core_note_type && regset->get &&
|
2018-05-15 16:32:45 -06:00
|
|
|
(!regset->active || regset->active(t->task, regset) > 0)) {
|
2008-01-30 05:31:45 -07:00
|
|
|
int ret;
|
2017-10-31 09:50:53 -06:00
|
|
|
size_t size = regset_size(t->task, regset);
|
2020-05-27 23:20:52 -06:00
|
|
|
void *data = kzalloc(size, GFP_KERNEL);
|
2008-01-30 05:31:45 -07:00
|
|
|
if (unlikely(!data))
|
|
|
|
|
return 0;
|
|
|
|
|
ret = regset->get(t->task, regset,
|
|
|
|
|
0, size, data, NULL);
|
|
|
|
|
if (unlikely(ret))
|
|
|
|
|
kfree(data);
|
|
|
|
|
else {
|
|
|
|
|
if (regset->core_note_type != NT_PRFPREG)
|
|
|
|
|
fill_note(&t->notes[i], "LINUX",
|
|
|
|
|
regset->core_note_type,
|
|
|
|
|
size, data);
|
|
|
|
|
else {
|
2016-09-05 07:33:06 -06:00
|
|
|
SET_PR_FPVALID(&t->prstatus,
|
2017-10-31 09:50:53 -06:00
|
|
|
1, regset0_size);
|
2008-01-30 05:31:45 -07:00
|
|
|
fill_note(&t->notes[i], "CORE",
|
|
|
|
|
NT_PRFPREG, size, data);
|
|
|
|
|
}
|
|
|
|
|
*total += notesize(&t->notes[i]);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int fill_note_info(struct elfhdr *elf, int phdrs,
|
|
|
|
|
struct elf_note_info *info,
|
2018-09-25 03:27:20 -06:00
|
|
|
const kernel_siginfo_t *siginfo, struct pt_regs *regs)
|
2008-01-30 05:31:45 -07:00
|
|
|
{
|
|
|
|
|
struct task_struct *dump_task = current;
|
|
|
|
|
const struct user_regset_view *view = task_user_regset_view(dump_task);
|
|
|
|
|
struct elf_thread_core_info *t;
|
|
|
|
|
struct elf_prpsinfo *psinfo;
|
2008-07-25 02:47:45 -06:00
|
|
|
struct core_thread *ct;
|
2008-01-30 05:31:45 -07:00
|
|
|
unsigned int i;
|
|
|
|
|
|
|
|
|
|
info->size = 0;
|
|
|
|
|
info->thread = NULL;
|
|
|
|
|
|
|
|
|
|
psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
|
2012-12-17 17:02:09 -07:00
|
|
|
if (psinfo == NULL) {
|
|
|
|
|
info->psinfo.data = NULL; /* So we don't free this wrongly */
|
2008-01-30 05:31:45 -07:00
|
|
|
return 0;
|
2012-12-17 17:02:09 -07:00
|
|
|
}
|
2008-01-30 05:31:45 -07:00
|
|
|
|
2009-06-30 23:06:26 -06:00
|
|
|
fill_note(&info->psinfo, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
|
|
|
|
|
|
2008-01-30 05:31:45 -07:00
|
|
|
/*
|
|
|
|
|
* Figure out how many notes we're going to need for each thread.
|
|
|
|
|
*/
|
|
|
|
|
info->thread_notes = 0;
|
|
|
|
|
for (i = 0; i < view->n; ++i)
|
|
|
|
|
if (view->regsets[i].core_note_type != 0)
|
|
|
|
|
++info->thread_notes;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Sanity check. We rely on regset 0 being in NT_PRSTATUS,
|
|
|
|
|
* since it is our one special case.
|
|
|
|
|
*/
|
|
|
|
|
if (unlikely(info->thread_notes == 0) ||
|
|
|
|
|
unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
|
|
|
|
|
WARN_ON(1);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Initialize the ELF file header.
|
|
|
|
|
*/
|
|
|
|
|
fill_elf_header(elf, phdrs,
|
2013-02-21 17:44:20 -07:00
|
|
|
view->e_machine, view->e_flags);
|
2008-01-30 05:31:45 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Allocate a structure for each thread.
|
|
|
|
|
*/
|
2008-07-25 02:47:45 -06:00
|
|
|
for (ct = &dump_task->mm->core_state->dumper; ct; ct = ct->next) {
|
|
|
|
|
t = kzalloc(offsetof(struct elf_thread_core_info,
|
|
|
|
|
notes[info->thread_notes]),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (unlikely(!t))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
t->task = ct->task;
|
|
|
|
|
if (ct->task == dump_task || !info->thread) {
|
|
|
|
|
t->next = info->thread;
|
|
|
|
|
info->thread = t;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* Make sure to keep the original task at
|
|
|
|
|
* the head of the list.
|
|
|
|
|
*/
|
|
|
|
|
t->next = info->thread->next;
|
|
|
|
|
info->thread->next = t;
|
2008-01-30 05:31:45 -07:00
|
|
|
}
|
2008-07-25 02:47:45 -06:00
|
|
|
}
|
2008-01-30 05:31:45 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now fill in each thread's information.
|
|
|
|
|
*/
|
|
|
|
|
for (t = info->thread; t != NULL; t = t->next)
|
2012-10-04 18:15:29 -06:00
|
|
|
if (!fill_thread_core_info(t, view, siginfo->si_signo, &info->size))
|
2008-01-30 05:31:45 -07:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Fill in the two process-wide notes.
|
|
|
|
|
*/
|
|
|
|
|
fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
|
|
|
|
|
info->size += notesize(&info->psinfo);
|
|
|
|
|
|
2012-10-04 18:15:35 -06:00
|
|
|
fill_siginfo_note(&info->signote, &info->csigdata, siginfo);
|
|
|
|
|
info->size += notesize(&info->signote);
|
|
|
|
|
|
2008-01-30 05:31:45 -07:00
|
|
|
fill_auxv_note(&info->auxv, current->mm);
|
|
|
|
|
info->size += notesize(&info->auxv);
|
|
|
|
|
|
2013-09-30 14:45:02 -06:00
|
|
|
if (fill_files_note(&info->files) == 0)
|
|
|
|
|
info->size += notesize(&info->files);
|
2012-10-04 18:15:36 -06:00
|
|
|
|
2008-01-30 05:31:45 -07:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static size_t get_note_info_size(struct elf_note_info *info)
|
|
|
|
|
{
|
|
|
|
|
return info->size;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Write all the notes for each thread. When writing the first thread, the
|
|
|
|
|
* process-wide notes are interleaved after the first thread-specific note.
|
|
|
|
|
*/
|
|
|
|
|
static int write_note_info(struct elf_note_info *info,
|
2013-10-05 13:32:35 -06:00
|
|
|
struct coredump_params *cprm)
|
2008-01-30 05:31:45 -07:00
|
|
|
{
|
2014-06-04 17:12:14 -06:00
|
|
|
bool first = true;
|
2008-01-30 05:31:45 -07:00
|
|
|
struct elf_thread_core_info *t = info->thread;
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
int i;
|
|
|
|
|
|
2013-10-05 13:32:35 -06:00
|
|
|
if (!writenote(&t->notes[0], cprm))
|
2008-01-30 05:31:45 -07:00
|
|
|
return 0;
|
|
|
|
|
|
2013-10-05 13:32:35 -06:00
|
|
|
if (first && !writenote(&info->psinfo, cprm))
|
2008-01-30 05:31:45 -07:00
|
|
|
return 0;
|
2013-10-05 13:32:35 -06:00
|
|
|
if (first && !writenote(&info->signote, cprm))
|
2012-10-04 18:15:35 -06:00
|
|
|
return 0;
|
2013-10-05 13:32:35 -06:00
|
|
|
if (first && !writenote(&info->auxv, cprm))
|
2008-01-30 05:31:45 -07:00
|
|
|
return 0;
|
2013-09-30 14:45:02 -06:00
|
|
|
if (first && info->files.data &&
|
2013-10-05 13:32:35 -06:00
|
|
|
!writenote(&info->files, cprm))
|
2012-10-04 18:15:36 -06:00
|
|
|
return 0;
|
2008-01-30 05:31:45 -07:00
|
|
|
|
|
|
|
|
for (i = 1; i < info->thread_notes; ++i)
|
|
|
|
|
if (t->notes[i].data &&
|
2013-10-05 13:32:35 -06:00
|
|
|
!writenote(&t->notes[i], cprm))
|
2008-01-30 05:31:45 -07:00
|
|
|
return 0;
|
|
|
|
|
|
2014-06-04 17:12:14 -06:00
|
|
|
first = false;
|
2008-01-30 05:31:45 -07:00
|
|
|
t = t->next;
|
|
|
|
|
} while (t);
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void free_note_info(struct elf_note_info *info)
|
|
|
|
|
{
|
|
|
|
|
struct elf_thread_core_info *threads = info->thread;
|
|
|
|
|
while (threads) {
|
|
|
|
|
unsigned int i;
|
|
|
|
|
struct elf_thread_core_info *t = threads;
|
|
|
|
|
threads = t->next;
|
|
|
|
|
WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
|
|
|
|
|
for (i = 1; i < info->thread_notes; ++i)
|
|
|
|
|
kfree(t->notes[i].data);
|
|
|
|
|
kfree(t);
|
|
|
|
|
}
|
|
|
|
|
kfree(info->psinfo.data);
|
2018-06-14 16:27:24 -06:00
|
|
|
kvfree(info->files.data);
|
2008-01-30 05:31:45 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Here is the structure in which status of each thread is captured. */
|
|
|
|
|
struct elf_thread_status
|
|
|
|
|
{
|
|
|
|
|
struct list_head list;
|
|
|
|
|
struct elf_prstatus prstatus; /* NT_PRSTATUS */
|
|
|
|
|
elf_fpregset_t fpu; /* NT_PRFPREG */
|
|
|
|
|
struct task_struct *thread;
|
|
|
|
|
#ifdef ELF_CORE_COPY_XFPREGS
|
2007-10-17 00:25:39 -06:00
|
|
|
elf_fpxregset_t xfpu; /* ELF_CORE_XFPREG_TYPE */
|
2005-04-16 16:20:36 -06:00
|
|
|
#endif
|
|
|
|
|
struct memelfnote notes[3];
|
|
|
|
|
int num_notes;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* In order to add the specific thread information for the elf file format,
|
2006-06-23 03:05:35 -06:00
|
|
|
* we need to keep a linked list of every threads pr_status and then create
|
|
|
|
|
* a single section for them in the final core file.
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
|
|
|
|
static int elf_dump_thread_status(long signr, struct elf_thread_status *t)
|
|
|
|
|
{
|
|
|
|
|
int sz = 0;
|
|
|
|
|
struct task_struct *p = t->thread;
|
|
|
|
|
t->num_notes = 0;
|
|
|
|
|
|
|
|
|
|
fill_prstatus(&t->prstatus, p, signr);
|
|
|
|
|
elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
|
|
|
|
|
|
2006-06-23 03:05:35 -06:00
|
|
|
fill_note(&t->notes[0], "CORE", NT_PRSTATUS, sizeof(t->prstatus),
|
|
|
|
|
&(t->prstatus));
|
2005-04-16 16:20:36 -06:00
|
|
|
t->num_notes++;
|
|
|
|
|
sz += notesize(&t->notes[0]);
|
|
|
|
|
|
2006-06-23 03:05:35 -06:00
|
|
|
if ((t->prstatus.pr_fpvalid = elf_core_copy_task_fpregs(p, NULL,
|
|
|
|
|
&t->fpu))) {
|
|
|
|
|
fill_note(&t->notes[1], "CORE", NT_PRFPREG, sizeof(t->fpu),
|
|
|
|
|
&(t->fpu));
|
2005-04-16 16:20:36 -06:00
|
|
|
t->num_notes++;
|
|
|
|
|
sz += notesize(&t->notes[1]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef ELF_CORE_COPY_XFPREGS
|
|
|
|
|
if (elf_core_copy_task_xfpregs(p, &t->xfpu)) {
|
2007-10-17 00:25:39 -06:00
|
|
|
fill_note(&t->notes[2], "LINUX", ELF_CORE_XFPREG_TYPE,
|
|
|
|
|
sizeof(t->xfpu), &t->xfpu);
|
2005-04-16 16:20:36 -06:00
|
|
|
t->num_notes++;
|
|
|
|
|
sz += notesize(&t->notes[2]);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
return sz;
|
|
|
|
|
}
|
|
|
|
|
|
2008-01-30 05:31:44 -07:00
|
|
|
struct elf_note_info {
|
|
|
|
|
struct memelfnote *notes;
|
2013-09-30 14:45:02 -06:00
|
|
|
struct memelfnote *notes_files;
|
2008-01-30 05:31:44 -07:00
|
|
|
struct elf_prstatus *prstatus; /* NT_PRSTATUS */
|
|
|
|
|
struct elf_prpsinfo *psinfo; /* NT_PRPSINFO */
|
|
|
|
|
struct list_head thread_list;
|
|
|
|
|
elf_fpregset_t *fpu;
|
|
|
|
|
#ifdef ELF_CORE_COPY_XFPREGS
|
|
|
|
|
elf_fpxregset_t *xfpu;
|
|
|
|
|
#endif
|
2012-10-04 18:15:35 -06:00
|
|
|
user_siginfo_t csigdata;
|
2008-01-30 05:31:44 -07:00
|
|
|
int thread_status_size;
|
|
|
|
|
int numnote;
|
|
|
|
|
};
|
|
|
|
|
|
2009-09-23 16:57:05 -06:00
|
|
|
static int elf_note_info_init(struct elf_note_info *info)
|
2008-01-30 05:31:44 -07:00
|
|
|
{
|
2009-09-23 16:57:05 -06:00
|
|
|
memset(info, 0, sizeof(*info));
|
2008-01-30 05:31:44 -07:00
|
|
|
INIT_LIST_HEAD(&info->thread_list);
|
|
|
|
|
|
2012-10-04 18:15:35 -06:00
|
|
|
/* Allocate space for ELF notes */
|
treewide: kmalloc() -> kmalloc_array()
The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
patch replaces cases of:
kmalloc(a * b, gfp)
with:
kmalloc_array(a * b, gfp)
as well as handling cases of:
kmalloc(a * b * c, gfp)
with:
kmalloc(array3_size(a, b, c), gfp)
as it's slightly less ugly than:
kmalloc_array(array_size(a, b), c, gfp)
This does, however, attempt to ignore constant size factors like:
kmalloc(4 * 1024, gfp)
though any constants defined via macros get caught up in the conversion.
Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.
The tools/ directory was manually excluded, since it has its own
implementation of kmalloc().
The Coccinelle script used for this was:
// Fix redundant parens around sizeof().
@@
type TYPE;
expression THING, E;
@@
(
kmalloc(
- (sizeof(TYPE)) * E
+ sizeof(TYPE) * E
, ...)
|
kmalloc(
- (sizeof(THING)) * E
+ sizeof(THING) * E
, ...)
)
// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
@@
(
kmalloc(
- sizeof(u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * (COUNT)
+ COUNT
, ...)
|
kmalloc(
- sizeof(u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(__u8) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(char) * COUNT
+ COUNT
, ...)
|
kmalloc(
- sizeof(unsigned char) * COUNT
+ COUNT
, ...)
)
// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@
(
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_ID)
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_ID
+ COUNT_ID, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (COUNT_CONST)
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * COUNT_CONST
+ COUNT_CONST, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_ID)
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_ID
+ COUNT_ID, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (COUNT_CONST)
+ COUNT_CONST, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * COUNT_CONST
+ COUNT_CONST, sizeof(THING)
, ...)
)
// 2-factor product, only identifiers.
@@
identifier SIZE, COUNT;
@@
- kmalloc
+ kmalloc_array
(
- SIZE * COUNT
+ COUNT, SIZE
, ...)
// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@
(
kmalloc(
- sizeof(TYPE) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(TYPE) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(TYPE))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * (COUNT) * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * (STRIDE)
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
|
kmalloc(
- sizeof(THING) * COUNT * STRIDE
+ array3_size(COUNT, STRIDE, sizeof(THING))
, ...)
)
// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@
(
kmalloc(
- sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(THING1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(THING1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * COUNT
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
|
kmalloc(
- sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+ array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
, ...)
)
// 3-factor product, only identifiers, with redundant parens removed.
@@
identifier STRIDE, SIZE, COUNT;
@@
(
kmalloc(
- (COUNT) * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * STRIDE * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- (COUNT) * (STRIDE) * (SIZE)
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
|
kmalloc(
- COUNT * STRIDE * SIZE
+ array3_size(COUNT, STRIDE, SIZE)
, ...)
)
// Any remaining multi-factor products, first at least 3-factor products,
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
@@
(
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(
- (E1) * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * E3
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- (E1) * (E2) * (E3)
+ array3_size(E1, E2, E3)
, ...)
|
kmalloc(
- E1 * E2 * E3
+ array3_size(E1, E2, E3)
, ...)
)
// And then all remaining 2 factors products when they're not all constants,
// keeping sizeof() as the second factor argument.
@@
expression THING, E1, E2;
type TYPE;
constant C1, C2, C3;
@@
(
kmalloc(sizeof(THING) * C2, ...)
|
kmalloc(sizeof(TYPE) * C2, ...)
|
kmalloc(C1 * C2 * C3, ...)
|
kmalloc(C1 * C2, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * (E2)
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(TYPE) * E2
+ E2, sizeof(TYPE)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * (E2)
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- sizeof(THING) * E2
+ E2, sizeof(THING)
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * E2
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- (E1) * (E2)
+ E1, E2
, ...)
|
- kmalloc
+ kmalloc_array
(
- E1 * E2
+ E1, E2
, ...)
)
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-12 14:55:00 -06:00
|
|
|
info->notes = kmalloc_array(8, sizeof(struct memelfnote), GFP_KERNEL);
|
2008-01-30 05:31:44 -07:00
|
|
|
if (!info->notes)
|
|
|
|
|
return 0;
|
|
|
|
|
info->psinfo = kmalloc(sizeof(*info->psinfo), GFP_KERNEL);
|
|
|
|
|
if (!info->psinfo)
|
2012-09-25 19:34:50 -06:00
|
|
|
return 0;
|
2008-01-30 05:31:44 -07:00
|
|
|
info->prstatus = kmalloc(sizeof(*info->prstatus), GFP_KERNEL);
|
|
|
|
|
if (!info->prstatus)
|
2012-09-25 19:34:50 -06:00
|
|
|
return 0;
|
2008-01-30 05:31:44 -07:00
|
|
|
info->fpu = kmalloc(sizeof(*info->fpu), GFP_KERNEL);
|
|
|
|
|
if (!info->fpu)
|
2012-09-25 19:34:50 -06:00
|
|
|
return 0;
|
2008-01-30 05:31:44 -07:00
|
|
|
#ifdef ELF_CORE_COPY_XFPREGS
|
|
|
|
|
info->xfpu = kmalloc(sizeof(*info->xfpu), GFP_KERNEL);
|
|
|
|
|
if (!info->xfpu)
|
2012-09-25 19:34:50 -06:00
|
|
|
return 0;
|
2008-01-30 05:31:44 -07:00
|
|
|
#endif
|
2009-09-23 16:57:05 -06:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int fill_note_info(struct elfhdr *elf, int phdrs,
|
|
|
|
|
struct elf_note_info *info,
|
2018-09-25 03:27:20 -06:00
|
|
|
const kernel_siginfo_t *siginfo, struct pt_regs *regs)
|
2009-09-23 16:57:05 -06:00
|
|
|
{
|
2013-10-14 05:39:56 -06:00
|
|
|
struct core_thread *ct;
|
|
|
|
|
struct elf_thread_status *ets;
|
2009-09-23 16:57:05 -06:00
|
|
|
|
|
|
|
|
if (!elf_note_info_init(info))
|
|
|
|
|
return 0;
|
2008-01-30 05:31:44 -07:00
|
|
|
|
2013-10-14 05:39:56 -06:00
|
|
|
for (ct = current->mm->core_state->dumper.next;
|
|
|
|
|
ct; ct = ct->next) {
|
|
|
|
|
ets = kzalloc(sizeof(*ets), GFP_KERNEL);
|
|
|
|
|
if (!ets)
|
|
|
|
|
return 0;
|
2008-07-25 02:47:45 -06:00
|
|
|
|
2013-10-14 05:39:56 -06:00
|
|
|
ets->thread = ct->task;
|
|
|
|
|
list_add(&ets->list, &info->thread_list);
|
|
|
|
|
}
|
2008-07-25 02:47:45 -06:00
|
|
|
|
2019-03-07 17:28:59 -07:00
|
|
|
list_for_each_entry(ets, &info->thread_list, list) {
|
2013-10-14 05:39:56 -06:00
|
|
|
int sz;
|
2008-01-30 05:31:44 -07:00
|
|
|
|
2013-10-14 05:39:56 -06:00
|
|
|
sz = elf_dump_thread_status(siginfo->si_signo, ets);
|
|
|
|
|
info->thread_status_size += sz;
|
2008-01-30 05:31:44 -07:00
|
|
|
}
|
|
|
|
|
/* now collect the dump for the current */
|
|
|
|
|
memset(info->prstatus, 0, sizeof(*info->prstatus));
|
2012-10-04 18:15:29 -06:00
|
|
|
fill_prstatus(info->prstatus, current, siginfo->si_signo);
|
2008-01-30 05:31:44 -07:00
|
|
|
elf_core_copy_regs(&info->prstatus->pr_reg, regs);
|
|
|
|
|
|
|
|
|
|
/* Set up header */
|
2013-02-21 17:44:20 -07:00
|
|
|
fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
|
2008-01-30 05:31:44 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up the notes in similar form to SVR4 core dumps made
|
|
|
|
|
* with info from their /proc.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
fill_note(info->notes + 0, "CORE", NT_PRSTATUS,
|
|
|
|
|
sizeof(*info->prstatus), info->prstatus);
|
|
|
|
|
fill_psinfo(info->psinfo, current->group_leader, current->mm);
|
|
|
|
|
fill_note(info->notes + 1, "CORE", NT_PRPSINFO,
|
|
|
|
|
sizeof(*info->psinfo), info->psinfo);
|
|
|
|
|
|
2012-10-04 18:15:36 -06:00
|
|
|
fill_siginfo_note(info->notes + 2, &info->csigdata, siginfo);
|
|
|
|
|
fill_auxv_note(info->notes + 3, current->mm);
|
2013-09-30 14:45:02 -06:00
|
|
|
info->numnote = 4;
|
2008-01-30 05:31:44 -07:00
|
|
|
|
2013-09-30 14:45:02 -06:00
|
|
|
if (fill_files_note(info->notes + info->numnote) == 0) {
|
|
|
|
|
info->notes_files = info->notes + info->numnote;
|
|
|
|
|
info->numnote++;
|
|
|
|
|
}
|
2008-01-30 05:31:44 -07:00
|
|
|
|
|
|
|
|
/* Try to dump the FPU. */
|
|
|
|
|
info->prstatus->pr_fpvalid = elf_core_copy_task_fpregs(current, regs,
|
|
|
|
|
info->fpu);
|
|
|
|
|
if (info->prstatus->pr_fpvalid)
|
|
|
|
|
fill_note(info->notes + info->numnote++,
|
|
|
|
|
"CORE", NT_PRFPREG, sizeof(*info->fpu), info->fpu);
|
|
|
|
|
#ifdef ELF_CORE_COPY_XFPREGS
|
|
|
|
|
if (elf_core_copy_task_xfpregs(current, info->xfpu))
|
|
|
|
|
fill_note(info->notes + info->numnote++,
|
|
|
|
|
"LINUX", ELF_CORE_XFPREG_TYPE,
|
|
|
|
|
sizeof(*info->xfpu), info->xfpu);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static size_t get_note_info_size(struct elf_note_info *info)
|
|
|
|
|
{
|
|
|
|
|
int sz = 0;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < info->numnote; i++)
|
|
|
|
|
sz += notesize(info->notes + i);
|
|
|
|
|
|
|
|
|
|
sz += info->thread_status_size;
|
|
|
|
|
|
|
|
|
|
return sz;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int write_note_info(struct elf_note_info *info,
|
2013-10-05 13:32:35 -06:00
|
|
|
struct coredump_params *cprm)
|
2008-01-30 05:31:44 -07:00
|
|
|
{
|
2019-03-07 17:28:59 -07:00
|
|
|
struct elf_thread_status *ets;
|
2008-01-30 05:31:44 -07:00
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < info->numnote; i++)
|
2013-10-05 13:32:35 -06:00
|
|
|
if (!writenote(info->notes + i, cprm))
|
2008-01-30 05:31:44 -07:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* write out the thread status notes section */
|
2019-03-07 17:28:59 -07:00
|
|
|
list_for_each_entry(ets, &info->thread_list, list) {
|
|
|
|
|
for (i = 0; i < ets->num_notes; i++)
|
|
|
|
|
if (!writenote(&ets->notes[i], cprm))
|
2008-01-30 05:31:44 -07:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void free_note_info(struct elf_note_info *info)
|
|
|
|
|
{
|
|
|
|
|
while (!list_empty(&info->thread_list)) {
|
|
|
|
|
struct list_head *tmp = info->thread_list.next;
|
|
|
|
|
list_del(tmp);
|
|
|
|
|
kfree(list_entry(tmp, struct elf_thread_status, list));
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-30 14:45:02 -06:00
|
|
|
/* Free data possibly allocated by fill_files_note(): */
|
|
|
|
|
if (info->notes_files)
|
2018-06-14 16:27:24 -06:00
|
|
|
kvfree(info->notes_files->data);
|
2012-10-04 18:15:36 -06:00
|
|
|
|
2008-01-30 05:31:44 -07:00
|
|
|
kfree(info->prstatus);
|
|
|
|
|
kfree(info->psinfo);
|
|
|
|
|
kfree(info->notes);
|
|
|
|
|
kfree(info->fpu);
|
|
|
|
|
#ifdef ELF_CORE_COPY_XFPREGS
|
|
|
|
|
kfree(info->xfpu);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2008-01-30 05:31:45 -07:00
|
|
|
#endif
|
|
|
|
|
|
2007-01-26 01:56:49 -07:00
|
|
|
static struct vm_area_struct *first_vma(struct task_struct *tsk,
|
|
|
|
|
struct vm_area_struct *gate_vma)
|
|
|
|
|
{
|
|
|
|
|
struct vm_area_struct *ret = tsk->mm->mmap;
|
|
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
return gate_vma;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Helper function for iterating across a vma list. It ensures that the caller
|
|
|
|
|
* will visit `gate_vma' prior to terminating the search.
|
|
|
|
|
*/
|
|
|
|
|
static struct vm_area_struct *next_vma(struct vm_area_struct *this_vma,
|
|
|
|
|
struct vm_area_struct *gate_vma)
|
|
|
|
|
{
|
|
|
|
|
struct vm_area_struct *ret;
|
|
|
|
|
|
|
|
|
|
ret = this_vma->vm_next;
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
if (this_vma == gate_vma)
|
|
|
|
|
return NULL;
|
|
|
|
|
return gate_vma;
|
|
|
|
|
}
|
|
|
|
|
|
2010-03-05 14:44:10 -07:00
|
|
|
static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
|
|
|
|
|
elf_addr_t e_shoff, int segs)
|
|
|
|
|
{
|
|
|
|
|
elf->e_shoff = e_shoff;
|
|
|
|
|
elf->e_shentsize = sizeof(*shdr4extnum);
|
|
|
|
|
elf->e_shnum = 1;
|
|
|
|
|
elf->e_shstrndx = SHN_UNDEF;
|
|
|
|
|
|
|
|
|
|
memset(shdr4extnum, 0, sizeof(*shdr4extnum));
|
|
|
|
|
|
|
|
|
|
shdr4extnum->sh_type = SHT_NULL;
|
|
|
|
|
shdr4extnum->sh_size = elf->e_shnum;
|
|
|
|
|
shdr4extnum->sh_link = elf->e_shstrndx;
|
|
|
|
|
shdr4extnum->sh_info = segs;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
|
|
|
|
* Actual dumper
|
|
|
|
|
*
|
|
|
|
|
* This is a two-pass process; first we find the offsets of the bits,
|
|
|
|
|
* and then they are actually written out. If we run out of core limit
|
|
|
|
|
* we just truncate.
|
|
|
|
|
*/
|
2009-12-17 16:27:16 -07:00
|
|
|
static int elf_core_dump(struct coredump_params *cprm)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
int has_dumped = 0;
|
|
|
|
|
mm_segment_t fs;
|
2014-12-10 16:52:16 -07:00
|
|
|
int segs, i;
|
|
|
|
|
size_t vma_data_size = 0;
|
2007-01-26 01:56:49 -07:00
|
|
|
struct vm_area_struct *vma, *gate_vma;
|
2005-04-16 16:20:36 -06:00
|
|
|
struct elfhdr *elf = NULL;
|
2013-10-05 20:24:29 -06:00
|
|
|
loff_t offset = 0, dataoff;
|
2013-09-30 14:45:02 -06:00
|
|
|
struct elf_note_info info = { };
|
2010-03-05 14:44:09 -07:00
|
|
|
struct elf_phdr *phdr4note = NULL;
|
2010-03-05 14:44:10 -07:00
|
|
|
struct elf_shdr *shdr4extnum = NULL;
|
|
|
|
|
Elf_Half e_phnum;
|
|
|
|
|
elf_addr_t e_shoff;
|
2014-12-10 16:52:16 -07:00
|
|
|
elf_addr_t *vma_filesz = NULL;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We no longer stop all VM operations.
|
|
|
|
|
*
|
2006-06-23 03:05:35 -06:00
|
|
|
* This is because those proceses that could possibly change map_count
|
|
|
|
|
* or the mmap / vma pages are now blocked in do_exit on current
|
|
|
|
|
* finishing this core dump.
|
2005-04-16 16:20:36 -06:00
|
|
|
*
|
|
|
|
|
* Only ptrace can touch these memory addresses, but it doesn't change
|
2006-06-23 03:05:35 -06:00
|
|
|
* the map_count or the pages allocated. So no possibility of crashing
|
2005-04-16 16:20:36 -06:00
|
|
|
* exists while dumping the mm->vm_next areas to the core file.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* alloc memory for large data structures: too large to be on stack */
|
|
|
|
|
elf = kmalloc(sizeof(*elf), GFP_KERNEL);
|
|
|
|
|
if (!elf)
|
2008-05-05 22:45:35 -06:00
|
|
|
goto out;
|
2009-06-30 12:41:23 -06:00
|
|
|
/*
|
|
|
|
|
* The number of segs are recored into ELF header as 16bit value.
|
|
|
|
|
* Please check DEFAULT_MAX_MAP_COUNT definition when you modify here.
|
|
|
|
|
*/
|
2005-04-16 16:20:36 -06:00
|
|
|
segs = current->mm->map_count;
|
2010-03-05 14:44:07 -07:00
|
|
|
segs += elf_core_extra_phdrs();
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2011-03-13 13:49:15 -06:00
|
|
|
gate_vma = get_gate_vma(current->mm);
|
2007-01-26 01:56:49 -07:00
|
|
|
if (gate_vma != NULL)
|
|
|
|
|
segs++;
|
|
|
|
|
|
2010-03-05 14:44:10 -07:00
|
|
|
/* for notes section */
|
|
|
|
|
segs++;
|
|
|
|
|
|
|
|
|
|
/* If segs > PN_XNUM(0xffff), then e_phnum overflows. To avoid
|
|
|
|
|
* this, kernel supports extended numbering. Have a look at
|
|
|
|
|
* include/linux/elf.h for further information. */
|
|
|
|
|
e_phnum = segs > PN_XNUM ? PN_XNUM : segs;
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/*
|
2008-01-30 05:31:44 -07:00
|
|
|
* Collect all the non-memory information about the process for the
|
|
|
|
|
* notes. This also sets up the file header.
|
2005-04-16 16:20:36 -06:00
|
|
|
*/
|
2012-10-04 18:15:29 -06:00
|
|
|
if (!fill_note_info(elf, e_phnum, &info, cprm->siginfo, cprm->regs))
|
2008-01-30 05:31:44 -07:00
|
|
|
goto cleanup;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2008-01-30 05:31:44 -07:00
|
|
|
has_dumped = 1;
|
2013-04-30 16:28:16 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
fs = get_fs();
|
|
|
|
|
set_fs(KERNEL_DS);
|
|
|
|
|
|
|
|
|
|
offset += sizeof(*elf); /* Elf header */
|
2010-03-05 14:44:10 -07:00
|
|
|
offset += segs * sizeof(struct elf_phdr); /* Program headers */
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* Write notes phdr entry */
|
|
|
|
|
{
|
2008-01-30 05:31:44 -07:00
|
|
|
size_t sz = get_note_info_size(&info);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
[POWERPC] spufs: Cleanup ELF coredump extra notes logic
To start with, arch_notes_size() etc. is a little too ambiguous a name for
my liking, so change the function names to be more explicit.
Calling through macros is ugly, especially with hidden parameters, so don't
do that, call the routines directly.
Use ARCH_HAVE_EXTRA_ELF_NOTES as the only flag, and based on it decide
whether we want the extern declarations or the empty versions.
Since we have empty routines, actually use them in the coredump code to
save a few #ifdefs.
We want to change the handling of foffset so that the write routine updates
foffset as it goes, instead of using file->f_pos (so that writing to a pipe
works). So pass foffset to the write routine, and for now just set it to
file->f_pos at the end of writing.
It should also be possible for the write routine to fail, so change it to
return int and treat a non-zero return as failure.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
2007-09-18 22:38:12 -06:00
|
|
|
sz += elf_coredump_extra_notes_size();
|
[POWERPC] coredump: Add SPU elf notes to coredump.
This patch adds SPU elf notes to the coredump. It creates a separate note
for each of /regs, /fpcr, /lslr, /decr, /decr_status, /mem, /signal1,
/signal1_type, /signal2, /signal2_type, /event_mask, /event_status,
/mbox_info, /ibox_info, /wbox_info, /dma_info, /proxydma_info, /object-id.
A new macro, ARCH_HAVE_EXTRA_NOTES, was created for architectures to
specify they have extra elf core notes.
A new macro, ELF_CORE_EXTRA_NOTES_SIZE, was created so the size of the
additional notes could be calculated and added to the notes phdr entry.
A new macro, ELF_CORE_WRITE_EXTRA_NOTES, was created so the new notes
would be written after the existing notes.
The SPU coredump code resides in spufs. Stub functions are provided in the
kernel which are hooked into the spufs code which does the actual work via
register_arch_coredump_calls().
A new set of __spufs_<file>_read/get() functions was provided to allow the
coredump code to read from the spufs files without having to lock the
SPU context for each file read from.
Cc: <linux-arch@vger.kernel.org>
Signed-off-by: Dwayne Grant McConnell <decimal@us.ibm.com>
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
2006-11-22 16:46:37 -07:00
|
|
|
|
2010-03-05 14:44:09 -07:00
|
|
|
phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
|
|
|
|
|
if (!phdr4note)
|
2010-03-05 14:44:06 -07:00
|
|
|
goto end_coredump;
|
2010-03-05 14:44:09 -07:00
|
|
|
|
|
|
|
|
fill_elf_note_phdr(phdr4note, sz, offset);
|
|
|
|
|
offset += sz;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
|
|
|
|
|
|
2016-12-12 17:46:40 -07:00
|
|
|
if (segs - 1 > ULONG_MAX / sizeof(*vma_filesz))
|
|
|
|
|
goto end_coredump;
|
2018-06-14 16:27:24 -06:00
|
|
|
vma_filesz = kvmalloc(array_size(sizeof(*vma_filesz), (segs - 1)),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (ZERO_OR_NULL_PTR(vma_filesz))
|
2014-12-10 16:52:16 -07:00
|
|
|
goto end_coredump;
|
|
|
|
|
|
|
|
|
|
for (i = 0, vma = first_vma(current, gate_vma); vma != NULL;
|
|
|
|
|
vma = next_vma(vma, gate_vma)) {
|
|
|
|
|
unsigned long dump_size;
|
|
|
|
|
|
|
|
|
|
dump_size = vma_dump_size(vma, cprm->mm_flags);
|
|
|
|
|
vma_filesz[i++] = dump_size;
|
|
|
|
|
vma_data_size += dump_size;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset += vma_data_size;
|
2010-03-05 14:44:10 -07:00
|
|
|
offset += elf_core_extra_data_size();
|
|
|
|
|
e_shoff = offset;
|
|
|
|
|
|
|
|
|
|
if (e_phnum == PN_XNUM) {
|
|
|
|
|
shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
|
|
|
|
|
if (!shdr4extnum)
|
|
|
|
|
goto end_coredump;
|
|
|
|
|
fill_extnum_info(elf, shdr4extnum, e_shoff, segs);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
offset = dataoff;
|
|
|
|
|
|
2013-10-05 13:32:35 -06:00
|
|
|
if (!dump_emit(cprm, elf, sizeof(*elf)))
|
2010-03-05 14:44:09 -07:00
|
|
|
goto end_coredump;
|
|
|
|
|
|
2013-10-05 13:32:35 -06:00
|
|
|
if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
|
2010-03-05 14:44:09 -07:00
|
|
|
goto end_coredump;
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Write program headers for segments dump */
|
2014-12-10 16:52:16 -07:00
|
|
|
for (i = 0, vma = first_vma(current, gate_vma); vma != NULL;
|
2007-01-26 01:56:49 -07:00
|
|
|
vma = next_vma(vma, gate_vma)) {
|
2005-04-16 16:20:36 -06:00
|
|
|
struct elf_phdr phdr;
|
|
|
|
|
|
|
|
|
|
phdr.p_type = PT_LOAD;
|
|
|
|
|
phdr.p_offset = offset;
|
|
|
|
|
phdr.p_vaddr = vma->vm_start;
|
|
|
|
|
phdr.p_paddr = 0;
|
2014-12-10 16:52:16 -07:00
|
|
|
phdr.p_filesz = vma_filesz[i++];
|
2007-10-17 00:27:02 -06:00
|
|
|
phdr.p_memsz = vma->vm_end - vma->vm_start;
|
2005-04-16 16:20:36 -06:00
|
|
|
offset += phdr.p_filesz;
|
|
|
|
|
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
|
2006-06-23 03:05:35 -06:00
|
|
|
if (vma->vm_flags & VM_WRITE)
|
|
|
|
|
phdr.p_flags |= PF_W;
|
|
|
|
|
if (vma->vm_flags & VM_EXEC)
|
|
|
|
|
phdr.p_flags |= PF_X;
|
2005-04-16 16:20:36 -06:00
|
|
|
phdr.p_align = ELF_EXEC_PAGESIZE;
|
|
|
|
|
|
2013-10-05 13:32:35 -06:00
|
|
|
if (!dump_emit(cprm, &phdr, sizeof(phdr)))
|
2010-03-05 14:44:06 -07:00
|
|
|
goto end_coredump;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2013-10-05 15:22:57 -06:00
|
|
|
if (!elf_core_write_extra_phdrs(cprm, offset))
|
2010-03-05 14:44:07 -07:00
|
|
|
goto end_coredump;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* write out the notes section */
|
2013-10-05 13:32:35 -06:00
|
|
|
if (!write_note_info(&info, cprm))
|
2008-01-30 05:31:44 -07:00
|
|
|
goto end_coredump;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2013-10-05 20:24:29 -06:00
|
|
|
if (elf_coredump_extra_notes_write(cprm))
|
[POWERPC] spufs: Cleanup ELF coredump extra notes logic
To start with, arch_notes_size() etc. is a little too ambiguous a name for
my liking, so change the function names to be more explicit.
Calling through macros is ugly, especially with hidden parameters, so don't
do that, call the routines directly.
Use ARCH_HAVE_EXTRA_ELF_NOTES as the only flag, and based on it decide
whether we want the extern declarations or the empty versions.
Since we have empty routines, actually use them in the coredump code to
save a few #ifdefs.
We want to change the handling of foffset so that the write routine updates
foffset as it goes, instead of using file->f_pos (so that writing to a pipe
works). So pass foffset to the write routine, and for now just set it to
file->f_pos at the end of writing.
It should also be possible for the write routine to fail, so change it to
return int and treat a non-zero return as failure.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
2007-09-18 22:38:12 -06:00
|
|
|
goto end_coredump;
|
[POWERPC] coredump: Add SPU elf notes to coredump.
This patch adds SPU elf notes to the coredump. It creates a separate note
for each of /regs, /fpcr, /lslr, /decr, /decr_status, /mem, /signal1,
/signal1_type, /signal2, /signal2_type, /event_mask, /event_status,
/mbox_info, /ibox_info, /wbox_info, /dma_info, /proxydma_info, /object-id.
A new macro, ARCH_HAVE_EXTRA_NOTES, was created for architectures to
specify they have extra elf core notes.
A new macro, ELF_CORE_EXTRA_NOTES_SIZE, was created so the size of the
additional notes could be calculated and added to the notes phdr entry.
A new macro, ELF_CORE_WRITE_EXTRA_NOTES, was created so the new notes
would be written after the existing notes.
The SPU coredump code resides in spufs. Stub functions are provided in the
kernel which are hooked into the spufs code which does the actual work via
register_arch_coredump_calls().
A new set of __spufs_<file>_read/get() functions was provided to allow the
coredump code to read from the spufs files without having to lock the
SPU context for each file read from.
Cc: <linux-arch@vger.kernel.org>
Signed-off-by: Dwayne Grant McConnell <decimal@us.ibm.com>
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
2006-11-22 16:46:37 -07:00
|
|
|
|
2006-10-01 00:29:28 -06:00
|
|
|
/* Align to page */
|
2016-06-05 15:14:14 -06:00
|
|
|
if (!dump_skip(cprm, dataoff - cprm->pos))
|
2009-09-21 18:03:25 -06:00
|
|
|
goto end_coredump;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2014-12-10 16:52:16 -07:00
|
|
|
for (i = 0, vma = first_vma(current, gate_vma); vma != NULL;
|
2007-01-26 01:56:49 -07:00
|
|
|
vma = next_vma(vma, gate_vma)) {
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long addr;
|
2007-10-17 00:27:02 -06:00
|
|
|
unsigned long end;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2014-12-10 16:52:16 -07:00
|
|
|
end = vma->vm_start + vma_filesz[i++];
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2007-10-17 00:27:02 -06:00
|
|
|
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
|
2006-06-23 03:05:35 -06:00
|
|
|
struct page *page;
|
2009-09-21 18:03:25 -06:00
|
|
|
int stop;
|
|
|
|
|
|
|
|
|
|
page = get_dump_page(addr);
|
|
|
|
|
if (page) {
|
|
|
|
|
void *kaddr = kmap(page);
|
2013-10-05 16:08:47 -06:00
|
|
|
stop = !dump_emit(cprm, kaddr, PAGE_SIZE);
|
2009-09-21 18:03:25 -06:00
|
|
|
kunmap(page);
|
mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros
PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
ago with promise that one day it will be possible to implement page
cache with bigger chunks than PAGE_SIZE.
This promise never materialized. And unlikely will.
We have many places where PAGE_CACHE_SIZE assumed to be equal to
PAGE_SIZE. And it's constant source of confusion on whether
PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
especially on the border between fs and mm.
Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
breakage to be doable.
Let's stop pretending that pages in page cache are special. They are
not.
The changes are pretty straight-forward:
- <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};
- page_cache_get() -> get_page();
- page_cache_release() -> put_page();
This patch contains automated changes generated with coccinelle using
script below. For some reason, coccinelle doesn't patch header files.
I've called spatch for them manually.
The only adjustment after coccinelle is revert of changes to
PAGE_CAHCE_ALIGN definition: we are going to drop it later.
There are few places in the code where coccinelle didn't reach. I'll
fix them manually in a separate patch. Comments and documentation also
will be addressed with the separate patch.
virtual patch
@@
expression E;
@@
- E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
expression E;
@@
- E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
@@
- PAGE_CACHE_SHIFT
+ PAGE_SHIFT
@@
@@
- PAGE_CACHE_SIZE
+ PAGE_SIZE
@@
@@
- PAGE_CACHE_MASK
+ PAGE_MASK
@@
expression E;
@@
- PAGE_CACHE_ALIGN(E)
+ PAGE_ALIGN(E)
@@
expression E;
@@
- page_cache_get(E)
+ get_page(E)
@@
expression E;
@@
- page_cache_release(E)
+ put_page(E)
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-01 06:29:47 -06:00
|
|
|
put_page(page);
|
2009-09-21 18:03:25 -06:00
|
|
|
} else
|
2013-10-08 07:26:08 -06:00
|
|
|
stop = !dump_skip(cprm, PAGE_SIZE);
|
2009-09-21 18:03:25 -06:00
|
|
|
if (stop)
|
|
|
|
|
goto end_coredump;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
}
|
2017-01-11 12:25:00 -07:00
|
|
|
dump_truncate(cprm);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2013-10-05 15:50:15 -06:00
|
|
|
if (!elf_core_write_extra_data(cprm))
|
2010-03-05 14:44:07 -07:00
|
|
|
goto end_coredump;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2010-03-05 14:44:10 -07:00
|
|
|
if (e_phnum == PN_XNUM) {
|
2013-10-05 16:08:47 -06:00
|
|
|
if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
|
2010-03-05 14:44:10 -07:00
|
|
|
goto end_coredump;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
end_coredump:
|
|
|
|
|
set_fs(fs);
|
|
|
|
|
|
|
|
|
|
cleanup:
|
2008-01-30 05:31:44 -07:00
|
|
|
free_note_info(&info);
|
2010-03-05 14:44:10 -07:00
|
|
|
kfree(shdr4extnum);
|
2018-06-14 16:27:24 -06:00
|
|
|
kvfree(vma_filesz);
|
2010-03-05 14:44:09 -07:00
|
|
|
kfree(phdr4note);
|
2008-05-05 22:45:35 -06:00
|
|
|
kfree(elf);
|
|
|
|
|
out:
|
2005-04-16 16:20:36 -06:00
|
|
|
return has_dumped;
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-15 17:47:37 -07:00
|
|
|
#endif /* CONFIG_ELF_CORE */
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
static int __init init_elf_binfmt(void)
|
|
|
|
|
{
|
2012-03-17 01:05:16 -06:00
|
|
|
register_binfmt(&elf_format);
|
|
|
|
|
return 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __exit exit_elf_binfmt(void)
|
|
|
|
|
{
|
|
|
|
|
/* Remove the COFF and ELF loaders. */
|
|
|
|
|
unregister_binfmt(&elf_format);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
core_initcall(init_elf_binfmt);
|
|
|
|
|
module_exit(exit_elf_binfmt);
|
|
|
|
|
MODULE_LICENSE("GPL");
|