static int CVE_2010_0307_linux2_6_27_31_load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
{
struct file *interpreter = NULL; /* to shut gcc up */
unsigned long load_addr = 0, load_bias = 0;
int load_addr_set = 0;
char * elf_interpreter = NULL;
unsigned long error;
struct elf_phdr *elf_ppnt, *elf_phdata;
unsigned long elf_bss, elf_brk;
int elf_exec_fileno;
int retval, i;
unsigned int size;
unsigned long elf_entry;
unsigned long interp_load_addr = 0;
unsigned long start_code, end_code, start_data, end_data;
unsigned long reloc_func_desc = 0;
int executable_stack = EXSTACK_DEFAULT;
unsigned long def_flags = 0;
struct {
struct elfhdr elf_ex;
struct elfhdr interp_elf_ex;
} *loc;
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
retval = -ENOMEM;
goto out_ret;
}
/* Get the exec-header */
loc->elf_ex = *((struct elfhdr *)bprm->buf);
retval = -ENOEXEC;
/* First of all, some simple consistency checks */
if (memcmp(loc->elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
goto out;
if (loc->elf_ex.e_type != ET_EXEC && loc->elf_ex.e_type != ET_DYN)
goto out;
if (!elf_check_arch(&loc->elf_ex))
goto out;
if (!bprm->file->f_op||!bprm->file->f_op->mmap)
goto out;
/* Now read in all of the header information */
if (loc->elf_ex.e_phentsize != sizeof(struct elf_phdr))
goto out;
if (loc->elf_ex.e_phnum < 1 ||
loc->elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr))
goto out;
size = loc->elf_ex.e_phnum * sizeof(struct elf_phdr);
retval = -ENOMEM;
elf_phdata = kmalloc(size, GFP_KERNEL);
if (!elf_phdata)
goto out;
retval = kernel_read(bprm->file, loc->elf_ex.e_phoff,
(char *)elf_phdata, size);
if (retval != size) {
if (retval >= 0)
retval = -EIO;
goto out_free_ph;
}
retval = get_unused_fd();
if (retval < 0)
goto out_free_ph;
get_file(bprm->file);
fd_install(elf_exec_fileno = retval, bprm->file);
elf_ppnt = elf_phdata;
elf_bss = 0;
elf_brk = 0;
start_code = ~0UL;
end_code = 0;
start_data = 0;
end_data = 0;
for (i = 0; i < loc->elf_ex.e_phnum; i++) {
if (elf_ppnt->p_type == PT_INTERP) {
/* This is the program interpreter used for
* shared libraries - for now assume that this
* is an a.out format binary
*/
retval = -ENOEXEC;
if (elf_ppnt->p_filesz > PATH_MAX ||
elf_ppnt->p_filesz < 2)
goto out_free_file;
retval = -ENOMEM;
elf_interpreter = kmalloc(elf_ppnt->p_filesz,
GFP_KERNEL);
if (!elf_interpreter)
goto out_free_file;
retval = kernel_read(bprm->file, elf_ppnt->p_offset,
elf_interpreter,
elf_ppnt->p_filesz);
if (retval != elf_ppnt->p_filesz) {
if (retval >= 0)
retval = -EIO;
goto out_free_interp;
}
/* make sure path is NULL terminated */
retval = -ENOEXEC;
if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
goto out_free_interp;
/*
* The early SET_PERSONALITY here is so that the lookup
* for the interpreter happens in the namespace of the
* to-be-execed image. SET_PERSONALITY can select an
* alternate root.
*
* However, SET_PERSONALITY is NOT allowed to switch
* this task into the new images's memory mapping
* policy - that is, TASK_SIZE must still evaluate to
* that which is appropriate to the execing application.
* This is because exit_mmap() needs to have TASK_SIZE
* evaluate to the size of the old image.
*
* So if (say) a 64-bit application is execing a 32-bit
* application it is the architecture's responsibility
* to defer changing the value of TASK_SIZE until the
* switch really is going to happen - do this in
* flush_thread(). - akpm
*/
SET_PERSONALITY(loc->elf_ex, 0);
interpreter = open_exec(elf_interpreter);
retval = PTR_ERR(interpreter);
if (IS_ERR(interpreter))
goto out_free_interp;
/*
* If the binary is not readable then enforce
* mm->dumpable = 0 regardless of the interpreter's
* permissions.
*/
if (file_permission(interpreter, MAY_READ) < 0)
bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
retval = kernel_read(interpreter, 0, bprm->buf,
BINPRM_BUF_SIZE);
if (retval != BINPRM_BUF_SIZE) {
if (retval >= 0)
retval = -EIO;
goto out_free_dentry;
}
/* Get the exec headers */
loc->interp_elf_ex = *((struct elfhdr *)bprm->buf);
break;
}
elf_ppnt++;
}
elf_ppnt = elf_phdata;
for (i = 0; i < loc->elf_ex.e_phnum; i++, elf_ppnt++)
if (elf_ppnt->p_type == PT_GNU_STACK) {
if (elf_ppnt->p_flags & PF_X)
executable_stack = EXSTACK_ENABLE_X;
else
executable_stack = EXSTACK_DISABLE_X;
break;
}
/* Some simple consistency checks for the interpreter */
if (elf_interpreter) {
retval = -ELIBBAD;
/* Not an ELF interpreter */
if (memcmp(loc->interp_elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
goto out_free_dentry;
/* Verify the interpreter has a valid arch */
if (!elf_check_arch(&loc->interp_elf_ex))
goto out_free_dentry;
} else {
/* Executables without an interpreter also need a personality */
SET_PERSONALITY(loc->elf_ex, 0);
}
/* Flush all traces of the currently running executable */
retval = flush_old_exec(bprm);
if (retval)
goto out_free_dentry;
/* OK, This is the point of no return */
current->flags &= ~PF_FORKNOEXEC;
current->mm->def_flags = def_flags;
/* Do this immediately, since STACK_TOP as used in setup_arg_pages
may depend on the personality. */
SET_PERSONALITY(loc->elf_ex, 0);
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
current->flags |= PF_RANDOMIZE;
arch_pick_mmap_layout(current->mm);
/* Do this so that we can load the interpreter, if need be. We will
change some of these later */
current->mm->free_area_cache = current->mm->mmap_base;
current->mm->cached_hole_size = 0;
retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
executable_stack);
if (retval < 0) {
send_sig(SIGKILL, current, 0);
goto out_free_dentry;
}
current->mm->start_stack = bprm->p;
/* Now we do a little grungy work by mmaping the ELF image into
the correct location in memory. */
for(i = 0, elf_ppnt = elf_phdata;
i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {
int elf_prot = 0, elf_flags;
unsigned long k, vaddr;
if (elf_ppnt->p_type != PT_LOAD)
continue;
if (unlikely (elf_brk > elf_bss)) {
unsigned long nbyte;
/* There was a PT_LOAD segment with p_memsz > p_filesz
before this one. Map anonymous pages, if needed,
and clear the area. */
retval = set_brk (elf_bss + load_bias,
elf_brk + load_bias);
if (retval) {
send_sig(SIGKILL, current, 0);
goto out_free_dentry;
}
nbyte = ELF_PAGEOFFSET(elf_bss);
if (nbyte) {
nbyte = ELF_MIN_ALIGN - nbyte;
if (nbyte > elf_brk - elf_bss)
nbyte = elf_brk - elf_bss;
if (clear_user((void __user *)elf_bss +
load_bias, nbyte)) {
/*
* This bss-zeroing can fail if the ELF
* file specifies odd protections. So
* we don't check the return value
*/
}
}
}
if (elf_ppnt->p_flags & PF_R)
elf_prot |= PROT_READ;
if (elf_ppnt->p_flags & PF_W)
elf_prot |= PROT_WRITE;
if (elf_ppnt->p_flags & PF_X)
elf_prot |= PROT_EXEC;
elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
vaddr = elf_ppnt->p_vaddr;
if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
elf_flags |= MAP_FIXED;
} else if (loc->elf_ex.e_type == ET_DYN) {
/* Try and get dynamic programs out of the way of the
* default mmap base, as well as whatever program they
* might try to exec. This is because the brk will
* follow the loader, and is not movable. */
#ifdef CONFIG_X86
load_bias = 0;
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
elf_prot, elf_flags, 0);
if (BAD_ADDR(error)) {
send_sig(SIGKILL, current, 0);
retval = IS_ERR((void *)error) ?
PTR_ERR((void*)error) : -EINVAL;
goto out_free_dentry;
}
if (!load_addr_set) {
load_addr_set = 1;
load_addr = (elf_ppnt->p_vaddr - elf_ppnt->p_offset);
if (loc->elf_ex.e_type == ET_DYN) {
load_bias += error -
ELF_PAGESTART(load_bias + vaddr);
load_addr += load_bias;
reloc_func_desc = load_bias;
}
}
k = elf_ppnt->p_vaddr;
if (k < start_code)
start_code = k;
if (start_data < k)
start_data = k;
/*
* Check to see if the section's size will overflow the
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
elf_ppnt->p_memsz > TASK_SIZE ||
TASK_SIZE - elf_ppnt->p_memsz < k) {
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
goto out_free_dentry;
}
k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
if (k > elf_bss)
elf_bss = k;
if ((elf_ppnt->p_flags & PF_X) && end_code < k)
end_code = k;
if (end_data < k)
end_data = k;
k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
if (k > elf_brk)
elf_brk = k;
}
loc->elf_ex.e_entry += load_bias;
elf_bss += load_bias;
elf_brk += load_bias;
start_code += load_bias;
end_code += load_bias;
start_data += load_bias;
end_data += load_bias;
/* Calling set_brk effectively mmaps the pages that we need
* for the bss and break sections. We must do this before
* mapping in the interpreter, to make sure it doesn't wind
* up getting placed where the bss needs to go.
*/
retval = set_brk(elf_bss, elf_brk);
if (retval) {
send_sig(SIGKILL, current, 0);
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
send_sig(SIGSEGV, current, 0);
retval = -EFAULT; /* Nobody gets to see this, but.. */
goto out_free_dentry;
}
if (elf_interpreter) {
unsigned long uninitialized_var(interp_map_addr);
elf_entry = load_elf_interp(&loc->interp_elf_ex,
interpreter,
&interp_map_addr,
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
* load_elf_interp() returns relocation
* adjustment
*/
interp_load_addr = elf_entry;
elf_entry += loc->interp_elf_ex.e_entry;
}
if (BAD_ADDR(elf_entry)) {
force_sig(SIGSEGV, current);
retval = IS_ERR((void *)elf_entry) ?
(int)elf_entry : -EINVAL;
goto out_free_dentry;
}
reloc_func_desc = interp_load_addr;
allow_write_access(interpreter);
fput(interpreter);
kfree(elf_interpreter);
} else {
elf_entry = loc->elf_ex.e_entry;
if (BAD_ADDR(elf_entry)) {
force_sig(SIGSEGV, current);
retval = -EINVAL;
goto out_free_dentry;
}
}
kfree(elf_phdata);
sys_close(elf_exec_fileno);
set_binfmt(&elf_format);
#ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
retval = arch_setup_additional_pages(bprm, executable_stack);
if (retval < 0) {
send_sig(SIGKILL, current, 0);
goto out;
}
#endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
compute_creds(bprm);
current->flags &= ~PF_FORKNOEXEC;
retval = create_elf_tables(bprm, &loc->elf_ex,
load_addr, interp_load_addr);
if (retval < 0) {
send_sig(SIGKILL, current, 0);
goto out;
}
/* N.B. passed_fileno might not be initialized? */
current->mm->end_code = end_code;
current->mm->start_code = start_code;
current->mm->start_data = start_data;
current->mm->end_data = end_data;
current->mm->start_stack = bprm->p;
#ifdef arch_randomize_brk
if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1))
current->mm->brk = current->mm->start_brk =
arch_randomize_brk(current->mm);
#endif
if (current->personality & MMAP_PAGE_ZERO) {
/* Why this, you ask??? Well SVr4 maps page 0 as read-only,
and some applications "depend" upon this behavior.
Since we do not have the power to recompile these, we
emulate the SVr4 behavior. Sigh. */
down_write(¤t->mm->mmap_sem);
error = do_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
MAP_FIXED | MAP_PRIVATE, 0);
up_write(¤t->mm->mmap_sem);
}
#ifdef ELF_PLAT_INIT
/*
* The ABI may specify that certain registers be set up in special
* ways (on i386 %edx is the address of a DT_FINI function, for
* example. In addition, it may also specify (eg, PowerPC64 ELF)
* that the e_entry field is the address of the function descriptor
* for the startup routine, rather than the address of the startup
* routine itself. This macro performs whatever initialization to
* the regs structure is required as well as any relocations to the
* function descriptor entries when executing dynamically links apps.
*/
ELF_PLAT_INIT(regs, reloc_func_desc);
#endif
start_thread(regs, elf_entry, bprm->p);
retval = 0;
out:
kfree(loc);
out_ret:
return retval;
/* error cleanup */
out_free_dentry:
allow_write_access(interpreter);
if (interpreter)
fput(interpreter);
out_free_interp:
kfree(elf_interpreter);
out_free_file:
sys_close(elf_exec_fileno);
out_free_ph:
kfree(elf_phdata);
goto out;
}
/*
* Helper function to process the load operation.
*/
static int
xout_load_object(struct linux_binprm * bpp, struct pt_regs *rp, int executable)
{
struct xexec *xexec = (struct xexec *)bpp->buf;
struct xext *xext = (struct xext *)(xexec + 1);
struct xseg *seglist;
struct file *fp = NULL;
u_long addr, lPers;
int nsegs, ntext, ndata;
int pageable = 1, err = 0, i;
#ifdef CONFIG_BINFMT_XOUT_X286
struct file *file;
#endif
lPers = abi_personality((char *)_BX(rp));
if (lPers == 0) lPers = PER_XENIX;
if (xexec->x_magic != X_MAGIC) {
return -ENOEXEC;
}
switch (xexec->x_cpu & XC_CPU) {
case XC_386:
break;
#if defined(CONFIG_BINFMT_XOUT_X286)
case XC_8086:
case XC_286:
case XC_286V:
case XC_186:
if (!Emulx286) return -ENOEXEC;
file = open_exec(Emulx286);
if (file) {
fput(bpp->file);
bpp->file = file;
kernel_read(bpp->file, 0L, bpp->buf, sizeof(bpp->buf));
}
return -ENOEXEC;
#endif
default:
dprintk(KERN_DEBUG "xout: unsupported CPU type (%02x)\n",
xexec->x_cpu);
return -ENOEXEC;
}
/*
* We can't handle byte or word swapped headers. Well, we
* *could* but they should never happen surely?
*/
if ((xexec->x_cpu & (XC_BSWAP | XC_WSWAP)) != XC_WSWAP) {
dprintk(KERN_DEBUG "xout: wrong byte or word sex (%02x)\n",
xexec->x_cpu);
return -ENOEXEC;
}
/* Check it's an executable. */
if (!(xexec->x_renv & XE_EXEC)) {
dprintk(KERN_DEBUG "xout: not executable\n");
return -ENOEXEC;
}
/*
* There should be an extended header and there should be
* some segments. At this stage we don't handle non-segmented
* binaries. I'm not sure you can get them under Xenix anyway.
*/
if (xexec->x_ext != sizeof(struct xext)) {
dprintk(KERN_DEBUG "xout: bad extended header\n");
return -ENOEXEC;
}
if (!(xexec->x_renv & XE_SEG) || !xext->xe_segsize) {
dprintk(KERN_DEBUG "xout: not segmented\n");
return -ENOEXEC;
}
if (!(seglist = kmalloc(xext->xe_segsize, GFP_KERNEL))) {
printk(KERN_WARNING "xout: allocating segment list failed\n");
return -ENOMEM;
}
err = kernel_read(bpp->file, xext->xe_segpos,
(char *)seglist, xext->xe_segsize);
if (err < 0) {
dprintk(KERN_DEBUG "xout: problem reading segment table\n");
goto out;
}
if (!bpp->file->f_op->mmap)
pageable = 0;
nsegs = xext->xe_segsize / sizeof(struct xseg);
ntext = ndata = 0;
for (i = 0; i < nsegs; i++) {
switch (seglist[i].xs_type) {
case XS_TTEXT:
if (isnotaligned(seglist+i))
pageable = 0;
ntext++;
break;
case XS_TDATA:
if (isnotaligned(seglist+i))
pageable = 0;
ndata++;
break;
}
}
if (!ndata)
goto out;
/*
* Generate the proper values for the text fields
*
* THIS IS THE POINT OF NO RETURN. THE NEW PROCESS WILL TRAP OUT SHOULD
* SOMETHING FAIL IN THE LOAD SEQUENCE FROM THIS POINT ONWARD.
*/
/*
* Flush the executable from memory. At this point the executable is
* committed to being defined or a segmentation violation will occur.
*/
if (executable) {
dprintk(KERN_DEBUG "xout: flushing executable\n");
flush_old_exec(bpp);
if ( (lPers & 0xFF) == (current->personality & 0xFF) ) set_personality(0);
set_personality(lPers);
#if defined(CONFIG_ABI_TRACE)
abi_trace(ABI_TRACE_UNIMPL, "Personality %08X assigned\n",
(unsigned int)current->personality);
#endif
#ifdef CONFIG_64BIT
set_thread_flag(TIF_IA32);
clear_thread_flag(TIF_ABI_PENDING);
#endif
current->mm->mmap = NULL;
#ifdef set_mm_counter
#if _KSL > 14
set_mm_counter(current->mm, file_rss, 0);
#else
set_mm_counter(current->mm, rss, 0);
#endif
#else
current->mm->rss = 0;
#endif
#if _KSL > 10
if ((err = setup_arg_pages(bpp, STACK_TOP, EXSTACK_DEFAULT)) < 0)
#else
if ((err = setup_arg_pages(bpp, EXSTACK_DEFAULT)) < 0)
#endif
{
send_sig(SIGSEGV, current, 1);
return (err);
}
bpp->p = (u_long)xout_create_tables((char *)bpp->p, bpp,
(xexec->x_cpu & XC_CPU) == XC_386 ? 1 : 0);
current->mm->start_code = 0;
current->mm->end_code = xexec->x_text;
current->mm->end_data = xexec->x_text + xexec->x_data;
current->mm->start_brk =
current->mm->brk = xexec->x_text + xexec->x_data + xexec->x_bss;
#if _KSL > 28
install_exec_creds(bpp);
#else
compute_creds(bpp);
#endif
current->flags &= ~PF_FORKNOEXEC;
#if _KSL < 15
#ifdef CONFIG_64BIT
__asm__ volatile (
"movl %0,%%fs; movl %0,%%es; movl %0,%%ds"
: :"r" (0));
__asm__ volatile (
"pushf; cli; swapgs; movl %0,%%gs; mfence; swapgs; popf"
: :"r" (0));
write_pda(oldrsp,bpp->p);
_FLG(rp) = 0x200;
#else
__asm__ volatile (
"movl %0,%%fs ; movl %0,%%gs"
: :"r" (0));
_DS(rp) = _ES(rp) = __USER_DS;
#endif
_SS(rp) = __USER_DS;
_SP(rp) = bpp->p;
_CS(rp) = __USER_CS;
_IP(rp) = xexec->x_entry;
set_fs(USER_DS);
#else
start_thread(rp, xexec->x_entry, bpp->p);
#endif
#ifdef CONFIG_64BIT
__asm__ volatile("movl %0,%%es; movl %0,%%ds": :"r" (__USER32_DS));
_SS(rp) = __USER32_DS;
_CS(rp) = __USER32_CS;
#endif
dprintk(KERN_DEBUG "xout: entry point = 0x%x:0x%08lx\n",
xext->xe_eseg, xexec->x_entry);
}
/*
* Scan the segments and map them into the process space. If this
* executable is pageable (unlikely since Xenix aligns to 1k
* boundaries and we want it aligned to 4k boundaries) this is
* all we need to do. If it isn't pageable we go round again
* afterwards and load the data. We have to do this in two steps
* because if segments overlap within a 4K page we'll lose the
* first instance when we remap the page. Hope that's clear...
*/
for (i = 0; err >= 0 && i < nsegs; i++) {
struct xseg *sp = seglist+i;
if (sp->xs_attr & XS_AMEM) {
err = xout_amen(fp, sp, pageable, &addr,
xexec, rp, (!ntext && ndata == 1));
}
}
/*
* We better fix start_data because sys_brk looks there to
* calculate data size.
* Kernel 2.2 did look at end_code so this is reasonable.
*/
if (current->mm->start_data == current->mm->start_code)
current->mm->start_data = current->mm->end_code;
dprintk(KERN_DEBUG "xout: start code 0x%08lx, end code 0x%08lx,"
" start data 0x%08lx, end data 0x%08lx, brk 0x%08lx\n",
current->mm->start_code, current->mm->end_code,
current->mm->start_data, current->mm->end_data,
current->mm->brk);
if (pageable)
goto trap;
if (err < 0)
goto trap;
for (i = 0; (err >= 0) && (i < nsegs); i++) {
struct xseg *sp = seglist + i;
u_long psize;
if (sp->xs_type == XS_TTEXT || sp->xs_type == XS_TDATA) {
dprintk(KERN_DEBUG "xout: read to 0x%08lx from 0x%08lx,"
" length 0x%8lx\n", sp->xs_rbase,
sp->xs_filpos, sp->xs_psize);
if (sp->xs_psize < 0)
continue;
/*
* Do we still get the size ? Yes! [joerg]
*/
psize = kernel_read(bpp->file, sp->xs_filpos,
(char *)((long)sp->xs_rbase), sp->xs_psize);
if (psize != sp->xs_psize) {
dprintk(KERN_DEBUG "xout: short read 0x%8lx\n",psize);
err = -1;
break;
}
}
}
/*
* Generate any needed trap for this process. If an error occured then
* generate a segmentation violation. If the process is being debugged
* then generate the load trap. (Note: If this is a library load then
* do not generate the trap here. Pass the error to the caller who
* will do it for the process in the outer lay of this procedure call.)
*/
trap:
if (executable) {
if (err < 0) {
dprintk(KERN_DEBUG "xout: loader forces seg fault "
"(err = %d)\n", err);
send_sig(SIGSEGV, current, 0);
}
#ifdef CONFIG_PTRACE
/* --- Red Hat specific handling --- */
#else
else if (current->ptrace & PT_PTRACED)
send_sig(SIGTRAP, current, 0);
#endif
err = 0;
}
out:
kfree(seglist);
dprintk(KERN_DEBUG "xout: binfmt_xout: result = %d\n", err);
/*
* If we are using the [2]86 emulation overlay we enter this
* rather than the real program and give it the information
* it needs to start the ball rolling.
*/
/*
* Xenix 386 programs expect the initial brk value to be in eax
* on start up. Hence if we succeeded we need to pass back
* the brk value rather than the status. Ultimately the
* ret_from_sys_call assembly will place this in eax before
* resuming (starting) the process.
*/
return (err < 0 ? err : current->mm->brk);
}
static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs)
{
char *interp, *i_name, *i_arg;
struct file * file;
int retval;
struct elfhdr elf_ex;
/* Make sure this is a Linux/Intel ELF executable... */
elf_ex = *((struct elfhdr *)bprm->buf);
if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
return -ENOEXEC;
/* First of all, some simple consistency checks */
if ((elf_ex.e_type != ET_EXEC && elf_ex.e_type != ET_DYN) ||
(!((elf_ex.e_machine == EM_386) || (elf_ex.e_machine == EM_486))) ||
(!bprm->file->f_op || !bprm->file->f_op->mmap)) {
return -ENOEXEC;
}
bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;
/* Unlike in the script case, we don't have to do any hairy
* parsing to find our interpreter... it's hardcoded!
*/
interp = EM86_INTERP;
i_name = EM86_I_NAME;
i_arg = NULL; /* We reserve the right to add an arg later */
/*
* Splice in (1) the interpreter's name for argv[0]
* (2) (optional) argument to interpreter
* (3) filename of emulated file (replace argv[0])
*
* This is done in reverse order, because of how the
* user environment and arguments are stored.
*/
remove_arg_zero(bprm);
retval = copy_strings_kernel(1, &bprm->filename, bprm);
if (retval < 0) return retval;
bprm->argc++;
if (i_arg) {
retval = copy_strings_kernel(1, &i_arg, bprm);
if (retval < 0) return retval;
bprm->argc++;
}
retval = copy_strings_kernel(1, &i_name, bprm);
if (retval < 0) return retval;
bprm->argc++;
/*
* OK, now restart the process with the interpreter's inode.
* Note that we use open_exec() as the name is now in kernel
* space, and we don't need to copy it.
*/
file = open_exec(interp);
if (IS_ERR(file))
return PTR_ERR(file);
bprm->file = file;
retval = prepare_binprm(bprm);
if (retval < 0)
return retval;
return search_binary_handler(bprm, regs);
}
asmlinkage int exe$creprc(unsigned int *pidadr, void *image, void *input, void *output, void *error, struct _generic_64 *prvadr, unsigned int *quota, void*prcnam, unsigned int baspri, unsigned int uic, unsigned short int mbxunt, unsigned int stsflg,...) {
unsigned long stack_here;
struct _pcb * p, * cur;
int retval;
struct dsc$descriptor * imd = image, * ind = input, * oud = output, * erd = error;
unsigned long clone_flags=CLONE_VFORK;
//check pidadr
ctl$gl_creprc_flags = stsflg;
// check for PRC$M_NOUAF sometime
if (stsflg&PRC$M_DETACH) {
}
if (uic) {
}
//setipl(IPL$_ASTDEL);//postpone this?
cur=ctl$gl_pcb;
vmslock(&SPIN_SCHED, IPL$_SCHED);
vmslock(&SPIN_MMG, IPL$_MMG);
p = alloc_task_struct();
//bzero(p,sizeof(struct _pcb));//not wise?
memset(p,0,sizeof(struct _pcb));
// check more
// compensate for no struct clone/copy
p->sigmask_lock = SPIN_LOCK_UNLOCKED;
p->alloc_lock = SPIN_LOCK_UNLOCKED;
qhead_init(&p->pcb$l_astqfl);
// and enable ast del to all modes
p->pcb$b_type = DYN$C_PCB;
p->pcb$b_asten=15;
p->phd$b_astlvl=4;
p->pr_astlvl=4;
p->psl=0;
p->pslindex=0;
qhead_init(&p->pcb$l_lockqfl);
// set capabilities
p->pcb$l_permanent_capability = sch$gl_default_process_cap;
p->pcb$l_capability = p->pcb$l_permanent_capability;
// set affinity
// set default fileprot
// set arb
// set mbx stuff
// from setprn:
if (prcnam) {
struct dsc$descriptor *s=prcnam;
strncpy(p->pcb$t_lname,s->dsc$a_pointer,s->dsc$w_length);
}
// set priv
p->pcb$l_priv=ctl$gl_pcb->pcb$l_priv;
// set pris
p->pcb$b_prib=31-baspri;
p->pcb$b_pri=31-baspri-6;
// if (p->pcb$b_pri<16) p->pcb$b_pri=16;
p->pcb$w_quant=-QUANTUM;
// set uic
p->pcb$l_uic=ctl$gl_pcb->pcb$l_uic;
// set vms pid
// check process name
// do something with pqb
p->pcb$l_pqb=kmalloc(sizeof(struct _pqb),GFP_KERNEL);
memset(p->pcb$l_pqb,0,sizeof(struct _pqb));
struct _pqb * pqb = p->pcb$l_pqb;
pqb->pqb$q_prvmsk = ctl$gq_procpriv;
if (imd)
memcpy(pqb->pqb$t_image,imd->dsc$a_pointer,imd->dsc$w_length);
if (ind)
memcpy(pqb->pqb$t_input,ind->dsc$a_pointer,ind->dsc$w_length);
if (oud)
memcpy(pqb->pqb$t_output,oud->dsc$a_pointer,oud->dsc$w_length);
if (erd)
memcpy(pqb->pqb$t_error,erd->dsc$a_pointer,erd->dsc$w_length);
if (oud) // temp measure
memcpy(p->pcb$t_terminal,oud->dsc$a_pointer,oud->dsc$w_length);
// translate some logicals
// copy security clearance
// copy msg
// copy flags
// set jib
// do quotas
// process itmlst
// set pcb$l_pqb
#if 0
setipl(IPL$_MMG);
vmslock(&SPIN_SCHED,-1);
// find vacant slot in pcb vector
// and store it
#endif
// make ipid and epid
p->pcb$l_pid=alloc_ipid();
{
unsigned long *vec=sch$gl_pcbvec;
vec[p->pcb$l_pid&0xffff]=p;
}
p->pcb$l_epid=exe$ipid_to_epid(p->pcb$l_pid);
// should invoke sch$chse, put this at bottom?
// setipl(0) and return
// now lots of things from fork
retval = -EAGAIN;
/*
* Check if we are over our maximum process limit, but be sure to
* exclude root. This is needed to make it possible for login and
* friends to set the per-user process limit to something lower
* than the amount of processes root is running. -- Rik
*/
#if 0
if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur
&& !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
goto bad_fork_free;
atomic_inc(&p->user->__count);
atomic_inc(&p->user->processes);
#endif
/*
* Counter increases are protected by
* the kernel lock so nr_threads can't
* increase under us (but it may decrease).
*/
get_exec_domain(p->exec_domain);
if (p->binfmt && p->binfmt->module)
__MOD_INC_USE_COUNT(p->binfmt->module);
p->did_exec = 0;
p->swappable = 0;
p->state = TASK_UNINTERRUPTIBLE;
//copy_flags(clone_flags, p);
// not here? p->pcb$l_pid = alloc_ipid();
p->run_list.next = NULL;
p->run_list.prev = NULL;
p->p_cptr = NULL;
init_waitqueue_head(&p->wait_chldexit);
p->vfork_done = NULL;
spin_lock_init(&p->alloc_lock);
p->sigpending = 0;
init_sigpending(&p->pending);
p->it_real_value = p->it_virt_value = p->it_prof_value = 0;
p->it_real_incr = p->it_virt_incr = p->it_prof_incr = 0;
init_timer(&p->real_timer);
p->real_timer.data = (unsigned long) p;
p->leader = 0; /* session leadership doesn't inherit */
p->tty_old_pgrp = 0;
p->times.tms_utime = p->times.tms_stime = 0;
p->times.tms_cutime = p->times.tms_cstime = 0;
p->lock_depth = -1; /* -1 = no lock */
p->start_time = jiffies;
INIT_LIST_HEAD(&p->local_pages);
p->files = current->files;
p->fs = current->fs;
p->sig = current->sig;
/* copy all the process information */
if (copy_files(clone_flags, p))
goto bad_fork_cleanup;
if (copy_fs(clone_flags, p))
goto bad_fork_cleanup_files;
if (copy_sighand(clone_flags, p))
goto bad_fork_cleanup_fs;
bad_fork_cleanup:
bad_fork_cleanup_files:
bad_fork_cleanup_fs:
// now a hole
// now more from fork
/* ok, now we should be set up.. */
p->swappable = 1;
p->exit_signal = 0;
p->pdeath_signal = 0;
/*
* "share" dynamic priority between parent and child, thus the
* total amount of dynamic priorities in the system doesnt change,
* more scheduling fairness. This is only important in the first
* timeslice, on the long run the scheduling behaviour is unchanged.
*/
/*
* Ok, add it to the run-queues and make it
* visible to the rest of the system.
*
* Let it rip!
*/
retval = p->pcb$l_epid;
INIT_LIST_HEAD(&p->thread_group);
/* Need tasklist lock for parent etc handling! */
write_lock_irq(&tasklist_lock);
/* CLONE_PARENT and CLONE_THREAD re-use the old parent */
p->p_opptr = current->p_opptr;
p->p_pptr = current->p_pptr;
p->p_opptr = current /*->p_opptr*/;
p->p_pptr = current /*->p_pptr*/;
SET_LINKS(p);
nr_threads++;
write_unlock_irq(&tasklist_lock);
// printk("fork befwak\n");
//wake_up_process(p); /* do this last */
// wake_up_process2(p,PRI$_TICOM); /* do this last */
//goto fork_out;//??
// now something from exec
// wait, better do execve itself
memcpy(p->rlim, current->rlim, sizeof(p->rlim));
qhead_init(&p->pcb$l_sqfl);
struct mm_struct * mm = mm_alloc();
p->mm = mm;
p->active_mm = mm;
p->user = INIT_USER;
spin_lock(&mmlist_lock);
#if 0
list_add(&mm->mmlist, &p->p_pptr->mm->mmlist);
#endif
mmlist_nr++;
spin_unlock(&mmlist_lock);
// Now we are getting into the area that is really the swappers
// To be moved to shell.c and swp$shelinit later
p->pcb$l_phd=kmalloc(sizeof(struct _phd),GFP_KERNEL);
init_phd(p->pcb$l_phd);
init_fork_p1pp(p,p->pcb$l_phd,ctl$gl_pcb,ctl$gl_pcb->pcb$l_phd);
#ifdef __x86_64__
shell_init_other(p,ctl$gl_pcb,0x7ff80000-0x1000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ff80000-0x2000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ff90000-0x1000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ff90000-0x2000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ffa0000-0x1000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ffa0000-0x2000,0x7fffe000);
#else
shell_init_other(p,ctl$gl_pcb,0x7ff80000-0x1000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ff80000-0x2000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ff90000-0x1000,0x7fffe000);
shell_init_other(p,ctl$gl_pcb,0x7ff90000-0x2000,0x7fffe000);
#endif
int exe$procstrt(struct _pcb * p);
struct pt_regs * regs = &pidadr;
//printk("newthread %x\n",p),
retval = new_thread(0, clone_flags, 0, 0, p, 0);
int eip=0,esp=0;
// start_thread(regs,eip,esp);
sch$chse(p, PRI$_TICOM);
vmsunlock(&SPIN_MMG,-1);
vmsunlock(&SPIN_SCHED,0);
return SS$_NORMAL;
#if 0
return sys_execve(((struct dsc$descriptor *)image)->dsc$a_pointer,0,0);
return SS$_NORMAL;
#endif
#if 0
{
char * filename=((struct dsc$descriptor *)image)->dsc$a_pointer;
char ** argv=0;
char ** envp=0;
struct pt_regs * regs=0;
struct linux_binprm bprm;
struct file *file;
int retval;
int i;
file = open_exec(filename);
retval = PTR_ERR(file);
if (IS_ERR(file))
return retval;
bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0]));
bprm.file = file;
bprm.filename = filename;
bprm.sh_bang = 0;
bprm.loader = 0;
bprm.exec = 0;
if ((bprm.argc = count(argv, bprm.p / sizeof(void *))) < 0) {
allow_write_access(file);
fput(file);
//printk("here 7 %x\n",bprm.argc);
return bprm.argc;
}
if ((bprm.envc = count(envp, bprm.p / sizeof(void *))) < 0) {
allow_write_access(file);
fput(file);
//printk("here 6\n");
return bprm.envc;
}
retval = prepare_binprm(&bprm);
//printk("here 4\n");
if (retval < 0)
goto out;
retval = copy_strings_kernel(1, &bprm.filename, &bprm);
//printk("here 3\n");
if (retval < 0)
goto out;
bprm.exec = bprm.p;
retval = copy_strings(bprm.envc, envp, &bprm);
//printk("here 2\n");
if (retval < 0)
goto out;
retval = copy_strings(bprm.argc, argv, &bprm);
//printk("here 1\n");
if (retval < 0)
goto out;
retval = search_binary_handler(&bprm,regs);
if (retval >= 0)
/* execve success */
return retval;
out:
/* Something went wrong, return the inode and free the argument pages*/
allow_write_access(bprm.file);
if (bprm.file)
fput(bprm.file);
for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
struct page * page = bprm.page[i];
if (page)
__free_page(page);
}
return retval;
}
#endif
fork_out:
return retval;
bad_fork_free:
free_task_struct(p);
goto fork_out;
}
static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
{
struct file *interpreter = NULL; /* to shut gcc up */
unsigned long load_addr = 0, load_bias = 0;
int load_addr_set = 0;
char * elf_interpreter = NULL;
unsigned int interpreter_type = INTERPRETER_NONE;
unsigned char ibcs2_interpreter = 0;
unsigned long error;
struct elf_phdr * elf_ppnt, *elf_phdata;
unsigned long elf_bss, k, elf_brk;
int elf_exec_fileno;
int retval, i;
unsigned int size;
unsigned long elf_entry, interp_load_addr = 0;
unsigned long start_code, end_code, start_data, end_data;
struct elfhdr elf_ex;
struct elfhdr interp_elf_ex;
struct exec interp_ex;
char passed_fileno[6];
/* Get the exec-header */
elf_ex = *((struct elfhdr *) bprm->buf);
retval = -ENOEXEC;
/* First of all, some simple consistency checks */
if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
goto out;
if (elf_ex.e_type != ET_EXEC && elf_ex.e_type != ET_DYN)
goto out;
if (!elf_check_arch(&elf_ex))
goto out;
if (!bprm->file->f_op||!bprm->file->f_op->mmap)
goto out;
/* Now read in all of the header information */
retval = -ENOMEM;
if (elf_ex.e_phentsize != sizeof(struct elf_phdr))
goto out;
if (elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr))
goto out;
size = elf_ex.e_phnum * sizeof(struct elf_phdr);
elf_phdata = (struct elf_phdr *) kmalloc(size, GFP_KERNEL);
if (!elf_phdata)
goto out;
retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size);
if (retval < 0)
goto out_free_ph;
retval = get_unused_fd();
if (retval < 0)
goto out_free_ph;
get_file(bprm->file);
fd_install(elf_exec_fileno = retval, bprm->file);
elf_ppnt = elf_phdata;
elf_bss = 0;
elf_brk = 0;
start_code = ~0UL;
end_code = 0;
start_data = 0;
end_data = 0;
for (i = 0; i < elf_ex.e_phnum; i++) {
if (elf_ppnt->p_type == PT_INTERP) {
/* This is the program interpreter used for
* shared libraries - for now assume that this
* is an a.out format binary
*/
retval = -ENOMEM;
if (elf_ppnt->p_filesz > PATH_MAX)
goto out_free_file;
elf_interpreter = (char *) kmalloc(elf_ppnt->p_filesz,
GFP_KERNEL);
if (!elf_interpreter)
goto out_free_file;
retval = kernel_read(bprm->file, elf_ppnt->p_offset,
elf_interpreter,
elf_ppnt->p_filesz);
if (retval < 0)
goto out_free_interp;
/* If the program interpreter is one of these two,
* then assume an iBCS2 image. Otherwise assume
* a native linux image.
*/
if (strcmp(elf_interpreter,"/usr/lib/libc.so.1") == 0 ||
strcmp(elf_interpreter,"/usr/lib/ld.so.1") == 0)
ibcs2_interpreter = 1;
#if 0
printk("Using ELF interpreter %s\n", elf_interpreter);
#endif
SET_PERSONALITY(elf_ex, ibcs2_interpreter);
interpreter = open_exec(elf_interpreter);
retval = PTR_ERR(interpreter);
if (IS_ERR(interpreter))
goto out_free_interp;
retval = kernel_read(interpreter, 0, bprm->buf, BINPRM_BUF_SIZE);
if (retval < 0)
goto out_free_dentry;
/* Get the exec headers */
interp_ex = *((struct exec *) bprm->buf);
interp_elf_ex = *((struct elfhdr *) bprm->buf);
break;
}
elf_ppnt++;
}
/* Some simple consistency checks for the interpreter */
if (elf_interpreter) {
interpreter_type = INTERPRETER_ELF | INTERPRETER_AOUT;
/* Now figure out which format our binary is */
if ((N_MAGIC(interp_ex) != OMAGIC) &&
(N_MAGIC(interp_ex) != ZMAGIC) &&
(N_MAGIC(interp_ex) != QMAGIC))
interpreter_type = INTERPRETER_ELF;
if (memcmp(interp_elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
interpreter_type &= ~INTERPRETER_ELF;
retval = -ELIBBAD;
if (!interpreter_type)
goto out_free_dentry;
/* Make sure only one type was selected */
if ((interpreter_type & INTERPRETER_ELF) &&
interpreter_type != INTERPRETER_ELF) {
// FIXME - ratelimit this before re-enabling
// printk(KERN_WARNING "ELF: Ambiguous type, using ELF\n");
interpreter_type = INTERPRETER_ELF;
}
} else {
/* Executables without an interpreter also need a personality */
SET_PERSONALITY(elf_ex, ibcs2_interpreter);
}
/* OK, we are done with that, now set up the arg stuff,
and then start this sucker up */
if (!bprm->sh_bang) {
char * passed_p;
if (interpreter_type == INTERPRETER_AOUT) {
sprintf(passed_fileno, "%d", elf_exec_fileno);
passed_p = passed_fileno;
if (elf_interpreter) {
retval = copy_strings_kernel(1,&passed_p,bprm);
if (retval)
goto out_free_dentry;
bprm->argc++;
}
}
}
/* Flush all traces of the currently running executable */
retval = flush_old_exec(bprm);
if (retval)
goto out_free_dentry;
/* OK, This is the point of no return */
current->mm->start_data = 0;
current->mm->end_data = 0;
current->mm->end_code = 0;
current->mm->mmap = NULL;
current->flags &= ~PF_FORKNOEXEC;
elf_entry = (unsigned long) elf_ex.e_entry;
/* Do this so that we can load the interpreter, if need be. We will
change some of these later */
current->mm->rss = 0;
retval = setup_arg_pages(bprm);
if (retval < 0) {
send_sig(SIGKILL, current, 0);
return retval;
}
current->mm->start_stack = bprm->p;
/* Now we do a little grungy work by mmaping the ELF image into
the correct location in memory. At this point, we assume that
the image should be loaded at fixed address, not at a variable
address. */
for(i = 0, elf_ppnt = elf_phdata; i < elf_ex.e_phnum; i++, elf_ppnt++) {
int elf_prot = 0, elf_flags;
unsigned long vaddr;
if (elf_ppnt->p_type != PT_LOAD)
continue;
if (unlikely (elf_brk > elf_bss)) {
unsigned long nbyte;
/* There was a PT_LOAD segment with p_memsz > p_filesz
before this one. Map anonymous pages, if needed,
and clear the area. */
set_brk (elf_bss + load_bias, elf_brk + load_bias);
nbyte = ELF_PAGEOFFSET(elf_bss);
if (nbyte) {
nbyte = ELF_MIN_ALIGN - nbyte;
if (nbyte > elf_brk - elf_bss)
nbyte = elf_brk - elf_bss;
clear_user((void *) elf_bss + load_bias, nbyte);
}
}
if (elf_ppnt->p_flags & PF_R) elf_prot |= PROT_READ;
if (elf_ppnt->p_flags & PF_W) elf_prot |= PROT_WRITE;
if (elf_ppnt->p_flags & PF_X) elf_prot |= PROT_EXEC;
elf_flags = MAP_PRIVATE|MAP_DENYWRITE|MAP_EXECUTABLE;
vaddr = elf_ppnt->p_vaddr;
if (elf_ex.e_type == ET_EXEC || load_addr_set) {
elf_flags |= MAP_FIXED;
} else if (elf_ex.e_type == ET_DYN) {
/* Try and get dynamic programs out of the way of the default mmap
base, as well as whatever program they might try to exec. This
is because the brk will follow the loader, and is not movable. */
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
if (BAD_ADDR(error))
continue;
if (!load_addr_set) {
load_addr_set = 1;
load_addr = (elf_ppnt->p_vaddr - elf_ppnt->p_offset);
if (elf_ex.e_type == ET_DYN) {
load_bias += error -
ELF_PAGESTART(load_bias + vaddr);
load_addr += load_bias;
}
}
k = elf_ppnt->p_vaddr;
if (k < start_code) start_code = k;
if (start_data < k) start_data = k;
k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
if (k > elf_bss)
elf_bss = k;
if ((elf_ppnt->p_flags & PF_X) && end_code < k)
end_code = k;
if (end_data < k)
end_data = k;
k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
if (k > elf_brk)
elf_brk = k;
}
elf_entry += load_bias;
elf_bss += load_bias;
elf_brk += load_bias;
start_code += load_bias;
end_code += load_bias;
start_data += load_bias;
end_data += load_bias;
if (elf_interpreter) {
if (interpreter_type == INTERPRETER_AOUT)
elf_entry = load_aout_interp(&interp_ex,
interpreter);
else
elf_entry = load_elf_interp(&interp_elf_ex,
interpreter,
&interp_load_addr);
allow_write_access(interpreter);
fput(interpreter);
kfree(elf_interpreter);
if (BAD_ADDR(elf_entry)) {
printk(KERN_ERR "Unable to load interpreter\n");
kfree(elf_phdata);
send_sig(SIGSEGV, current, 0);
return 0;
}
}
kfree(elf_phdata);
if (interpreter_type != INTERPRETER_AOUT)
sys_close(elf_exec_fileno);
set_binfmt(&elf_format);
compute_creds(bprm);
current->flags &= ~PF_FORKNOEXEC;
bprm->p = (unsigned long)
create_elf_tables((char *)bprm->p,
bprm->argc,
bprm->envc,
&elf_ex,
load_addr, load_bias,
interp_load_addr,
(interpreter_type == INTERPRETER_AOUT ? 0 : 1));
/* N.B. passed_fileno might not be initialized? */
if (interpreter_type == INTERPRETER_AOUT)
current->mm->arg_start += strlen(passed_fileno) + 1;
current->mm->start_brk = current->mm->brk = elf_brk;
current->mm->end_code = end_code;
current->mm->start_code = start_code;
current->mm->start_data = start_data;
current->mm->end_data = end_data;
current->mm->start_stack = bprm->p;
/* Calling set_brk effectively mmaps the pages that we need
* for the bss and break sections
*/
set_brk(elf_bss, elf_brk);
padzero(elf_bss);
#if 0
printk("(start_brk) %lx\n" , (long) current->mm->start_brk);
printk("(end_code) %lx\n" , (long) current->mm->end_code);
printk("(start_code) %lx\n" , (long) current->mm->start_code);
printk("(start_data) %lx\n" , (long) current->mm->start_data);
printk("(end_data) %lx\n" , (long) current->mm->end_data);
printk("(start_stack) %lx\n" , (long) current->mm->start_stack);
printk("(brk) %lx\n" , (long) current->mm->brk);
#endif
if (current->personality & MMAP_PAGE_ZERO) {
/* Why this, you ask??? Well SVr4 maps page 0 as read-only,
and some applications "depend" upon this behavior.
Since we do not have the power to recompile these, we
emulate the SVr4 behavior. Sigh. */
/* N.B. Shouldn't the size here be PAGE_SIZE?? */
down_write(¤t->mm->mmap_sem);
error = do_mmap(NULL, 0, 4096, PROT_READ | PROT_EXEC,
MAP_FIXED | MAP_PRIVATE, 0);
up_write(¤t->mm->mmap_sem);
}
#ifdef ELF_PLAT_INIT
/*
* The ABI may specify that certain registers be set up in special
* ways (on i386 %edx is the address of a DT_FINI function, for
* example. This macro performs whatever initialization to
* the regs structure is required.
*/
ELF_PLAT_INIT(regs);
#endif
start_thread(regs, elf_entry, bprm->p);
if (current->ptrace & PT_PTRACED)
send_sig(SIGTRAP, current, 0);
retval = 0;
out:
return retval;
/* error cleanup */
out_free_dentry:
allow_write_access(interpreter);
fput(interpreter);
out_free_interp:
if (elf_interpreter)
kfree(elf_interpreter);
out_free_file:
sys_close(elf_exec_fileno);
out_free_ph:
kfree(elf_phdata);
goto out;
}
static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
{
char *cp, *i_name, *i_arg;
struct file *file;
char interp[BINPRM_BUF_SIZE];
int retval;
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') || (bprm->sh_bang))
return -ENOEXEC;
/*
* This section does the #! interpretation.
* Sorta complicated, but hopefully it will work. -TYT
*/
bprm->sh_bang = 1;
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;
bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
if ((cp = strchr(bprm->buf, '\n')) == NULL)
cp = bprm->buf+BINPRM_BUF_SIZE-1;
*cp = '\0';
while (cp > bprm->buf) {
cp--;
if ((*cp == ' ') || (*cp == '\t'))
*cp = '\0';
else
break;
}
for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
if (*cp == '\0')
return -ENOEXEC; /* No interpreter name found */
i_name = cp;
i_arg = NULL;
for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++)
/* nothing */ ;
while ((*cp == ' ') || (*cp == '\t'))
*cp++ = '\0';
if (*cp)
i_arg = cp;
strcpy (interp, i_name);
/*
* OK, we've parsed out the interpreter name and
* (optional) argument.
* Splice in (1) the interpreter's name for argv[0]
* (2) (optional) argument to interpreter
* (3) filename of shell script (replace argv[0])
*
* This is done in reverse order, because of how the
* user environment and arguments are stored.
*/
retval = remove_arg_zero(bprm);
if (retval)
return retval;
retval = copy_strings_kernel(1, &bprm->interp, bprm);
if (retval < 0) return retval;
bprm->argc++;
if (i_arg) {
retval = copy_strings_kernel(1, &i_arg, bprm);
if (retval < 0) return retval;
bprm->argc++;
}
retval = copy_strings_kernel(1, &i_name, bprm);
if (retval) return retval;
bprm->argc++;
bprm->interp = interp;
/*
* OK, now restart the process with the interpreter's dentry.
*/
file = open_exec(interp);
if (IS_ERR(file))
return PTR_ERR(file);
bprm->file = file;
retval = prepare_binprm(bprm);
if (retval < 0)
return retval;
return search_binary_handler(bprm,regs);
}
static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
{
const char *i_arg, *i_name;
char *cp;
struct file *file;
char interp[BINPRM_BUF_SIZE];
int retval;
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
(bprm->recursion_depth > BINPRM_MAX_RECURSION))
return -ENOEXEC;
/*
*/
bprm->recursion_depth++;
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;
bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
if ((cp = strchr(bprm->buf, '\n')) == NULL)
cp = bprm->buf+BINPRM_BUF_SIZE-1;
*cp = '\0';
while (cp > bprm->buf) {
cp--;
if ((*cp == ' ') || (*cp == '\t'))
*cp = '\0';
else
break;
}
for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
if (*cp == '\0')
return -ENOEXEC; /* */
i_name = cp;
i_arg = NULL;
for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++)
/* */ ;
while ((*cp == ' ') || (*cp == '\t'))
*cp++ = '\0';
if (*cp)
i_arg = cp;
strcpy (interp, i_name);
/*
*/
retval = remove_arg_zero(bprm);
if (retval)
return retval;
retval = copy_strings_kernel(1, &bprm->interp, bprm);
if (retval < 0) return retval;
bprm->argc++;
if (i_arg) {
retval = copy_strings_kernel(1, &i_arg, bprm);
if (retval < 0) return retval;
bprm->argc++;
}
retval = copy_strings_kernel(1, &i_name, bprm);
if (retval) return retval;
bprm->argc++;
bprm->interp = interp;
/*
*/
file = open_exec(interp);
if (IS_ERR(file))
return PTR_ERR(file);
bprm->file = file;
retval = prepare_binprm(bprm);
if (retval < 0)
return retval;
return search_binary_handler(bprm,regs);
}
/*
* load an fdpic binary into various bits of memory
*/
static int load_elf_fdpic_binary(struct linux_binprm *bprm, struct pt_regs *regs)
{
struct elf_fdpic_params exec_params, interp_params;
struct elf_phdr *phdr;
unsigned long stack_size;
struct file *interpreter = NULL; /* to shut gcc up */
char *interpreter_name = NULL;
int executable_stack;
int retval, i;
memset(&exec_params, 0, sizeof(exec_params));
memset(&interp_params, 0, sizeof(interp_params));
exec_params.hdr = *(struct elfhdr *) bprm->buf;
exec_params.flags = ELF_FDPIC_FLAG_PRESENT | ELF_FDPIC_FLAG_EXECUTABLE;
/* check that this is a binary we know how to deal with */
retval = -ENOEXEC;
if (!is_elf_fdpic(&exec_params.hdr, bprm->file))
goto error;
/* read the program header table */
retval = elf_fdpic_fetch_phdrs(&exec_params, bprm->file);
if (retval < 0)
goto error;
/* scan for a program header that specifies an interpreter */
phdr = exec_params.phdrs;
for (i = 0; i < exec_params.hdr.e_phnum; i++, phdr++) {
switch (phdr->p_type) {
case PT_INTERP:
retval = -ENOMEM;
if (phdr->p_filesz > PATH_MAX)
goto error;
retval = -ENOENT;
if (phdr->p_filesz < 2)
goto error;
/* read the name of the interpreter into memory */
interpreter_name = (char *) kmalloc(phdr->p_filesz, GFP_KERNEL);
if (!interpreter_name)
goto error;
retval = kernel_read(bprm->file,
phdr->p_offset,
interpreter_name,
phdr->p_filesz);
if (retval < 0)
goto error;
retval = -ENOENT;
if (interpreter_name[phdr->p_filesz - 1] != '\0')
goto error;
kdebug("Using ELF interpreter %s", interpreter_name);
/* replace the program with the interpreter */
interpreter = open_exec(interpreter_name);
retval = PTR_ERR(interpreter);
if (IS_ERR(interpreter)) {
interpreter = NULL;
goto error;
}
retval = kernel_read(interpreter, 0, bprm->buf, BINPRM_BUF_SIZE);
if (retval < 0)
goto error;
interp_params.hdr = *((struct elfhdr *) bprm->buf);
break;
case PT_LOAD:
#ifdef CONFIG_MMU
if (exec_params.load_addr == 0)
exec_params.load_addr = phdr->p_vaddr;
#endif
break;
}
}
if (elf_check_const_displacement(&exec_params.hdr))
exec_params.flags |= ELF_FDPIC_FLAG_CONSTDISP;
/* perform insanity checks on the interpreter */
if (interpreter_name) {
retval = -ELIBBAD;
if (!is_elf_fdpic(&interp_params.hdr, interpreter))
goto error;
interp_params.flags = ELF_FDPIC_FLAG_PRESENT;
/* read the interpreter's program header table */
retval = elf_fdpic_fetch_phdrs(&interp_params, interpreter);
if (retval < 0)
goto error;
}
stack_size = exec_params.stack_size;
if (stack_size < interp_params.stack_size)
stack_size = interp_params.stack_size;
if (exec_params.flags & ELF_FDPIC_FLAG_EXEC_STACK)
executable_stack = EXSTACK_ENABLE_X;
else if (exec_params.flags & ELF_FDPIC_FLAG_NOEXEC_STACK)
executable_stack = EXSTACK_DISABLE_X;
else if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK)
executable_stack = EXSTACK_ENABLE_X;
else if (interp_params.flags & ELF_FDPIC_FLAG_NOEXEC_STACK)
executable_stack = EXSTACK_DISABLE_X;
else
executable_stack = EXSTACK_DEFAULT;
retval = -ENOEXEC;
if (stack_size == 0)
goto error;
if (elf_check_const_displacement(&interp_params.hdr))
interp_params.flags |= ELF_FDPIC_FLAG_CONSTDISP;
/* flush all traces of the currently running executable */
retval = flush_old_exec(bprm);
if (retval)
goto error;
/* there's now no turning back... the old userspace image is dead,
* defunct, deceased, etc. after this point we have to exit via
* error_kill */
set_personality(PER_LINUX_FDPIC);
set_binfmt(&elf_fdpic_format);
current->mm->start_code = 0;
current->mm->end_code = 0;
current->mm->start_stack = 0;
current->mm->start_data = 0;
current->mm->end_data = 0;
current->mm->context.exec_fdpic_loadmap = 0;
current->mm->context.interp_fdpic_loadmap = 0;
current->flags &= ~PF_FORKNOEXEC;
#ifdef CONFIG_MMU
elf_fdpic_arch_lay_out_mm(&exec_params,
&interp_params,
¤t->mm->start_stack,
¤t->mm->start_brk);
#endif
/* do this so that we can load the interpreter, if need be
* - we will change some of these later
*/
set_mm_counter(current->mm, rss, 0);
#ifdef CONFIG_MMU
retval = setup_arg_pages(bprm, current->mm->start_stack, executable_stack);
if (retval < 0) {
send_sig(SIGKILL, current, 0);
goto error_kill;
}
#endif
/* load the executable and interpreter into memory */
retval = elf_fdpic_map_file(&exec_params, bprm->file, current->mm, "executable");
if (retval < 0)
goto error_kill;
if (interpreter_name) {
retval = elf_fdpic_map_file(&interp_params, interpreter,
current->mm, "interpreter");
if (retval < 0) {
printk(KERN_ERR "Unable to load interpreter\n");
goto error_kill;
}
allow_write_access(interpreter);
fput(interpreter);
interpreter = NULL;
}
#ifdef CONFIG_MMU
if (!current->mm->start_brk)
current->mm->start_brk = current->mm->end_data;
current->mm->brk = current->mm->start_brk = PAGE_ALIGN(current->mm->start_brk);
#else
/* create a stack and brk area big enough for everyone
* - the brk heap starts at the bottom and works up
* - the stack starts at the top and works down
*/
stack_size = (stack_size + PAGE_SIZE - 1) & PAGE_MASK;
if (stack_size < PAGE_SIZE * 2)
stack_size = PAGE_SIZE * 2;
down_write(¤t->mm->mmap_sem);
current->mm->start_brk = do_mmap(NULL,
0,
stack_size,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANON | MAP_GROWSDOWN,
0);
if (IS_ERR((void *) current->mm->start_brk)) {
up_write(¤t->mm->mmap_sem);
retval = current->mm->start_brk;
current->mm->start_brk = 0;
goto error_kill;
}
if (do_mremap(current->mm->start_brk,
stack_size,
ksize((char *) current->mm->start_brk),
0, 0
) == current->mm->start_brk
)
stack_size = ksize((char *) current->mm->start_brk);
up_write(¤t->mm->mmap_sem);
current->mm->brk = current->mm->start_brk;
current->mm->context.end_brk = current->mm->start_brk;
current->mm->context.end_brk += (stack_size > PAGE_SIZE) ? (stack_size - PAGE_SIZE) : 0;
current->mm->start_stack = current->mm->start_brk + stack_size;
#endif
compute_creds(bprm);
current->flags &= ~PF_FORKNOEXEC;
if (create_elf_fdpic_tables(bprm, current->mm, &exec_params, &interp_params) < 0)
goto error_kill;
kdebug("- start_code %lx", (long) current->mm->start_code);
kdebug("- end_code %lx", (long) current->mm->end_code);
kdebug("- start_data %lx", (long) current->mm->start_data);
kdebug("- end_data %lx", (long) current->mm->end_data);
kdebug("- start_brk %lx", (long) current->mm->start_brk);
kdebug("- brk %lx", (long) current->mm->brk);
kdebug("- start_stack %lx", (long) current->mm->start_stack);
#ifdef ELF_FDPIC_PLAT_INIT
/*
* The ABI may specify that certain registers be set up in special
* ways (on i386 %edx is the address of a DT_FINI function, for
* example. This macro performs whatever initialization to
* the regs structure is required.
*/
ELF_FDPIC_PLAT_INIT(regs,
exec_params.map_addr,
interp_params.map_addr,
interp_params.dynamic_addr ?: exec_params.dynamic_addr
);
#endif
/* everything is now ready... get the userspace context ready to roll */
start_thread(regs,
interp_params.entry_addr ?: exec_params.entry_addr,
current->mm->start_stack);
if (unlikely(current->ptrace & PT_PTRACED)) {
if (current->ptrace & PT_TRACE_EXEC)
ptrace_notify ((PTRACE_EVENT_EXEC << 8) | SIGTRAP);
else
send_sig(SIGTRAP, current, 0);
}
retval = 0;
error:
if (interpreter) {
allow_write_access(interpreter);
fput(interpreter);
}
if (interpreter_name)
kfree(interpreter_name);
if (exec_params.phdrs)
kfree(exec_params.phdrs);
if (exec_params.loadmap)
kfree(exec_params.loadmap);
if (interp_params.phdrs)
kfree(interp_params.phdrs);
if (interp_params.loadmap)
kfree(interp_params.loadmap);
return retval;
/* unrecoverable error - kill the process */
error_kill:
send_sig(SIGSEGV, current, 0);
goto error;
} /* end load_elf_fdpic_binary() */
LONG STDCALL map_system_dll(struct task_struct *tsk, char *name,
unsigned long *ntdll_load_addr, unsigned long *interp_load_addr)
{
NTSTATUS retval;
struct file *interpreter = NULL, *ntdll = NULL;
struct elfhdr ntdll_elf_ex, interp_elf_ex;
char buf[BINPRM_BUF_SIZE];
char ld_name[32];
ntdll = open_exec(name);
retval = PTR_ERR(ntdll);
if (IS_ERR(ntdll))
goto out;
/* read 128 Byte ELF header */
retval = kernel_read(ntdll, 0, buf, BINPRM_BUF_SIZE);
if (retval != BINPRM_BUF_SIZE) {
if (retval >= 0)
retval = -EIO;
goto out_free_ntdll;
}
/* Get the exec headers */
ntdll_elf_ex = *((struct elfhdr *)buf);
ntdll_phoff = ntdll_elf_ex.e_phoff;
ntdll_phnum = ntdll_elf_ex.e_phnum;
load_elf_interp(tsk, &ntdll_elf_ex, ntdll, ntdll_load_addr, ld_name);
if (tsk == current) {
int elf_shnum;
int elf_shsize;
elf_shdr *elf_shdata = NULL;
/* section header is not mapped to memory, need read it */
/* load section header list for ntdll */
elf_shnum = ntdll_elf_ex.e_shnum;
elf_shsize = elf_shnum * ntdll_elf_ex.e_shentsize;
elf_shdata = (elf_shdr *)kmalloc(elf_shsize, GFP_KERNEL);
if (!elf_shdata) {
retval = -ENOMEM;
goto out_free_ntdll;
}
retval = kernel_read(ntdll, ntdll_elf_ex.e_shoff, (void *)elf_shdata, elf_shsize);
if (retval != elf_shsize) {
if (retval >= 0)
retval = -EIO;
kfree(elf_shdata);
goto out_free_ntdll;
}
/* LdrInitializeThunk is used to load dll for PE exe file */
ntdll_entry = uk_find_symbol(elf_shdata, elf_shnum, "LdrInitializeThunk");
/* when interpreter done, jump to StartThunk */
start_thunk = uk_find_symbol(elf_shdata, elf_shnum, "StartThunk");
/* KiUserApcDispatcher is APC Dispatcher */
apc_dispatcher = uk_find_symbol(elf_shdata, elf_shnum, "KiUserApcDispatcher");
/* a forward function , will call BaseProcessStart in kernel32.dll.so */
pe_entry = uk_find_symbol(elf_shdata, elf_shnum, "ProcessStartForward");
thread_entry = uk_find_symbol(elf_shdata, elf_shnum, "start_thread");
#ifdef EXE_SO
ntdll_start_thunk = uk_find_symbol(elf_shdata, elf_shnum, "ntdll_start_thunk");
exeso_start_thunk = uk_find_symbol(elf_shdata, elf_shnum, "exeso_start_thunk");
#endif
kfree(elf_shdata);
}
allow_write_access(ntdll);
fput(ntdll);
interpreter = open_exec(ld_name);
retval = PTR_ERR(interpreter);
if (IS_ERR(interpreter))
goto out;
retval = kernel_read(interpreter, 0, buf, BINPRM_BUF_SIZE);
if (retval != BINPRM_BUF_SIZE) {
if (retval >= 0)
retval = -EIO;
goto out_free_interp;
}
/* Get the exec headers */
interp_elf_ex = *((struct elfhdr *)buf);
interp_entry = load_elf_interp(tsk, &interp_elf_ex, interpreter, interp_load_addr, NULL);
allow_write_access(interpreter);
fput(interpreter);
retval = 0;
out:
return retval;
out_free_ntdll:
allow_write_access(ntdll);
if (ntdll)
fput(ntdll);
goto out;
out_free_interp:
allow_write_access(interpreter);
if (interpreter)
fput(interpreter);
goto out;
} /* end map_system_dll */
