1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * linux/fs/binfmt_elf.c
4
 *
5
 * These are the functions used to load ELF format executables as used
6
 * on SVr4 machines.  Information on the format may be found in the book
7
 * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
8
 * Tools".
9
 *
10
 * Copyright 1993, 1994: Eric Youngdale ([email protected]).
11
 */
12

13
#include <linux/module.h>
14
#include <linux/kernel.h>
15
#include <linux/fs.h>
16
#include <linux/log2.h>
17
#include <linux/mm.h>
18
#include <linux/mman.h>
19
#include <linux/errno.h>
20
#include <linux/signal.h>
21
#include <linux/binfmts.h>
22
#include <linux/string.h>
23
#include <linux/file.h>
24
#include <linux/slab.h>
25
#include <linux/personality.h>
26
#include <linux/elfcore.h>
27
#include <linux/init.h>
28
#include <linux/highuid.h>
29
#include <linux/compiler.h>
30
#include <linux/highmem.h>
31
#include <linux/hugetlb.h>
32
#include <linux/pagemap.h>
33
#include <linux/vmalloc.h>
34
#include <linux/security.h>
35
#include <linux/random.h>
36
#include <linux/elf.h>
37
#include <linux/elf-randomize.h>
38
#include <linux/utsname.h>
39
#include <linux/coredump.h>
40
#include <linux/sched.h>
41
#include <linux/sched/coredump.h>
42
#include <linux/sched/task_stack.h>
43
#include <linux/sched/cputime.h>
44
#include <linux/sizes.h>
45
#include <linux/types.h>
46
#include <linux/cred.h>
47
#include <linux/dax.h>
48
#include <linux/uaccess.h>
49
#include <linux/rseq.h>
50
#include <asm/param.h>
51
#include <asm/page.h>
52

53
#ifndef ELF_COMPAT
54
#define ELF_COMPAT 0
55
#endif
56

57
#ifndef user_long_t
58
#define user_long_t long
59
#endif
60
#ifndef user_siginfo_t
61
#define user_siginfo_t siginfo_t
62
#endif
63

64
/* That's for binfmt_elf_fdpic to deal with */
65
#ifndef elf_check_fdpic
66
#define elf_check_fdpic(ex) false
67
#endif
68

69
static int load_elf_binary(struct linux_binprm *bprm);
70

71
/*
72
 * If we don't support core dumping, then supply a NULL so we
73
 * don't even try.
74
 */
75
#ifdef CONFIG_ELF_CORE
76
static int elf_core_dump(struct coredump_params *cprm);
77
#else
78
#define elf_core_dump	NULL
79
#endif
80

81
#if ELF_EXEC_PAGESIZE > PAGE_SIZE
82
#define ELF_MIN_ALIGN	ELF_EXEC_PAGESIZE
83
#else
84
#define ELF_MIN_ALIGN	PAGE_SIZE
85
#endif
86

87
#ifndef ELF_CORE_EFLAGS
88
#define ELF_CORE_EFLAGS	0
89
#endif
90

91
#define ELF_PAGESTART(_v) ((_v) & ~(int)(ELF_MIN_ALIGN-1))
92
#define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
93
#define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
94

95
static struct linux_binfmt elf_format = {
96
	.module		= THIS_MODULE,
97
	.load_binary	= load_elf_binary,
98
#ifdef CONFIG_COREDUMP
99
	.core_dump	= elf_core_dump,
100
	.min_coredump	= ELF_EXEC_PAGESIZE,
101
#endif
102
};
103

104
#define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
105

106
/*
107
 * We need to explicitly zero any trailing portion of the page that follows
108
 * p_filesz when it ends before the page ends (e.g. bss), otherwise this
109
 * memory will contain the junk from the file that should not be present.
110
 */
111
static int padzero(unsigned long address)
112
{
113
	unsigned long nbyte;
114

115
	nbyte = ELF_PAGEOFFSET(address);
116
	if (nbyte) {
117
		nbyte = ELF_MIN_ALIGN - nbyte;
118
		if (clear_user((void __user *)address, nbyte))
119
			return -EFAULT;
120
	}
121
	return 0;
122
}
123

124
/* Let's use some macros to make this stack manipulation a little clearer */
125
#ifdef CONFIG_STACK_GROWSUP
126
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
127
#define STACK_ROUND(sp, items) \
128
	((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
129
#define STACK_ALLOC(sp, len) ({ \
130
	elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
131
	old_sp; })
132
#else
133
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
134
#define STACK_ROUND(sp, items) \
135
	(((unsigned long) (sp - items)) &~ 15UL)
136
#define STACK_ALLOC(sp, len) (sp -= len)
137
#endif
138

139
#ifndef ELF_BASE_PLATFORM
140
/*
141
 * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
142
 * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
143
 * will be copied to the user stack in the same manner as AT_PLATFORM.
144
 */
145
#define ELF_BASE_PLATFORM NULL
146
#endif
147

148
static int
149
create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
150
		unsigned long interp_load_addr,
151
		unsigned long e_entry, unsigned long phdr_addr)
152
{
153
	struct mm_struct *mm = current->mm;
154
	unsigned long p = bprm->p;
155
	int argc = bprm->argc;
156
	int envc = bprm->envc;
157
	elf_addr_t __user *sp;
158
	elf_addr_t __user *u_platform;
159
	elf_addr_t __user *u_base_platform;
160
	elf_addr_t __user *u_rand_bytes;
161
	const char *k_platform = ELF_PLATFORM;
162
	const char *k_base_platform = ELF_BASE_PLATFORM;
163
	unsigned char k_rand_bytes[16];
164
	int items;
165
	elf_addr_t *elf_info;
166
	elf_addr_t flags = 0;
167
	int ei_index;
168
	const struct cred *cred = current_cred();
169
	struct vm_area_struct *vma;
170

171
	/*
172
	 * In some cases (e.g. Hyper-Threading), we want to avoid L1
173
	 * evictions by the processes running on the same package. One
174
	 * thing we can do is to shuffle the initial stack for them.
175
	 */
176

177
	p = arch_align_stack(p);
178

179
	/*
180
	 * If this architecture has a platform capability string, copy it
181
	 * to userspace.  In some cases (Sparc), this info is impossible
182
	 * for userspace to get any other way, in others (i386) it is
183
	 * merely difficult.
184
	 */
185
	u_platform = NULL;
186
	if (k_platform) {
187
		size_t len = strlen(k_platform) + 1;
188

189
		u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
190
		if (copy_to_user(u_platform, k_platform, len))
191
			return -EFAULT;
192
	}
193

194
	/*
195
	 * If this architecture has a "base" platform capability
196
	 * string, copy it to userspace.
197
	 */
198
	u_base_platform = NULL;
199
	if (k_base_platform) {
200
		size_t len = strlen(k_base_platform) + 1;
201

202
		u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
203
		if (copy_to_user(u_base_platform, k_base_platform, len))
204
			return -EFAULT;
205
	}
206

207
	/*
208
	 * Generate 16 random bytes for userspace PRNG seeding.
209
	 */
210
	get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
211
	u_rand_bytes = (elf_addr_t __user *)
212
		       STACK_ALLOC(p, sizeof(k_rand_bytes));
213
	if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
214
		return -EFAULT;
215

216
	/* Create the ELF interpreter info */
217
	elf_info = (elf_addr_t *)mm->saved_auxv;
218
	/* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
219
#define NEW_AUX_ENT(id, val) \
220
	do { \
221
		*elf_info++ = id; \
222
		*elf_info++ = val; \
223
	} while (0)
224

225
#ifdef ARCH_DLINFO
226
	/*
227
	 * ARCH_DLINFO must come first so PPC can do its special alignment of
228
	 * AUXV.
229
	 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
230
	 * ARCH_DLINFO changes
231
	 */
232
	ARCH_DLINFO;
233
#endif
234
	NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
235
	NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
236
	NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
237
	NEW_AUX_ENT(AT_PHDR, phdr_addr);
238
	NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
239
	NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
240
	NEW_AUX_ENT(AT_BASE, interp_load_addr);
241
	if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0)
242
		flags |= AT_FLAGS_PRESERVE_ARGV0;
243
	NEW_AUX_ENT(AT_FLAGS, flags);
244
	NEW_AUX_ENT(AT_ENTRY, e_entry);
245
	NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
246
	NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
247
	NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
248
	NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
249
	NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
250
	NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
251
#ifdef ELF_HWCAP2
252
	NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
253
#endif
254
#ifdef ELF_HWCAP3
255
	NEW_AUX_ENT(AT_HWCAP3, ELF_HWCAP3);
256
#endif
257
#ifdef ELF_HWCAP4
258
	NEW_AUX_ENT(AT_HWCAP4, ELF_HWCAP4);
259
#endif
260
	NEW_AUX_ENT(AT_EXECFN, bprm->exec);
261
	if (k_platform) {
262
		NEW_AUX_ENT(AT_PLATFORM,
263
			    (elf_addr_t)(unsigned long)u_platform);
264
	}
265
	if (k_base_platform) {
266
		NEW_AUX_ENT(AT_BASE_PLATFORM,
267
			    (elf_addr_t)(unsigned long)u_base_platform);
268
	}
269
	if (bprm->have_execfd) {
270
		NEW_AUX_ENT(AT_EXECFD, bprm->execfd);
271
	}
272
#ifdef CONFIG_RSEQ
273
	NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end));
274
	NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq));
275
#endif
276
#undef NEW_AUX_ENT
277
	/* AT_NULL is zero; clear the rest too */
278
	memset(elf_info, 0, (char *)mm->saved_auxv +
279
			sizeof(mm->saved_auxv) - (char *)elf_info);
280

281
	/* And advance past the AT_NULL entry.  */
282
	elf_info += 2;
283

284
	ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
285
	sp = STACK_ADD(p, ei_index);
286

287
	items = (argc + 1) + (envc + 1) + 1;
288
	bprm->p = STACK_ROUND(sp, items);
289

290
	/* Point sp at the lowest address on the stack */
291
#ifdef CONFIG_STACK_GROWSUP
292
	sp = (elf_addr_t __user *)bprm->p - items - ei_index;
293
	bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
294
#else
295
	sp = (elf_addr_t __user *)bprm->p;
296
#endif
297

298

299
	/*
300
	 * Grow the stack manually; some architectures have a limit on how
301
	 * far ahead a user-space access may be in order to grow the stack.
302
	 */
303
	if (mmap_write_lock_killable(mm))
304
		return -EINTR;
305
	vma = find_extend_vma_locked(mm, bprm->p);
306
	mmap_write_unlock(mm);
307
	if (!vma)
308
		return -EFAULT;
309

310
	/* Now, let's put argc (and argv, envp if appropriate) on the stack */
311
	if (put_user(argc, sp++))
312
		return -EFAULT;
313

314
	/* Populate list of argv pointers back to argv strings. */
315
	p = mm->arg_end = mm->arg_start;
316
	while (argc-- > 0) {
317
		size_t len;
318
		if (put_user((elf_addr_t)p, sp++))
319
			return -EFAULT;
320
		len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
321
		if (!len || len > MAX_ARG_STRLEN)
322
			return -EINVAL;
323
		p += len;
324
	}
325
	if (put_user(0, sp++))
326
		return -EFAULT;
327
	mm->arg_end = p;
328

329
	/* Populate list of envp pointers back to envp strings. */
330
	mm->env_end = mm->env_start = p;
331
	while (envc-- > 0) {
332
		size_t len;
333
		if (put_user((elf_addr_t)p, sp++))
334
			return -EFAULT;
335
		len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
336
		if (!len || len > MAX_ARG_STRLEN)
337
			return -EINVAL;
338
		p += len;
339
	}
340
	if (put_user(0, sp++))
341
		return -EFAULT;
342
	mm->env_end = p;
343

344
	/* Put the elf_info on the stack in the right place.  */
345
	if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
346
		return -EFAULT;
347
	return 0;
348
}
349

350
/*
351
 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
352
 * into memory at "addr". (Note that p_filesz is rounded up to the
353
 * next page, so any extra bytes from the file must be wiped.)
354
 */
355
static unsigned long elf_map(struct file *filep, unsigned long addr,
356
		const struct elf_phdr *eppnt, int prot, int type,
357
		unsigned long total_size)
358
{
359
	unsigned long map_addr;
360
	unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
361
	unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
362
	addr = ELF_PAGESTART(addr);
363
	size = ELF_PAGEALIGN(size);
364

365
	/* mmap() will return -EINVAL if given a zero size, but a
366
	 * segment with zero filesize is perfectly valid */
367
	if (!size)
368
		return addr;
369

370
	/*
371
	* total_size is the size of the ELF (interpreter) image.
372
	* The _first_ mmap needs to know the full size, otherwise
373
	* randomization might put this image into an overlapping
374
	* position with the ELF binary image. (since size < total_size)
375
	* So we first map the 'big' image - and unmap the remainder at
376
	* the end. (which unmap is needed for ELF images with holes.)
377
	*/
378
	if (total_size) {
379
		total_size = ELF_PAGEALIGN(total_size);
380
		map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
381
		if (!BAD_ADDR(map_addr))
382
			vm_munmap(map_addr+size, total_size-size);
383
	} else
384
		map_addr = vm_mmap(filep, addr, size, prot, type, off);
385

386
	if ((type & MAP_FIXED_NOREPLACE) &&
387
	    PTR_ERR((void *)map_addr) == -EEXIST)
388
		pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
389
			task_pid_nr(current), current->comm, (void *)addr);
390

391
	return(map_addr);
392
}
393

394
/*
395
 * Map "eppnt->p_filesz" bytes from "filep" offset "eppnt->p_offset"
396
 * into memory at "addr". Memory from "p_filesz" through "p_memsz"
397
 * rounded up to the next page is zeroed.
398
 */
399
static unsigned long elf_load(struct file *filep, unsigned long addr,
400
		const struct elf_phdr *eppnt, int prot, int type,
401
		unsigned long total_size)
402
{
403
	unsigned long zero_start, zero_end;
404
	unsigned long map_addr;
405

406
	if (eppnt->p_filesz) {
407
		map_addr = elf_map(filep, addr, eppnt, prot, type, total_size);
408
		if (BAD_ADDR(map_addr))
409
			return map_addr;
410
		if (eppnt->p_memsz > eppnt->p_filesz) {
411
			zero_start = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
412
				eppnt->p_filesz;
413
			zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
414
				eppnt->p_memsz;
415

416
			/*
417
			 * Zero the end of the last mapped page but ignore
418
			 * any errors if the segment isn't writable.
419
			 */
420
			if (padzero(zero_start) && (prot & PROT_WRITE))
421
				return -EFAULT;
422
		}
423
	} else {
424
		map_addr = zero_start = ELF_PAGESTART(addr);
425
		zero_end = zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) +
426
			eppnt->p_memsz;
427
	}
428
	if (eppnt->p_memsz > eppnt->p_filesz) {
429
		/*
430
		 * Map the last of the segment.
431
		 * If the header is requesting these pages to be
432
		 * executable, honour that (ppc32 needs this).
433
		 */
434
		int error;
435

436
		zero_start = ELF_PAGEALIGN(zero_start);
437
		zero_end = ELF_PAGEALIGN(zero_end);
438

439
		error = vm_brk_flags(zero_start, zero_end - zero_start,
440
				     prot & PROT_EXEC ? VM_EXEC : 0);
441
		if (error)
442
			map_addr = error;
443
	}
444
	return map_addr;
445
}
446

447

448
static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr)
449
{
450
	elf_addr_t min_addr = -1;
451
	elf_addr_t max_addr = 0;
452
	bool pt_load = false;
453
	int i;
454

455
	for (i = 0; i < nr; i++) {
456
		if (phdr[i].p_type == PT_LOAD) {
457
			min_addr = min(min_addr, ELF_PAGESTART(phdr[i].p_vaddr));
458
			max_addr = max(max_addr, phdr[i].p_vaddr + phdr[i].p_memsz);
459
			pt_load = true;
460
		}
461
	}
462
	return pt_load ? (max_addr - min_addr) : 0;
463
}
464

465
static int elf_read(struct file *file, void *buf, size_t len, loff_t pos)
466
{
467
	ssize_t rv;
468

469
	rv = kernel_read(file, buf, len, &pos);
470
	if (unlikely(rv != len)) {
471
		return (rv < 0) ? rv : -EIO;
472
	}
473
	return 0;
474
}
475

476
static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr)
477
{
478
	unsigned long alignment = 0;
479
	int i;
480

481
	for (i = 0; i < nr; i++) {
482
		if (cmds[i].p_type == PT_LOAD) {
483
			unsigned long p_align = cmds[i].p_align;
484

485
			/* skip non-power of two alignments as invalid */
486
			if (!is_power_of_2(p_align))
487
				continue;
488
			alignment = max(alignment, p_align);
489
		}
490
	}
491

492
	/* ensure we align to at least one page */
493
	return ELF_PAGEALIGN(alignment);
494
}
495

496
/**
497
 * load_elf_phdrs() - load ELF program headers
498
 * @elf_ex:   ELF header of the binary whose program headers should be loaded
499
 * @elf_file: the opened ELF binary file
500
 *
501
 * Loads ELF program headers from the binary file elf_file, which has the ELF
502
 * header pointed to by elf_ex, into a newly allocated array. The caller is
503
 * responsible for freeing the allocated data. Returns NULL upon failure.
504
 */
505
static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
506
				       struct file *elf_file)
507
{
508
	struct elf_phdr *elf_phdata = NULL;
509
	int retval = -1;
510
	unsigned int size;
511

512
	/*
513
	 * If the size of this structure has changed, then punt, since
514
	 * we will be doing the wrong thing.
515
	 */
516
	if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
517
		goto out;
518

519
	/* Sanity check the number of program headers... */
520
	/* ...and their total size. */
521
	size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
522
	if (size == 0 || size > 65536)
523
		goto out;
524

525
	elf_phdata = kmalloc(size, GFP_KERNEL);
526
	if (!elf_phdata)
527
		goto out;
528

529
	/* Read in the program headers */
530
	retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff);
531

532
out:
533
	if (retval) {
534
		kfree(elf_phdata);
535
		elf_phdata = NULL;
536
	}
537
	return elf_phdata;
538
}
539

540
#ifndef CONFIG_ARCH_BINFMT_ELF_STATE
541

542
/**
543
 * struct arch_elf_state - arch-specific ELF loading state
544
 *
545
 * This structure is used to preserve architecture specific data during
546
 * the loading of an ELF file, throughout the checking of architecture
547
 * specific ELF headers & through to the point where the ELF load is
548
 * known to be proceeding (ie. SET_PERSONALITY).
549
 *
550
 * This implementation is a dummy for architectures which require no
551
 * specific state.
552
 */
553
struct arch_elf_state {
554
};
555

556
#define INIT_ARCH_ELF_STATE {}
557

558
/**
559
 * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
560
 * @ehdr:	The main ELF header
561
 * @phdr:	The program header to check
562
 * @elf:	The open ELF file
563
 * @is_interp:	True if the phdr is from the interpreter of the ELF being
564
 *		loaded, else false.
565
 * @state:	Architecture-specific state preserved throughout the process
566
 *		of loading the ELF.
567
 *
568
 * Inspects the program header phdr to validate its correctness and/or
569
 * suitability for the system. Called once per ELF program header in the
570
 * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
571
 * interpreter.
572
 *
573
 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
574
 *         with that return code.
575
 */
576
static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
577
				   struct elf_phdr *phdr,
578
				   struct file *elf, bool is_interp,
579
				   struct arch_elf_state *state)
580
{
581
	/* Dummy implementation, always proceed */
582
	return 0;
583
}
584

585
/**
586
 * arch_check_elf() - check an ELF executable
587
 * @ehdr:	The main ELF header
588
 * @has_interp:	True if the ELF has an interpreter, else false.
589
 * @interp_ehdr: The interpreter's ELF header
590
 * @state:	Architecture-specific state preserved throughout the process
591
 *		of loading the ELF.
592
 *
593
 * Provides a final opportunity for architecture code to reject the loading
594
 * of the ELF & cause an exec syscall to return an error. This is called after
595
 * all program headers to be checked by arch_elf_pt_proc have been.
596
 *
597
 * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
598
 *         with that return code.
599
 */
600
static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
601
				 struct elfhdr *interp_ehdr,
602
				 struct arch_elf_state *state)
603
{
604
	/* Dummy implementation, always proceed */
605
	return 0;
606
}
607

608
#endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
609

610
static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state,
611
			    bool has_interp, bool is_interp)
612
{
613
	int prot = 0;
614

615
	if (p_flags & PF_R)
616
		prot |= PROT_READ;
617
	if (p_flags & PF_W)
618
		prot |= PROT_WRITE;
619
	if (p_flags & PF_X)
620
		prot |= PROT_EXEC;
621

622
	return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp);
623
}
624

625
/* This is much more generalized than the library routine read function,
626
   so we keep this separate.  Technically the library read function
627
   is only provided so that we can read a.out libraries that have
628
   an ELF header */
629

630
static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
631
		struct file *interpreter,
632
		unsigned long no_base, struct elf_phdr *interp_elf_phdata,
633
		struct arch_elf_state *arch_state)
634
{
635
	struct elf_phdr *eppnt;
636
	unsigned long load_addr = 0;
637
	int load_addr_set = 0;
638
	unsigned long error = ~0UL;
639
	unsigned long total_size;
640
	int i;
641

642
	/* First of all, some simple consistency checks */
643
	if (interp_elf_ex->e_type != ET_EXEC &&
644
	    interp_elf_ex->e_type != ET_DYN)
645
		goto out;
646
	if (!elf_check_arch(interp_elf_ex) ||
647
	    elf_check_fdpic(interp_elf_ex))
648
		goto out;
649
	if (!can_mmap_file(interpreter))
650
		goto out;
651

652
	total_size = total_mapping_size(interp_elf_phdata,
653
					interp_elf_ex->e_phnum);
654
	if (!total_size) {
655
		error = -EINVAL;
656
		goto out;
657
	}
658

659
	eppnt = interp_elf_phdata;
660
	for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
661
		if (eppnt->p_type == PT_LOAD) {
662
			int elf_type = MAP_PRIVATE;
663
			int elf_prot = make_prot(eppnt->p_flags, arch_state,
664
						 true, true);
665
			unsigned long vaddr = 0;
666
			unsigned long k, map_addr;
667

668
			vaddr = eppnt->p_vaddr;
669
			if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
670
				elf_type |= MAP_FIXED;
671
			else if (no_base && interp_elf_ex->e_type == ET_DYN)
672
				load_addr = -vaddr;
673

674
			map_addr = elf_load(interpreter, load_addr + vaddr,
675
					eppnt, elf_prot, elf_type, total_size);
676
			total_size = 0;
677
			error = map_addr;
678
			if (BAD_ADDR(map_addr))
679
				goto out;
680

681
			if (!load_addr_set &&
682
			    interp_elf_ex->e_type == ET_DYN) {
683
				load_addr = map_addr - ELF_PAGESTART(vaddr);
684
				load_addr_set = 1;
685
			}
686

687
			/*
688
			 * Check to see if the section's size will overflow the
689
			 * allowed task size. Note that p_filesz must always be
690
			 * <= p_memsize so it's only necessary to check p_memsz.
691
			 */
692
			k = load_addr + eppnt->p_vaddr;
693
			if (BAD_ADDR(k) ||
694
			    eppnt->p_filesz > eppnt->p_memsz ||
695
			    eppnt->p_memsz > TASK_SIZE ||
696
			    TASK_SIZE - eppnt->p_memsz < k) {
697
				error = -ENOMEM;
698
				goto out;
699
			}
700
		}
701
	}
702

703
	error = load_addr;
704
out:
705
	return error;
706
}
707

708
/*
709
 * These are the functions used to load ELF style executables and shared
710
 * libraries.  There is no binary dependent code anywhere else.
711
 */
712

713
static int parse_elf_property(const char *data, size_t *off, size_t datasz,
714
			      struct arch_elf_state *arch,
715
			      bool have_prev_type, u32 *prev_type)
716
{
717
	size_t o, step;
718
	const struct gnu_property *pr;
719
	int ret;
720

721
	if (*off == datasz)
722
		return -ENOENT;
723

724
	if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN))
725
		return -EIO;
726
	o = *off;
727
	datasz -= *off;
728

729
	if (datasz < sizeof(*pr))
730
		return -ENOEXEC;
731
	pr = (const struct gnu_property *)(data + o);
732
	o += sizeof(*pr);
733
	datasz -= sizeof(*pr);
734

735
	if (pr->pr_datasz > datasz)
736
		return -ENOEXEC;
737

738
	WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN);
739
	step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN);
740
	if (step > datasz)
741
		return -ENOEXEC;
742

743
	/* Properties are supposed to be unique and sorted on pr_type: */
744
	if (have_prev_type && pr->pr_type <= *prev_type)
745
		return -ENOEXEC;
746
	*prev_type = pr->pr_type;
747

748
	ret = arch_parse_elf_property(pr->pr_type, data + o,
749
				      pr->pr_datasz, ELF_COMPAT, arch);
750
	if (ret)
751
		return ret;
752

753
	*off = o + step;
754
	return 0;
755
}
756

757
#define NOTE_DATA_SZ SZ_1K
758
#define NOTE_NAME_SZ (sizeof(NN_GNU_PROPERTY_TYPE_0))
759

760
static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
761
				struct arch_elf_state *arch)
762
{
763
	union {
764
		struct elf_note nhdr;
765
		char data[NOTE_DATA_SZ];
766
	} note;
767
	loff_t pos;
768
	ssize_t n;
769
	size_t off, datasz;
770
	int ret;
771
	bool have_prev_type;
772
	u32 prev_type;
773

774
	if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr)
775
		return 0;
776

777
	/* load_elf_binary() shouldn't call us unless this is true... */
778
	if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY))
779
		return -ENOEXEC;
780

781
	/* If the properties are crazy large, that's too bad (for now): */
782
	if (phdr->p_filesz > sizeof(note))
783
		return -ENOEXEC;
784

785
	pos = phdr->p_offset;
786
	n = kernel_read(f, &note, phdr->p_filesz, &pos);
787

788
	BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
789
	if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
790
		return -EIO;
791

792
	if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
793
	    note.nhdr.n_namesz != NOTE_NAME_SZ ||
794
	    strncmp(note.data + sizeof(note.nhdr),
795
		    NN_GNU_PROPERTY_TYPE_0, n - sizeof(note.nhdr)))
796
		return -ENOEXEC;
797

798
	off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
799
		       ELF_GNU_PROPERTY_ALIGN);
800
	if (off > n)
801
		return -ENOEXEC;
802

803
	if (note.nhdr.n_descsz > n - off)
804
		return -ENOEXEC;
805
	datasz = off + note.nhdr.n_descsz;
806

807
	have_prev_type = false;
808
	do {
809
		ret = parse_elf_property(note.data, &off, datasz, arch,
810
					 have_prev_type, &prev_type);
811
		have_prev_type = true;
812
	} while (!ret);
813

814
	return ret == -ENOENT ? 0 : ret;
815
}
816

817
static int load_elf_binary(struct linux_binprm *bprm)
818
{
819
	struct file *interpreter = NULL; /* to shut gcc up */
820
	unsigned long load_bias = 0, phdr_addr = 0;
821
	int first_pt_load = 1;
822
	unsigned long error;
823
	struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
824
	struct elf_phdr *elf_property_phdata = NULL;
825
	unsigned long elf_brk;
826
	bool brk_moved = false;
827
	int retval, i;
828
	unsigned long elf_entry;
829
	unsigned long e_entry;
830
	unsigned long interp_load_addr = 0;
831
	unsigned long start_code, end_code, start_data, end_data;
832
	unsigned long reloc_func_desc __maybe_unused = 0;
833
	int executable_stack = EXSTACK_DEFAULT;
834
	struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
835
	struct elfhdr *interp_elf_ex = NULL;
836
	struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
837
	struct mm_struct *mm;
838
	struct pt_regs *regs;
839

840
	retval = -ENOEXEC;
841
	/* First of all, some simple consistency checks */
842
	if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
843
		goto out;
844

845
	if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
846
		goto out;
847
	if (!elf_check_arch(elf_ex))
848
		goto out;
849
	if (elf_check_fdpic(elf_ex))
850
		goto out;
851
	if (!can_mmap_file(bprm->file))
852
		goto out;
853

854
	elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
855
	if (!elf_phdata)
856
		goto out;
857

858
	elf_ppnt = elf_phdata;
859
	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
860
		char *elf_interpreter;
861

862
		if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
863
			elf_property_phdata = elf_ppnt;
864
			continue;
865
		}
866

867
		if (elf_ppnt->p_type != PT_INTERP)
868
			continue;
869

870
		/*
871
		 * This is the program interpreter used for shared libraries -
872
		 * for now assume that this is an a.out format binary.
873
		 */
874
		retval = -ENOEXEC;
875
		if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
876
			goto out_free_ph;
877

878
		retval = -ENOMEM;
879
		elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
880
		if (!elf_interpreter)
881
			goto out_free_ph;
882

883
		retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
884
				  elf_ppnt->p_offset);
885
		if (retval < 0)
886
			goto out_free_interp;
887
		/* make sure path is NULL terminated */
888
		retval = -ENOEXEC;
889
		if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
890
			goto out_free_interp;
891

892
		interpreter = open_exec(elf_interpreter);
893
		kfree(elf_interpreter);
894
		retval = PTR_ERR(interpreter);
895
		if (IS_ERR(interpreter))
896
			goto out_free_ph;
897

898
		/*
899
		 * If the binary is not readable then enforce mm->dumpable = 0
900
		 * regardless of the interpreter's permissions.
901
		 */
902
		would_dump(bprm, interpreter);
903

904
		interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
905
		if (!interp_elf_ex) {
906
			retval = -ENOMEM;
907
			goto out_free_file;
908
		}
909

910
		/* Get the exec headers */
911
		retval = elf_read(interpreter, interp_elf_ex,
912
				  sizeof(*interp_elf_ex), 0);
913
		if (retval < 0)
914
			goto out_free_dentry;
915

916
		break;
917

918
out_free_interp:
919
		kfree(elf_interpreter);
920
		goto out_free_ph;
921
	}
922

923
	elf_ppnt = elf_phdata;
924
	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
925
		switch (elf_ppnt->p_type) {
926
		case PT_GNU_STACK:
927
			if (elf_ppnt->p_flags & PF_X)
928
				executable_stack = EXSTACK_ENABLE_X;
929
			else
930
				executable_stack = EXSTACK_DISABLE_X;
931
			break;
932

933
		case PT_LOPROC ... PT_HIPROC:
934
			retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
935
						  bprm->file, false,
936
						  &arch_state);
937
			if (retval)
938
				goto out_free_dentry;
939
			break;
940
		}
941

942
	/* Some simple consistency checks for the interpreter */
943
	if (interpreter) {
944
		retval = -ELIBBAD;
945
		/* Not an ELF interpreter */
946
		if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
947
			goto out_free_dentry;
948
		/* Verify the interpreter has a valid arch */
949
		if (!elf_check_arch(interp_elf_ex) ||
950
		    elf_check_fdpic(interp_elf_ex))
951
			goto out_free_dentry;
952

953
		/* Load the interpreter program headers */
954
		interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
955
						   interpreter);
956
		if (!interp_elf_phdata)
957
			goto out_free_dentry;
958

959
		/* Pass PT_LOPROC..PT_HIPROC headers to arch code */
960
		elf_property_phdata = NULL;
961
		elf_ppnt = interp_elf_phdata;
962
		for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
963
			switch (elf_ppnt->p_type) {
964
			case PT_GNU_PROPERTY:
965
				elf_property_phdata = elf_ppnt;
966
				break;
967

968
			case PT_LOPROC ... PT_HIPROC:
969
				retval = arch_elf_pt_proc(interp_elf_ex,
970
							  elf_ppnt, interpreter,
971
							  true, &arch_state);
972
				if (retval)
973
					goto out_free_dentry;
974
				break;
975
			}
976
	}
977

978
	retval = parse_elf_properties(interpreter ?: bprm->file,
979
				      elf_property_phdata, &arch_state);
980
	if (retval)
981
		goto out_free_dentry;
982

983
	/*
984
	 * Allow arch code to reject the ELF at this point, whilst it's
985
	 * still possible to return an error to the code that invoked
986
	 * the exec syscall.
987
	 */
988
	retval = arch_check_elf(elf_ex,
989
				!!interpreter, interp_elf_ex,
990
				&arch_state);
991
	if (retval)
992
		goto out_free_dentry;
993

994
	/* Flush all traces of the currently running executable */
995
	retval = begin_new_exec(bprm);
996
	if (retval)
997
		goto out_free_dentry;
998

999
	/* Do this immediately, since STACK_TOP as used in setup_arg_pages
1000
	   may depend on the personality.  */
1001
	SET_PERSONALITY2(*elf_ex, &arch_state);
1002
	if (elf_read_implies_exec(*elf_ex, executable_stack))
1003
		current->personality |= READ_IMPLIES_EXEC;
1004

1005
	const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space);
1006
	if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space)
1007
		current->flags |= PF_RANDOMIZE;
1008

1009
	setup_new_exec(bprm);
1010

1011
	/* Do this so that we can load the interpreter, if need be.  We will
1012
	   change some of these later */
1013
	retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
1014
				 executable_stack);
1015
	if (retval < 0)
1016
		goto out_free_dentry;
1017

1018
	elf_brk = 0;
1019

1020
	start_code = ~0UL;
1021
	end_code = 0;
1022
	start_data = 0;
1023
	end_data = 0;
1024

1025
	/* Now we do a little grungy work by mmapping the ELF image into
1026
	   the correct location in memory. */
1027
	for(i = 0, elf_ppnt = elf_phdata;
1028
	    i < elf_ex->e_phnum; i++, elf_ppnt++) {
1029
		int elf_prot, elf_flags;
1030
		unsigned long k, vaddr;
1031
		unsigned long total_size = 0;
1032
		unsigned long alignment;
1033

1034
		if (elf_ppnt->p_type != PT_LOAD)
1035
			continue;
1036

1037
		elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
1038
				     !!interpreter, false);
1039

1040
		elf_flags = MAP_PRIVATE;
1041

1042
		vaddr = elf_ppnt->p_vaddr;
1043
		/*
1044
		 * The first time through the loop, first_pt_load is true:
1045
		 * layout will be calculated. Once set, use MAP_FIXED since
1046
		 * we know we've already safely mapped the entire region with
1047
		 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
1048
		 */
1049
		if (!first_pt_load) {
1050
			elf_flags |= MAP_FIXED;
1051
		} else if (elf_ex->e_type == ET_EXEC) {
1052
			/*
1053
			 * This logic is run once for the first LOAD Program
1054
			 * Header for ET_EXEC binaries. No special handling
1055
			 * is needed.
1056
			 */
1057
			elf_flags |= MAP_FIXED_NOREPLACE;
1058
		} else if (elf_ex->e_type == ET_DYN) {
1059
			/*
1060
			 * This logic is run once for the first LOAD Program
1061
			 * Header for ET_DYN binaries to calculate the
1062
			 * randomization (load_bias) for all the LOAD
1063
			 * Program Headers.
1064
			 */
1065

1066
			/*
1067
			 * Calculate the entire size of the ELF mapping
1068
			 * (total_size), used for the initial mapping,
1069
			 * due to load_addr_set which is set to true later
1070
			 * once the initial mapping is performed.
1071
			 *
1072
			 * Note that this is only sensible when the LOAD
1073
			 * segments are contiguous (or overlapping). If
1074
			 * used for LOADs that are far apart, this would
1075
			 * cause the holes between LOADs to be mapped,
1076
			 * running the risk of having the mapping fail,
1077
			 * as it would be larger than the ELF file itself.
1078
			 *
1079
			 * As a result, only ET_DYN does this, since
1080
			 * some ET_EXEC (e.g. ia64) may have large virtual
1081
			 * memory holes between LOADs.
1082
			 *
1083
			 */
1084
			total_size = total_mapping_size(elf_phdata,
1085
							elf_ex->e_phnum);
1086
			if (!total_size) {
1087
				retval = -EINVAL;
1088
				goto out_free_dentry;
1089
			}
1090

1091
			/* Calculate any requested alignment. */
1092
			alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
1093

1094
			/**
1095
			 * DOC: PIE handling
1096
			 *
1097
			 * There are effectively two types of ET_DYN ELF
1098
			 * binaries: programs (i.e. PIE: ET_DYN with
1099
			 * PT_INTERP) and loaders (i.e. static PIE: ET_DYN
1100
			 * without PT_INTERP, usually the ELF interpreter
1101
			 * itself). Loaders must be loaded away from programs
1102
			 * since the program may otherwise collide with the
1103
			 * loader (especially for ET_EXEC which does not have
1104
			 * a randomized position).
1105
			 *
1106
			 * For example, to handle invocations of
1107
			 * "./ld.so someprog" to test out a new version of
1108
			 * the loader, the subsequent program that the
1109
			 * loader loads must avoid the loader itself, so
1110
			 * they cannot share the same load range. Sufficient
1111
			 * room for the brk must be allocated with the
1112
			 * loader as well, since brk must be available with
1113
			 * the loader.
1114
			 *
1115
			 * Therefore, programs are loaded offset from
1116
			 * ELF_ET_DYN_BASE and loaders are loaded into the
1117
			 * independently randomized mmap region (0 load_bias
1118
			 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
1119
			 *
1120
			 * See below for "brk" handling details, which is
1121
			 * also affected by program vs loader and ASLR.
1122
			 */
1123
			if (interpreter) {
1124
				/* On ET_DYN with PT_INTERP, we do the ASLR. */
1125
				load_bias = ELF_ET_DYN_BASE;
1126
				if (current->flags & PF_RANDOMIZE)
1127
					load_bias += arch_mmap_rnd();
1128
				/* Adjust alignment as requested. */
1129
				if (alignment)
1130
					load_bias &= ~(alignment - 1);
1131
				elf_flags |= MAP_FIXED_NOREPLACE;
1132
			} else {
1133
				/*
1134
				 * For ET_DYN without PT_INTERP, we rely on
1135
				 * the architectures's (potentially ASLR) mmap
1136
				 * base address (via a load_bias of 0).
1137
				 *
1138
				 * When a large alignment is requested, we
1139
				 * must do the allocation at address "0" right
1140
				 * now to discover where things will load so
1141
				 * that we can adjust the resulting alignment.
1142
				 * In this case (load_bias != 0), we can use
1143
				 * MAP_FIXED_NOREPLACE to make sure the mapping
1144
				 * doesn't collide with anything.
1145
				 */
1146
				if (alignment > ELF_MIN_ALIGN) {
1147
					load_bias = elf_load(bprm->file, 0, elf_ppnt,
1148
							     elf_prot, elf_flags, total_size);
1149
					if (BAD_ADDR(load_bias)) {
1150
						retval = IS_ERR_VALUE(load_bias) ?
1151
							 PTR_ERR((void*)load_bias) : -EINVAL;
1152
						goto out_free_dentry;
1153
					}
1154
					vm_munmap(load_bias, total_size);
1155
					/* Adjust alignment as requested. */
1156
					if (alignment)
1157
						load_bias &= ~(alignment - 1);
1158
					elf_flags |= MAP_FIXED_NOREPLACE;
1159
				} else
1160
					load_bias = 0;
1161
			}
1162

1163
			/*
1164
			 * Since load_bias is used for all subsequent loading
1165
			 * calculations, we must lower it by the first vaddr
1166
			 * so that the remaining calculations based on the
1167
			 * ELF vaddrs will be correctly offset. The result
1168
			 * is then page aligned.
1169
			 */
1170
			load_bias = ELF_PAGESTART(load_bias - vaddr);
1171
		}
1172

1173
		error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt,
1174
				elf_prot, elf_flags, total_size);
1175
		if (BAD_ADDR(error)) {
1176
			retval = IS_ERR_VALUE(error) ?
1177
				PTR_ERR((void*)error) : -EINVAL;
1178
			goto out_free_dentry;
1179
		}
1180

1181
		if (first_pt_load) {
1182
			first_pt_load = 0;
1183
			if (elf_ex->e_type == ET_DYN) {
1184
				load_bias += error -
1185
				             ELF_PAGESTART(load_bias + vaddr);
1186
				reloc_func_desc = load_bias;
1187
			}
1188
		}
1189

1190
		/*
1191
		 * Figure out which segment in the file contains the Program
1192
		 * Header table, and map to the associated memory address.
1193
		 */
1194
		if (elf_ppnt->p_offset <= elf_ex->e_phoff &&
1195
		    elf_ex->e_phoff < elf_ppnt->p_offset + elf_ppnt->p_filesz) {
1196
			phdr_addr = elf_ex->e_phoff - elf_ppnt->p_offset +
1197
				    elf_ppnt->p_vaddr;
1198
		}
1199

1200
		k = elf_ppnt->p_vaddr;
1201
		if ((elf_ppnt->p_flags & PF_X) && k < start_code)
1202
			start_code = k;
1203
		if (start_data < k)
1204
			start_data = k;
1205

1206
		/*
1207
		 * Check to see if the section's size will overflow the
1208
		 * allowed task size. Note that p_filesz must always be
1209
		 * <= p_memsz so it is only necessary to check p_memsz.
1210
		 */
1211
		if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
1212
		    elf_ppnt->p_memsz > TASK_SIZE ||
1213
		    TASK_SIZE - elf_ppnt->p_memsz < k) {
1214
			/* set_brk can never work. Avoid overflows. */
1215
			retval = -EINVAL;
1216
			goto out_free_dentry;
1217
		}
1218

1219
		k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
1220

1221
		if ((elf_ppnt->p_flags & PF_X) && end_code < k)
1222
			end_code = k;
1223
		if (end_data < k)
1224
			end_data = k;
1225
		k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
1226
		if (k > elf_brk)
1227
			elf_brk = k;
1228
	}
1229

1230
	e_entry = elf_ex->e_entry + load_bias;
1231
	phdr_addr += load_bias;
1232
	elf_brk += load_bias;
1233
	start_code += load_bias;
1234
	end_code += load_bias;
1235
	start_data += load_bias;
1236
	end_data += load_bias;
1237

1238
	if (interpreter) {
1239
		elf_entry = load_elf_interp(interp_elf_ex,
1240
					    interpreter,
1241
					    load_bias, interp_elf_phdata,
1242
					    &arch_state);
1243
		if (!IS_ERR_VALUE(elf_entry)) {
1244
			/*
1245
			 * load_elf_interp() returns relocation
1246
			 * adjustment
1247
			 */
1248
			interp_load_addr = elf_entry;
1249
			elf_entry += interp_elf_ex->e_entry;
1250
		}
1251
		if (BAD_ADDR(elf_entry)) {
1252
			retval = IS_ERR_VALUE(elf_entry) ?
1253
					(int)elf_entry : -EINVAL;
1254
			goto out_free_dentry;
1255
		}
1256
		reloc_func_desc = interp_load_addr;
1257

1258
		exe_file_allow_write_access(interpreter);
1259
		fput(interpreter);
1260

1261
		kfree(interp_elf_ex);
1262
		kfree(interp_elf_phdata);
1263
	} else {
1264
		elf_entry = e_entry;
1265
		if (BAD_ADDR(elf_entry)) {
1266
			retval = -EINVAL;
1267
			goto out_free_dentry;
1268
		}
1269
	}
1270

1271
	kfree(elf_phdata);
1272

1273
	set_binfmt(&elf_format);
1274

1275
#ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
1276
	retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter);
1277
	if (retval < 0)
1278
		goto out;
1279
#endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
1280

1281
	retval = create_elf_tables(bprm, elf_ex, interp_load_addr,
1282
				   e_entry, phdr_addr);
1283
	if (retval < 0)
1284
		goto out;
1285

1286
	mm = current->mm;
1287
	mm->end_code = end_code;
1288
	mm->start_code = start_code;
1289
	mm->start_data = start_data;
1290
	mm->end_data = end_data;
1291
	mm->start_stack = bprm->p;
1292

1293
	/**
1294
	 * DOC: "brk" handling
1295
	 *
1296
	 * For architectures with ELF randomization, when executing a
1297
	 * loader directly (i.e. static PIE: ET_DYN without PT_INTERP),
1298
	 * move the brk area out of the mmap region and into the unused
1299
	 * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide
1300
	 * early with the stack growing down or other regions being put
1301
	 * into the mmap region by the kernel (e.g. vdso).
1302
	 *
1303
	 * In the CONFIG_COMPAT_BRK case, though, everything is turned
1304
	 * off because we're not allowed to move the brk at all.
1305
	 */
1306
	if (!IS_ENABLED(CONFIG_COMPAT_BRK) &&
1307
	    IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
1308
	    elf_ex->e_type == ET_DYN && !interpreter) {
1309
		elf_brk = ELF_ET_DYN_BASE;
1310
		/* This counts as moving the brk, so let brk(2) know. */
1311
		brk_moved = true;
1312
	}
1313
	mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk);
1314

1315
	if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) {
1316
		/*
1317
		 * If we didn't move the brk to ELF_ET_DYN_BASE (above),
1318
		 * leave a gap between .bss and brk.
1319
		 */
1320
		if (!brk_moved)
1321
			mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
1322

1323
		mm->brk = mm->start_brk = arch_randomize_brk(mm);
1324
		brk_moved = true;
1325
	}
1326

1327
#ifdef compat_brk_randomized
1328
	if (brk_moved)
1329
		current->brk_randomized = 1;
1330
#endif
1331

1332
	if (current->personality & MMAP_PAGE_ZERO) {
1333
		/* Why this, you ask???  Well SVr4 maps page 0 as read-only,
1334
		   and some applications "depend" upon this behavior.
1335
		   Since we do not have the power to recompile these, we
1336
		   emulate the SVr4 behavior. Sigh. */
1337
		error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
1338
				MAP_FIXED | MAP_PRIVATE, 0);
1339

1340
		retval = do_mseal(0, PAGE_SIZE, 0);
1341
		if (retval)
1342
			pr_warn_ratelimited("pid=%d, couldn't seal address 0, ret=%d.\n",
1343
					    task_pid_nr(current), retval);
1344
	}
1345

1346
	regs = current_pt_regs();
1347
#ifdef ELF_PLAT_INIT
1348
	/*
1349
	 * The ABI may specify that certain registers be set up in special
1350
	 * ways (on i386 %edx is the address of a DT_FINI function, for
1351
	 * example.  In addition, it may also specify (eg, PowerPC64 ELF)
1352
	 * that the e_entry field is the address of the function descriptor
1353
	 * for the startup routine, rather than the address of the startup
1354
	 * routine itself.  This macro performs whatever initialization to
1355
	 * the regs structure is required as well as any relocations to the
1356
	 * function descriptor entries when executing dynamically links apps.
1357
	 */
1358
	ELF_PLAT_INIT(regs, reloc_func_desc);
1359
#endif
1360

1361
	finalize_exec(bprm);
1362
	START_THREAD(elf_ex, regs, elf_entry, bprm->p);
1363
	retval = 0;
1364
out:
1365
	return retval;
1366

1367
	/* error cleanup */
1368
out_free_dentry:
1369
	kfree(interp_elf_ex);
1370
	kfree(interp_elf_phdata);
1371
out_free_file:
1372
	exe_file_allow_write_access(interpreter);
1373
	if (interpreter)
1374
		fput(interpreter);
1375
out_free_ph:
1376
	kfree(elf_phdata);
1377
	goto out;
1378
}
1379

1380
#ifdef CONFIG_ELF_CORE
1381
/*
1382
 * ELF core dumper
1383
 *
1384
 * Modelled on fs/exec.c:aout_core_dump()
1385
 * Jeremy Fitzhardinge <[email protected]>
1386
 */
1387

1388
/* An ELF note in memory */
1389
struct memelfnote
1390
{
1391
	const char *name;
1392
	int type;
1393
	unsigned int datasz;
1394
	void *data;
1395
};
1396

1397
static int notesize(struct memelfnote *en)
1398
{
1399
	int sz;
1400

1401
	sz = sizeof(struct elf_note);
1402
	sz += roundup(strlen(en->name) + 1, 4);
1403
	sz += roundup(en->datasz, 4);
1404

1405
	return sz;
1406
}
1407

1408
static int writenote(struct memelfnote *men, struct coredump_params *cprm)
1409
{
1410
	struct elf_note en;
1411
	en.n_namesz = strlen(men->name) + 1;
1412
	en.n_descsz = men->datasz;
1413
	en.n_type = men->type;
1414

1415
	return dump_emit(cprm, &en, sizeof(en)) &&
1416
	    dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
1417
	    dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
1418
}
1419

1420
static void fill_elf_header(struct elfhdr *elf, int segs,
1421
			    u16 machine, u32 flags)
1422
{
1423
	memset(elf, 0, sizeof(*elf));
1424

1425
	memcpy(elf->e_ident, ELFMAG, SELFMAG);
1426
	elf->e_ident[EI_CLASS] = ELF_CLASS;
1427
	elf->e_ident[EI_DATA] = ELF_DATA;
1428
	elf->e_ident[EI_VERSION] = EV_CURRENT;
1429
	elf->e_ident[EI_OSABI] = ELF_OSABI;
1430

1431
	elf->e_type = ET_CORE;
1432
	elf->e_machine = machine;
1433
	elf->e_version = EV_CURRENT;
1434
	elf->e_phoff = sizeof(struct elfhdr);
1435
	elf->e_flags = flags;
1436
	elf->e_ehsize = sizeof(struct elfhdr);
1437
	elf->e_phentsize = sizeof(struct elf_phdr);
1438
	elf->e_phnum = segs;
1439
}
1440

1441
static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
1442
{
1443
	phdr->p_type = PT_NOTE;
1444
	phdr->p_offset = offset;
1445
	phdr->p_vaddr = 0;
1446
	phdr->p_paddr = 0;
1447
	phdr->p_filesz = sz;
1448
	phdr->p_memsz = 0;
1449
	phdr->p_flags = 0;
1450
	phdr->p_align = 4;
1451
}
1452

1453
static void __fill_note(struct memelfnote *note, const char *name, int type,
1454
			unsigned int sz, void *data)
1455
{
1456
	note->name = name;
1457
	note->type = type;
1458
	note->datasz = sz;
1459
	note->data = data;
1460
}
1461

1462
#define fill_note(note, type, sz, data) \
1463
	__fill_note(note, NN_ ## type, NT_ ## type, sz, data)
1464

1465
/*
1466
 * fill up all the fields in prstatus from the given task struct, except
1467
 * registers which need to be filled up separately.
1468
 */
1469
static void fill_prstatus(struct elf_prstatus_common *prstatus,
1470
		struct task_struct *p, long signr)
1471
{
1472
	prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
1473
	prstatus->pr_sigpend = p->pending.signal.sig[0];
1474
	prstatus->pr_sighold = p->blocked.sig[0];
1475
	rcu_read_lock();
1476
	prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1477
	rcu_read_unlock();
1478
	prstatus->pr_pid = task_pid_vnr(p);
1479
	prstatus->pr_pgrp = task_pgrp_vnr(p);
1480
	prstatus->pr_sid = task_session_vnr(p);
1481
	if (thread_group_leader(p)) {
1482
		struct task_cputime cputime;
1483

1484
		/*
1485
		 * This is the record for the group leader.  It shows the
1486
		 * group-wide total, not its individual thread total.
1487
		 */
1488
		thread_group_cputime(p, &cputime);
1489
		prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime);
1490
		prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime);
1491
	} else {
1492
		u64 utime, stime;
1493

1494
		task_cputime(p, &utime, &stime);
1495
		prstatus->pr_utime = ns_to_kernel_old_timeval(utime);
1496
		prstatus->pr_stime = ns_to_kernel_old_timeval(stime);
1497
	}
1498

1499
	prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime);
1500
	prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime);
1501
}
1502

1503
static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
1504
		       struct mm_struct *mm)
1505
{
1506
	const struct cred *cred;
1507
	unsigned int i, len;
1508
	unsigned int state;
1509

1510
	/* first copy the parameters from user space */
1511
	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
1512

1513
	len = mm->arg_end - mm->arg_start;
1514
	if (len >= ELF_PRARGSZ)
1515
		len = ELF_PRARGSZ-1;
1516
	if (copy_from_user(&psinfo->pr_psargs,
1517
		           (const char __user *)mm->arg_start, len))
1518
		return -EFAULT;
1519
	for(i = 0; i < len; i++)
1520
		if (psinfo->pr_psargs[i] == 0)
1521
			psinfo->pr_psargs[i] = ' ';
1522
	psinfo->pr_psargs[len] = 0;
1523

1524
	rcu_read_lock();
1525
	psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1526
	rcu_read_unlock();
1527
	psinfo->pr_pid = task_pid_vnr(p);
1528
	psinfo->pr_pgrp = task_pgrp_vnr(p);
1529
	psinfo->pr_sid = task_session_vnr(p);
1530

1531
	state = READ_ONCE(p->__state);
1532
	i = state ? ffz(~state) + 1 : 0;
1533
	psinfo->pr_state = i;
1534
	psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
1535
	psinfo->pr_zomb = psinfo->pr_sname == 'Z';
1536
	psinfo->pr_nice = task_nice(p);
1537
	psinfo->pr_flag = p->flags;
1538
	rcu_read_lock();
1539
	cred = __task_cred(p);
1540
	SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
1541
	SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
1542
	rcu_read_unlock();
1543
	get_task_comm(psinfo->pr_fname, p);
1544

1545
	return 0;
1546
}
1547

1548
static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
1549
{
1550
	elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
1551
	int i = 0;
1552
	do
1553
		i += 2;
1554
	while (auxv[i - 2] != AT_NULL);
1555
	fill_note(note, AUXV, i * sizeof(elf_addr_t), auxv);
1556
}
1557

1558
static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
1559
		const kernel_siginfo_t *siginfo)
1560
{
1561
	copy_siginfo_to_external(csigdata, siginfo);
1562
	fill_note(note, SIGINFO, sizeof(*csigdata), csigdata);
1563
}
1564

1565
/*
1566
 * Format of NT_FILE note:
1567
 *
1568
 * long count     -- how many files are mapped
1569
 * long page_size -- units for file_ofs
1570
 * array of [COUNT] elements of
1571
 *   long start
1572
 *   long end
1573
 *   long file_ofs
1574
 * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
1575
 */
1576
static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm)
1577
{
1578
	unsigned count, size, names_ofs, remaining, n;
1579
	user_long_t *data;
1580
	user_long_t *start_end_ofs;
1581
	char *name_base, *name_curpos;
1582
	int i;
1583

1584
	/* *Estimated* file count and total data size needed */
1585
	count = cprm->vma_count;
1586
	if (count > UINT_MAX / 64)
1587
		return -EINVAL;
1588
	size = count * 64;
1589

1590
	names_ofs = (2 + 3 * count) * sizeof(data[0]);
1591
 alloc:
1592
	/* paranoia check */
1593
	if (size >= core_file_note_size_limit) {
1594
		pr_warn_once("coredump Note size too large: %u (does kernel.core_file_note_size_limit sysctl need adjustment?\n",
1595
			      size);
1596
		return -EINVAL;
1597
	}
1598
	size = round_up(size, PAGE_SIZE);
1599
	/*
1600
	 * "size" can be 0 here legitimately.
1601
	 * Let it ENOMEM and omit NT_FILE section which will be empty anyway.
1602
	 */
1603
	data = kvmalloc(size, GFP_KERNEL);
1604
	if (ZERO_OR_NULL_PTR(data))
1605
		return -ENOMEM;
1606

1607
	start_end_ofs = data + 2;
1608
	name_base = name_curpos = ((char *)data) + names_ofs;
1609
	remaining = size - names_ofs;
1610
	count = 0;
1611
	for (i = 0; i < cprm->vma_count; i++) {
1612
		struct core_vma_metadata *m = &cprm->vma_meta[i];
1613
		struct file *file;
1614
		const char *filename;
1615

1616
		file = m->file;
1617
		if (!file)
1618
			continue;
1619
		filename = file_path(file, name_curpos, remaining);
1620
		if (IS_ERR(filename)) {
1621
			if (PTR_ERR(filename) == -ENAMETOOLONG) {
1622
				kvfree(data);
1623
				size = size * 5 / 4;
1624
				goto alloc;
1625
			}
1626
			continue;
1627
		}
1628

1629
		/* file_path() fills at the end, move name down */
1630
		/* n = strlen(filename) + 1: */
1631
		n = (name_curpos + remaining) - filename;
1632
		remaining = filename - name_curpos;
1633
		memmove(name_curpos, filename, n);
1634
		name_curpos += n;
1635

1636
		*start_end_ofs++ = m->start;
1637
		*start_end_ofs++ = m->end;
1638
		*start_end_ofs++ = m->pgoff;
1639
		count++;
1640
	}
1641

1642
	/* Now we know exact count of files, can store it */
1643
	data[0] = count;
1644
	data[1] = PAGE_SIZE;
1645
	/*
1646
	 * Count usually is less than mm->map_count,
1647
	 * we need to move filenames down.
1648
	 */
1649
	n = cprm->vma_count - count;
1650
	if (n != 0) {
1651
		unsigned shift_bytes = n * 3 * sizeof(data[0]);
1652
		memmove(name_base - shift_bytes, name_base,
1653
			name_curpos - name_base);
1654
		name_curpos -= shift_bytes;
1655
	}
1656

1657
	size = name_curpos - (char *)data;
1658
	fill_note(note, FILE, size, data);
1659
	return 0;
1660
}
1661

1662
#include <linux/regset.h>
1663

1664
struct elf_thread_core_info {
1665
	struct elf_thread_core_info *next;
1666
	struct task_struct *task;
1667
	struct elf_prstatus prstatus;
1668
	struct memelfnote notes[];
1669
};
1670

1671
struct elf_note_info {
1672
	struct elf_thread_core_info *thread;
1673
	struct memelfnote psinfo;
1674
	struct memelfnote signote;
1675
	struct memelfnote auxv;
1676
	struct memelfnote files;
1677
	user_siginfo_t csigdata;
1678
	size_t size;
1679
	int thread_notes;
1680
};
1681

1682
#ifdef CORE_DUMP_USE_REGSET
1683
/*
1684
 * When a regset has a writeback hook, we call it on each thread before
1685
 * dumping user memory.  On register window machines, this makes sure the
1686
 * user memory backing the register data is up to date before we read it.
1687
 */
1688
static void do_thread_regset_writeback(struct task_struct *task,
1689
				       const struct user_regset *regset)
1690
{
1691
	if (regset->writeback)
1692
		regset->writeback(task, regset, 1);
1693
}
1694

1695
#ifndef PRSTATUS_SIZE
1696
#define PRSTATUS_SIZE sizeof(struct elf_prstatus)
1697
#endif
1698

1699
#ifndef SET_PR_FPVALID
1700
#define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1)
1701
#endif
1702

1703
static int fill_thread_core_info(struct elf_thread_core_info *t,
1704
				 const struct user_regset_view *view,
1705
				 long signr, struct elf_note_info *info)
1706
{
1707
	unsigned int note_iter, view_iter;
1708

1709
	/*
1710
	 * NT_PRSTATUS is the one special case, because the regset data
1711
	 * goes into the pr_reg field inside the note contents, rather
1712
	 * than being the whole note contents.  We fill the regset in here.
1713
	 * We assume that regset 0 is NT_PRSTATUS.
1714
	 */
1715
	fill_prstatus(&t->prstatus.common, t->task, signr);
1716
	regset_get(t->task, &view->regsets[0],
1717
		   sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg);
1718

1719
	fill_note(&t->notes[0], PRSTATUS, PRSTATUS_SIZE, &t->prstatus);
1720
	info->size += notesize(&t->notes[0]);
1721

1722
	do_thread_regset_writeback(t->task, &view->regsets[0]);
1723

1724
	/*
1725
	 * Each other regset might generate a note too.  For each regset
1726
	 * that has no core_note_type or is inactive, skip it.
1727
	 */
1728
	note_iter = 1;
1729
	for (view_iter = 1; view_iter < view->n; ++view_iter) {
1730
		const struct user_regset *regset = &view->regsets[view_iter];
1731
		int note_type = regset->core_note_type;
1732
		const char *note_name = regset->core_note_name;
1733
		bool is_fpreg = note_type == NT_PRFPREG;
1734
		void *data;
1735
		int ret;
1736

1737
		do_thread_regset_writeback(t->task, regset);
1738
		if (!note_type) // not for coredumps
1739
			continue;
1740
		if (regset->active && regset->active(t->task, regset) <= 0)
1741
			continue;
1742

1743
		ret = regset_get_alloc(t->task, regset, ~0U, &data);
1744
		if (ret < 0)
1745
			continue;
1746

1747
		if (WARN_ON_ONCE(note_iter >= info->thread_notes))
1748
			break;
1749

1750
		if (is_fpreg)
1751
			SET_PR_FPVALID(&t->prstatus);
1752

1753
		/* There should be a note name, but if not, guess: */
1754
		if (WARN_ON_ONCE(!note_name))
1755
			note_name = "LINUX";
1756
		else
1757
			/* Warn on non-legacy-compatible names, for now. */
1758
			WARN_ON_ONCE(strcmp(note_name,
1759
					    is_fpreg ? "CORE" : "LINUX"));
1760

1761
		__fill_note(&t->notes[note_iter], note_name, note_type,
1762
			    ret, data);
1763

1764
		info->size += notesize(&t->notes[note_iter]);
1765
		note_iter++;
1766
	}
1767

1768
	return 1;
1769
}
1770
#else
1771
static int fill_thread_core_info(struct elf_thread_core_info *t,
1772
				 const struct user_regset_view *view,
1773
				 long signr, struct elf_note_info *info)
1774
{
1775
	struct task_struct *p = t->task;
1776
	elf_fpregset_t *fpu;
1777

1778
	fill_prstatus(&t->prstatus.common, p, signr);
1779
	elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
1780

1781
	fill_note(&t->notes[0], PRSTATUS, sizeof(t->prstatus), &t->prstatus);
1782
	info->size += notesize(&t->notes[0]);
1783

1784
	fpu = kzalloc(sizeof(elf_fpregset_t), GFP_KERNEL);
1785
	if (!fpu || !elf_core_copy_task_fpregs(p, fpu)) {
1786
		kfree(fpu);
1787
		return 1;
1788
	}
1789

1790
	t->prstatus.pr_fpvalid = 1;
1791
	fill_note(&t->notes[1], PRFPREG, sizeof(*fpu), fpu);
1792
	info->size += notesize(&t->notes[1]);
1793

1794
	return 1;
1795
}
1796
#endif
1797

1798
static int fill_note_info(struct elfhdr *elf, int phdrs,
1799
			  struct elf_note_info *info,
1800
			  struct coredump_params *cprm)
1801
{
1802
	struct task_struct *dump_task = current;
1803
	const struct user_regset_view *view;
1804
	struct elf_thread_core_info *t;
1805
	struct elf_prpsinfo *psinfo;
1806
	struct core_thread *ct;
1807

1808
	psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
1809
	if (!psinfo)
1810
		return 0;
1811
	fill_note(&info->psinfo, PRPSINFO, sizeof(*psinfo), psinfo);
1812

1813
#ifdef CORE_DUMP_USE_REGSET
1814
	view = task_user_regset_view(dump_task);
1815

1816
	/*
1817
	 * Figure out how many notes we're going to need for each thread.
1818
	 */
1819
	info->thread_notes = 0;
1820
	for (int i = 0; i < view->n; ++i)
1821
		if (view->regsets[i].core_note_type != 0)
1822
			++info->thread_notes;
1823

1824
	/*
1825
	 * Sanity check.  We rely on regset 0 being in NT_PRSTATUS,
1826
	 * since it is our one special case.
1827
	 */
1828
	if (unlikely(info->thread_notes == 0) ||
1829
	    unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
1830
		WARN_ON(1);
1831
		return 0;
1832
	}
1833

1834
	/*
1835
	 * Initialize the ELF file header.
1836
	 */
1837
	fill_elf_header(elf, phdrs,
1838
			view->e_machine, view->e_flags);
1839
#else
1840
	view = NULL;
1841
	info->thread_notes = 2;
1842
	fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
1843
#endif
1844

1845
	/*
1846
	 * Allocate a structure for each thread.
1847
	 */
1848
	info->thread = kzalloc(offsetof(struct elf_thread_core_info,
1849
				     notes[info->thread_notes]),
1850
			    GFP_KERNEL);
1851
	if (unlikely(!info->thread))
1852
		return 0;
1853

1854
	info->thread->task = dump_task;
1855
	for (ct = dump_task->signal->core_state->dumper.next; ct; ct = ct->next) {
1856
		t = kzalloc(offsetof(struct elf_thread_core_info,
1857
				     notes[info->thread_notes]),
1858
			    GFP_KERNEL);
1859
		if (unlikely(!t))
1860
			return 0;
1861

1862
		t->task = ct->task;
1863
		t->next = info->thread->next;
1864
		info->thread->next = t;
1865
	}
1866

1867
	/*
1868
	 * Now fill in each thread's information.
1869
	 */
1870
	for (t = info->thread; t != NULL; t = t->next)
1871
		if (!fill_thread_core_info(t, view, cprm->siginfo->si_signo, info))
1872
			return 0;
1873

1874
	/*
1875
	 * Fill in the two process-wide notes.
1876
	 */
1877
	fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
1878
	info->size += notesize(&info->psinfo);
1879

1880
	fill_siginfo_note(&info->signote, &info->csigdata, cprm->siginfo);
1881
	info->size += notesize(&info->signote);
1882

1883
	fill_auxv_note(&info->auxv, current->mm);
1884
	info->size += notesize(&info->auxv);
1885

1886
	if (fill_files_note(&info->files, cprm) == 0)
1887
		info->size += notesize(&info->files);
1888

1889
	return 1;
1890
}
1891

1892
/*
1893
 * Write all the notes for each thread.  When writing the first thread, the
1894
 * process-wide notes are interleaved after the first thread-specific note.
1895
 */
1896
static int write_note_info(struct elf_note_info *info,
1897
			   struct coredump_params *cprm)
1898
{
1899
	bool first = true;
1900
	struct elf_thread_core_info *t = info->thread;
1901

1902
	do {
1903
		int i;
1904

1905
		if (!writenote(&t->notes[0], cprm))
1906
			return 0;
1907

1908
		if (first && !writenote(&info->psinfo, cprm))
1909
			return 0;
1910
		if (first && !writenote(&info->signote, cprm))
1911
			return 0;
1912
		if (first && !writenote(&info->auxv, cprm))
1913
			return 0;
1914
		if (first && info->files.data &&
1915
				!writenote(&info->files, cprm))
1916
			return 0;
1917

1918
		for (i = 1; i < info->thread_notes; ++i)
1919
			if (t->notes[i].data &&
1920
			    !writenote(&t->notes[i], cprm))
1921
				return 0;
1922

1923
		first = false;
1924
		t = t->next;
1925
	} while (t);
1926

1927
	return 1;
1928
}
1929

1930
static void free_note_info(struct elf_note_info *info)
1931
{
1932
	struct elf_thread_core_info *threads = info->thread;
1933
	while (threads) {
1934
		unsigned int i;
1935
		struct elf_thread_core_info *t = threads;
1936
		threads = t->next;
1937
		WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
1938
		for (i = 1; i < info->thread_notes; ++i)
1939
			kvfree(t->notes[i].data);
1940
		kfree(t);
1941
	}
1942
	kfree(info->psinfo.data);
1943
	kvfree(info->files.data);
1944
}
1945

1946
static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
1947
			     elf_addr_t e_shoff, int segs)
1948
{
1949
	elf->e_shoff = e_shoff;
1950
	elf->e_shentsize = sizeof(*shdr4extnum);
1951
	elf->e_shnum = 1;
1952
	elf->e_shstrndx = SHN_UNDEF;
1953

1954
	memset(shdr4extnum, 0, sizeof(*shdr4extnum));
1955

1956
	shdr4extnum->sh_type = SHT_NULL;
1957
	shdr4extnum->sh_size = elf->e_shnum;
1958
	shdr4extnum->sh_link = elf->e_shstrndx;
1959
	shdr4extnum->sh_info = segs;
1960
}
1961

1962
/*
1963
 * Actual dumper
1964
 *
1965
 * This is a two-pass process; first we find the offsets of the bits,
1966
 * and then they are actually written out.  If we run out of core limit
1967
 * we just truncate.
1968
 */
1969
static int elf_core_dump(struct coredump_params *cprm)
1970
{
1971
	int has_dumped = 0;
1972
	int segs, i;
1973
	struct elfhdr elf;
1974
	loff_t offset = 0, dataoff;
1975
	struct elf_note_info info = { };
1976
	struct elf_phdr *phdr4note = NULL;
1977
	struct elf_shdr *shdr4extnum = NULL;
1978
	Elf_Half e_phnum;
1979
	elf_addr_t e_shoff;
1980

1981
	/*
1982
	 * The number of segs are recored into ELF header as 16bit value.
1983
	 * Please check DEFAULT_MAX_MAP_COUNT definition when you modify here.
1984
	 */
1985
	segs = cprm->vma_count + elf_core_extra_phdrs(cprm);
1986

1987
	/* for notes section */
1988
	segs++;
1989

1990
	/* If segs > PN_XNUM(0xffff), then e_phnum overflows. To avoid
1991
	 * this, kernel supports extended numbering. Have a look at
1992
	 * include/linux/elf.h for further information. */
1993
	e_phnum = segs > PN_XNUM ? PN_XNUM : segs;
1994

1995
	/*
1996
	 * Collect all the non-memory information about the process for the
1997
	 * notes.  This also sets up the file header.
1998
	 */
1999
	if (!fill_note_info(&elf, e_phnum, &info, cprm))
2000
		goto end_coredump;
2001

2002
	has_dumped = 1;
2003

2004
	offset += sizeof(elf);				/* ELF header */
2005
	offset += segs * sizeof(struct elf_phdr);	/* Program headers */
2006

2007
	/* Write notes phdr entry */
2008
	{
2009
		size_t sz = info.size;
2010

2011
		/* For cell spufs and x86 xstate */
2012
		sz += elf_coredump_extra_notes_size();
2013

2014
		phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
2015
		if (!phdr4note)
2016
			goto end_coredump;
2017

2018
		fill_elf_note_phdr(phdr4note, sz, offset);
2019
		offset += sz;
2020
	}
2021

2022
	dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
2023

2024
	offset += cprm->vma_data_size;
2025
	offset += elf_core_extra_data_size(cprm);
2026
	e_shoff = offset;
2027

2028
	if (e_phnum == PN_XNUM) {
2029
		shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
2030
		if (!shdr4extnum)
2031
			goto end_coredump;
2032
		fill_extnum_info(&elf, shdr4extnum, e_shoff, segs);
2033
	}
2034

2035
	offset = dataoff;
2036

2037
	if (!dump_emit(cprm, &elf, sizeof(elf)))
2038
		goto end_coredump;
2039

2040
	if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
2041
		goto end_coredump;
2042

2043
	/* Write program headers for segments dump */
2044
	for (i = 0; i < cprm->vma_count; i++) {
2045
		struct core_vma_metadata *meta = cprm->vma_meta + i;
2046
		struct elf_phdr phdr;
2047

2048
		phdr.p_type = PT_LOAD;
2049
		phdr.p_offset = offset;
2050
		phdr.p_vaddr = meta->start;
2051
		phdr.p_paddr = 0;
2052
		phdr.p_filesz = meta->dump_size;
2053
		phdr.p_memsz = meta->end - meta->start;
2054
		offset += phdr.p_filesz;
2055
		phdr.p_flags = 0;
2056
		if (meta->flags & VM_READ)
2057
			phdr.p_flags |= PF_R;
2058
		if (meta->flags & VM_WRITE)
2059
			phdr.p_flags |= PF_W;
2060
		if (meta->flags & VM_EXEC)
2061
			phdr.p_flags |= PF_X;
2062
		phdr.p_align = ELF_EXEC_PAGESIZE;
2063

2064
		if (!dump_emit(cprm, &phdr, sizeof(phdr)))
2065
			goto end_coredump;
2066
	}
2067

2068
	if (!elf_core_write_extra_phdrs(cprm, offset))
2069
		goto end_coredump;
2070

2071
	/* write out the notes section */
2072
	if (!write_note_info(&info, cprm))
2073
		goto end_coredump;
2074

2075
	/* For cell spufs and x86 xstate */
2076
	if (elf_coredump_extra_notes_write(cprm))
2077
		goto end_coredump;
2078

2079
	/* Align to page */
2080
	dump_skip_to(cprm, dataoff);
2081

2082
	for (i = 0; i < cprm->vma_count; i++) {
2083
		struct core_vma_metadata *meta = cprm->vma_meta + i;
2084

2085
		if (!dump_user_range(cprm, meta->start, meta->dump_size))
2086
			goto end_coredump;
2087
	}
2088

2089
	if (!elf_core_write_extra_data(cprm))
2090
		goto end_coredump;
2091

2092
	if (e_phnum == PN_XNUM) {
2093
		if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
2094
			goto end_coredump;
2095
	}
2096

2097
end_coredump:
2098
	free_note_info(&info);
2099
	kfree(shdr4extnum);
2100
	kfree(phdr4note);
2101
	return has_dumped;
2102
}
2103

2104
#endif		/* CONFIG_ELF_CORE */
2105

2106
static int __init init_elf_binfmt(void)
2107
{
2108
	register_binfmt(&elf_format);
2109
	return 0;
2110
}
2111

2112
static void __exit exit_elf_binfmt(void)
2113
{
2114
	/* Remove the COFF and ELF loaders. */
2115
	unregister_binfmt(&elf_format);
2116
}
2117

2118
core_initcall(init_elf_binfmt);
2119
module_exit(exit_elf_binfmt);
2120

2121
#ifdef CONFIG_BINFMT_ELF_KUNIT_TEST
2122
#include "tests/binfmt_elf_kunit.c"
2123
#endif
2124

2125