4  *  Copyright (C) 1991, 1992  Linus Torvalds
 
   8  * #!-checking implemented by tytso.
 
  11  * Demand-loading implemented 01.12.91 - no need to read anything but
 
  12  * the header into memory. The inode of the executable is put into
 
  13  * "current->executable", and page faults do the actual loading. Clean.
 
  15  * Once more I can proudly say that linux stood up to being changed: it
 
  16  * was less than 2 hours work to get demand-loading completely implemented.
 
  18  * Demand loading changed July 1993 by Eric Youngdale.   Use mmap instead,
 
  19  * current->executable is only used by the procfs.  This allows a dispatch
 
  20  * table to check for several different types  of binary formats.  We keep
 
  21  * trying until we recognize the file or we run out of supported binary
 
  25 #include <linux/slab.h>
 
  26 #include <linux/file.h>
 
  27 #include <linux/mman.h>
 
  28 #include <linux/a.out.h>
 
  29 #include <linux/stat.h>
 
  30 #include <linux/fcntl.h>
 
  31 #include <linux/smp_lock.h>
 
  32 #include <linux/init.h>
 
  33 #include <linux/pagemap.h>
 
  34 #include <linux/highmem.h>
 
  35 #include <linux/spinlock.h>
 
  36 #include <linux/key.h>
 
  37 #include <linux/personality.h>
 
  38 #include <linux/binfmts.h>
 
  39 #include <linux/swap.h>
 
  40 #include <linux/utsname.h>
 
  41 #include <linux/module.h>
 
  42 #include <linux/namei.h>
 
  43 #include <linux/proc_fs.h>
 
  44 #include <linux/ptrace.h>
 
  45 #include <linux/mount.h>
 
  46 #include <linux/security.h>
 
  47 #include <linux/syscalls.h>
 
  48 #include <linux/rmap.h>
 
  49 #include <linux/tsacct_kern.h>
 
  50 #include <linux/cn_proc.h>
 
  51 #include <linux/audit.h>
 
  53 #include <asm/uaccess.h>
 
  54 #include <asm/mmu_context.h>
 
  57 #include <linux/kmod.h>
 
  61 char core_pattern[128] = "core";
     /* Template for core-dump file names, expanded by format_corename()
      * below (the fields visible there are tgid, uid, gid, signal number,
      * time of day and utsname()->nodename).  Tunable through sysctl; the
      * 128-byte bound is duplicated in sysctl.c (see the comment after
      * EXPORT_SYMBOL below), so the two must be changed together. */
 
  62 int suid_dumpable = 0;
     /* Value that flush_old_exec() stores into mm->dumpable for a task whose
      * credentials changed on exec, or whose binary it cannot read.  The
      * default 0 presumably disables core dumps for such tasks — confirm
      * against the consumers of ->dumpable.  Raising it lets set-id
      * processes dump, which can expose privileged memory to the real uid. */
 
  64 EXPORT_SYMBOL(suid_dumpable);
 
  65 /* The maximal length of core_pattern is also specified in sysctl.c */
 
  67 static struct linux_binfmt *formats;
     /* Singly linked list of registered binary-format handlers; every walk
      * or update of the list happens under binfmt_lock (writers in
      * register_binfmt()/unregister_binfmt(), readers in sys_uselib() and
      * search_binary_handler()). */
 
  68 static DEFINE_RWLOCK(binfmt_lock);
 
  70 int register_binfmt(struct linux_binfmt * fmt)
     /*
      * Link @fmt into the global 'formats' list under binfmt_lock (write
      * side).  Several body lines are omitted from this listing; the early
      * write_unlock() below is presumably an error exit taken while walking
      * the list (e.g. @fmt already registered) — confirm in the full source.
      */
 
  72         struct linux_binfmt ** tmp = &formats;
 
  78         write_lock(&binfmt_lock);
 
  81                         write_unlock(&binfmt_lock);
 
  88         write_unlock(&binfmt_lock);
 
  92 EXPORT_SYMBOL(register_binfmt);
 
  94 int unregister_binfmt(struct linux_binfmt * fmt)
     /*
      * Unlink @fmt from 'formats' under binfmt_lock (write side).  Body lines
      * are omitted from this listing; the inner write_unlock() is presumably
      * the "found and removed" exit, the final one the "not found" exit —
      * confirm in the full source.  Readers that temporarily drop the lock
      * around a handler call (sys_uselib, search_binary_handler) pin the
      * handler's module with try_module_get() instead of relying on the
      * list being stable.
      */
 
  96         struct linux_binfmt ** tmp = &formats;
 
  98         write_lock(&binfmt_lock);
 
 102                         write_unlock(&binfmt_lock);
 
 107         write_unlock(&binfmt_lock);
 
 111 EXPORT_SYMBOL(unregister_binfmt);
 
 113 static inline void put_binfmt(struct linux_binfmt * fmt)
     /* Drop the module reference that a successful try_module_get(fmt->module)
      * took (see set_binfmt() and search_binary_handler()). */
 
 115         module_put(fmt->module);
 
 119  * Note that a shared library must be both readable and executable due to
 
 122  * Also note that we take the address to load from from the file itself.
 
 124 asmlinkage long sys_uselib(const char __user * library)
     /*
      * Legacy shared-library loader: open @library and offer it to every
      * registered binfmt that implements ->load_shlib until one accepts it.
      *
      * Gating before any handler sees the file: the path lookup requests
      * FMODE_READ|FMODE_EXEC, the target must be a regular file and
      * vfs_permission() must grant MAY_READ|MAY_EXEC.  No MNT_NOEXEC test is
      * visible in this listing (open_exec() below does one); the omitted
      * lines should be checked before assuming noexec mounts are honoured
      * here.
      */
 
 130         error = __user_path_lookup_open(library, LOOKUP_FOLLOW, &nd, FMODE_READ|FMODE_EXEC);
 
 135         if (!S_ISREG(nd.dentry->d_inode->i_mode))
 
 138         error = vfs_permission(&nd, MAY_READ | MAY_EXEC);
 
 142         file = nameidata_to_filp(&nd, O_RDONLY);
 
 143         error = PTR_ERR(file);
 
 149                 struct linux_binfmt * fmt;
 
 151                 read_lock(&binfmt_lock);
 
 152                 for (fmt = formats ; fmt ; fmt = fmt->next) {
 
 153                         if (!fmt->load_shlib)
 
 155                         if (!try_module_get(fmt->module))
                             /* binfmt_lock is dropped while the handler runs, so
                              * the module reference is what keeps @fmt alive. */
 
 157                         read_unlock(&binfmt_lock);
 
 158                         error = fmt->load_shlib(file);
 
 159                         read_lock(&binfmt_lock);
 
 161                         if (error != -ENOEXEC)
                             /* -ENOEXEC means "not mine, try the next format";
                              * anything else (success or a hard error) ends the walk. */
 
 164                 read_unlock(&binfmt_lock);
 
 170         release_open_intent(&nd);
 
 176  * count() counts the number of strings in array ARGV.
 
 178 static int count(char __user * __user * argv, int max)
     /*
      * Count the entries of the user-supplied NULL-terminated pointer array
      * @argv, refusing to go past @max (do_execve() passes the number of
      * pointers that still fit in the argument area).  The loop body is
      * omitted from this listing; a get_user() fault presumably returns
      * -EFAULT and exceeding @max presumably returns -E2BIG — confirm.
      */
 
 186                         if (get_user(p, argv))
 
 200  * 'copy_strings()' copies argument/environment strings from user
 
 201  * memory to free pages in kernel mem. These are in a format ready
 
 202  * to be put directly into the top of new user memory.
 
 204 static int copy_strings(int argc, char __user * __user * argv,
 205                         struct linux_binprm *bprm)
     /*
      * Copy @argc strings from the user array @argv into bprm->page[],
      * growing downward from bprm->p so that the result can be dropped
      * straight onto the top of the new stack.  Lines are omitted from this
      * listing; the visible "argv+argc" access suggests the strings are
      * consumed last-to-first.
      *
      * Returns 0 on success, negative errno otherwise (-EFAULT on a faulting
      * pointer or an unterminated string is the presumed mapping — confirm).
      */
 
 207         struct page *kmapped_page = NULL;
 
 216                 if (get_user(str, argv+argc) ||
 217                                 !(len = strnlen_user(str, bprm->p))) {
                         /* strnlen_user() is bounded by the space still free
                          * (bprm->p), so a caller cannot feed a string that
                          * would overrun the argument pages; a 0 return
                          * (fault) is treated as an error here. */
 
 228                 /* XXX: add architecture specific overflow check here. */
 
 233                         int offset, bytes_to_copy;
 
 236                         offset = pos % PAGE_SIZE;
 
 238                         page = bprm->page[i];
 
 241                                 page = alloc_page(GFP_HIGHUSER);
                                 /* GFP_HIGHUSER without __GFP_ZERO: the page
                                  * arrives with stale contents, hence the
                                  * explicit memset()s below for the bytes no
                                  * string covers — otherwise old page data would
                                  * leak into the new process image. */
 
 242                                 bprm->page[i] = page;
 
 250                         if (page != kmapped_page) {
 
 252                                         kunmap(kmapped_page);
 
 254                                 kaddr = kmap(kmapped_page);
 
 257                                 memset(kaddr, 0, offset);
 
 258                         bytes_to_copy = PAGE_SIZE - offset;
 
 259                         if (bytes_to_copy > len) {
 
 262                                         memset(kaddr+offset+len, 0,
 263                                                 PAGE_SIZE-offset-len);
 
 265                         err = copy_from_user(kaddr+offset, str, bytes_to_copy);
                         /* Copies one page-sized chunk at a time; the string may
                          * straddle a page boundary, hence the loop below. */
 
 271                         pos += bytes_to_copy;
 
 272                         str += bytes_to_copy;
 
 273                         len -= bytes_to_copy;
 
 279                 kunmap(kmapped_page);
 
 284  * Like copy_strings, but get argv and its values from kernel memory.
 
 286 int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm)
     /*
      * copy_strings() variant for strings that live in kernel memory (e.g.
      * the filename pushed by do_execve()).  It saves the current address
      * limit and — in lines omitted here — presumably widens it with
      * set_fs(KERNEL_DS) so that copy_strings()'s user-access helpers accept
      * the kernel pointers, then restores @oldfs before returning.  Callers
      * must never pass user-controlled pointers through this path.
      */
 
 289         mm_segment_t oldfs = get_fs();
 
 291         r = copy_strings(argc, (char __user * __user *)argv, bprm);
 
 
 296 EXPORT_SYMBOL(copy_strings_kernel);
 
 300  * This routine is used to map in a page into an address space: needed by
 
 301  * execve() for the initial stack and environment pages.
 
 303  * vma->vm_mm->mmap_sem is held for writing.
 
 305 void install_arg_page(struct vm_area_struct *vma,
 306                         struct page *page, unsigned long address)
     /*
      * Map one argument page into the new stack VMA at @address as a
      * writable, dirty anonymous page.  Caller holds mm->mmap_sem for
      * writing (see the comment above this function in the original).
      * Failure paths (anon_vma_prepare() failing, or the slot already being
      * populated) fall through to the force_sig(SIGKILL) at the end: there
      * is no way to unwind an exec this far in, so the task is killed
      * rather than run with a half-built stack.
      */
 
 308         struct mm_struct *mm = vma->vm_mm;
 
 312         if (unlikely(anon_vma_prepare(vma)))
 
 315         flush_dcache_page(page);
 
 316         pte = get_locked_pte(mm, address, &ptl);
 
 319         if (!pte_none(*pte)) {
                 /* Something is already mapped here — treated as fatal. */
 
 320                 pte_unmap_unlock(pte, ptl);
 
 323         inc_mm_counter(mm, anon_rss);
 
 324         lru_cache_add_active(page);
 
 325         set_pte_at(mm, address, pte, pte_mkdirty(pte_mkwrite(mk_pte(
 326                                         page, vma->vm_page_prot))));
 
 327         page_add_new_anon_rmap(page, vma, address);
 
 328         pte_unmap_unlock(pte, ptl);
 
 330         /* no need for flush_tlb */
 
 334         force_sig(SIGKILL, current);
 
 337 #define EXTRA_STACK_VM_PAGES    20      /* random */
     /* Slack added to the initial stack VMA by setup_arg_pages() beyond the
      * pages that hold argv/envp, so the new program has room to run before
      * the stack has to grow. */
 
 339 int setup_arg_pages(struct linux_binprm *bprm,
 340                     unsigned long stack_top,
 341                     int executable_stack)
     /*
      * Build the initial stack VMA of the new image ending at @stack_top and
      * move the argument pages collected by copy_strings() into it.
      * @executable_stack (EXSTACK_ENABLE_X / EXSTACK_DISABLE_X / default)
      * decides whether the stack VMA carries VM_EXEC — the binfmt derives it
      * from the binary (e.g. PT_GNU_STACK), so this is where a file-supplied
      * attribute turns into an executable mapping.
      *
      * Returns 0 on success or the error from insert_vm_struct(); the
      * allocation-failure path is among the omitted lines.
      */
 
 343         unsigned long stack_base;
 
 344         struct vm_area_struct *mpnt;
 
 345         struct mm_struct *mm = current->mm;
 
 349 #ifdef CONFIG_STACK_GROWSUP
 
 350         /* Move the argument and environment strings to the bottom of the
 
 356         /* Start by shifting all the pages down */
 
 358         for (j = 0; j < MAX_ARG_PAGES; j++) {
 
 359                 struct page *page = bprm->page[j];
 
 362                 bprm->page[i++] = page;
 
 365         /* Now move them within their pages */
 
 366         offset = bprm->p % PAGE_SIZE;
 
 367         to = kmap(bprm->page[0]);
 
 368         for (j = 1; j < i; j++) {
 
 369                 memmove(to, to + offset, PAGE_SIZE - offset);
 
 370                 from = kmap(bprm->page[j]);
 
 371                 memcpy(to + PAGE_SIZE - offset, from, offset);
 
 372                 kunmap(bprm->page[j - 1]);
 
 375         memmove(to, to + offset, PAGE_SIZE - offset);
 
 376         kunmap(bprm->page[j - 1]);
 
 378         /* Limit stack size to 1GB */
                 /* The hard RLIMIT_STACK is only used to place the stack base
                  * on grows-up architectures; it is clamped so an unlimited
                  * rlimit cannot push the base below the address space. */
 
 379         stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max;
 
 380         if (stack_base > (1 << 30))
 
 381                 stack_base = 1 << 30;
 
 382         stack_base = PAGE_ALIGN(stack_top - stack_base);
 
 384         /* Adjust bprm->p to point to the end of the strings. */
 
 385         bprm->p = stack_base + PAGE_SIZE * i - offset;
 
 387         mm->arg_start = stack_base;
 
 388         arg_size = i << PAGE_SHIFT;
 
 390         /* zero pages that were copied above */
 
 391         while (i < MAX_ARG_PAGES)
 
 392                 bprm->page[i++] = NULL;
 
 394         stack_base = arch_align_stack(stack_top - MAX_ARG_PAGES*PAGE_SIZE);
         /* Grows-down case.  arch_align_stack() may apply an arch-specific
          * adjustment to the base (on some architectures this is where the
          * stack-start randomisation is applied) — verify for the target arch. */
 
 395         stack_base = PAGE_ALIGN(stack_base);
 
 396         bprm->p += stack_base;
         /* bprm->p, ->loader and ->exec were offsets within the argument
          * area; from here on they are absolute user addresses. */
 
 397         mm->arg_start = bprm->p;
 
 398         arg_size = stack_top - (PAGE_MASK & (unsigned long) mm->arg_start);
 
 401         arg_size += EXTRA_STACK_VM_PAGES * PAGE_SIZE;
 
 404                 bprm->loader += stack_base;
 
 405         bprm->exec += stack_base;
 
 407         mpnt = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
 
 411         memset(mpnt, 0, sizeof(*mpnt));
 
 413         down_write(&mm->mmap_sem);
 
 416 #ifdef CONFIG_STACK_GROWSUP
 
 417                 mpnt->vm_start = stack_base;
 
 418                 mpnt->vm_end = stack_base + arg_size;
 
 420                 mpnt->vm_end = stack_top;
 
 421                 mpnt->vm_start = mpnt->vm_end - arg_size;
 
 423                 /* Adjust stack execute permissions; explicitly enable
 424                  * for EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X
 425                  * and leave alone (arch default) otherwise. */
 
 426                 if (unlikely(executable_stack == EXSTACK_ENABLE_X))
 
 427                         mpnt->vm_flags = VM_STACK_FLAGS |  VM_EXEC;
 
 428                 else if (executable_stack == EXSTACK_DISABLE_X)
 
 429                         mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC;
 
 431                         mpnt->vm_flags = VM_STACK_FLAGS;
 
 432                 mpnt->vm_flags |= mm->def_flags;
 
 433                 mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7];
                 /* Page protection derives from the low three vm_flags bits
                  * (read/write/exec), so the VM_EXEC decision above is what
                  * the hardware PTEs end up enforcing. */
 
 434                 if ((ret = insert_vm_struct(mm, mpnt))) {
 
 435                         up_write(&mm->mmap_sem);
 
 436                         kmem_cache_free(vm_area_cachep, mpnt);
 
 439                 mm->stack_vm = mm->total_vm = vma_pages(mpnt);
 
 442         for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
 
 443                 struct page *page = bprm->page[i];
 
 445                         bprm->page[i] = NULL;
                         /* Ownership of the page moves to the mm; clearing the
                          * slot keeps free_arg_pages()/do_execve() from freeing
                          * it a second time. */
 
 446                         install_arg_page(mpnt, page, stack_base);
 
 448                 stack_base += PAGE_SIZE;
 
 450         up_write(&mm->mmap_sem);
 
 455 EXPORT_SYMBOL(setup_arg_pages);
 
 457 #define free_arg_pages(bprm) do { } while (0)
     /* No-op variant; the #endif on line 472 below suggests this is the
      * !CONFIG_MMU side of the guard, with the real implementation following. */
 
 461 static inline void free_arg_pages(struct linux_binprm *bprm)
     /* Release every argument page still owned by @bprm and clear the slot.
      * Pages already handed to the new mm were NULLed by setup_arg_pages(),
      * so only leftovers are freed here (the NULL test is among the omitted
      * lines). */
 
 465         for (i = 0; i < MAX_ARG_PAGES; i++) {
 
 467                         __free_page(bprm->page[i]);
 
 468                 bprm->page[i] = NULL;
 
 472 #endif /* CONFIG_MMU */
 
 474 struct file *open_exec(const char *name)
     /*
      * Open @name for execution and return the file, or an ERR_PTR.
      * The checks that make this the trusted entry point for executables:
      * the lookup asks for FMODE_READ|FMODE_EXEC, the mount must not be
      * MNT_NOEXEC, the target must be a regular file, vfs_permission() must
      * grant MAY_EXEC, and deny_write_access() then blocks writers for as
      * long as the file is being executed (the ETXTBSY mechanism; its
      * failure path is among the omitted lines).  The default result is
      * -EACCES so that any skipped branch fails closed.
      *
      * Note the inner 'int err' at line 488 shadows the outer 'err' assigned
      * at line 480; -Wshadow flags it.  The two hold different statuses but
      * the reuse of the name is easy to misread.
      */
 
 480         err = path_lookup_open(AT_FDCWD, name, LOOKUP_FOLLOW, &nd, FMODE_READ|FMODE_EXEC);
 
 484                 struct inode *inode = nd.dentry->d_inode;
 
 485                 file = ERR_PTR(-EACCES);
 
 486                 if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
 487                     S_ISREG(inode->i_mode)) {
 
 488                         int err = vfs_permission(&nd, MAY_EXEC);
 
 491                                 file = nameidata_to_filp(&nd, O_RDONLY);
 
 493                                         err = deny_write_access(file);
 
 503                 release_open_intent(&nd);
 
 509 EXPORT_SYMBOL(open_exec);
 
 511 int kernel_read(struct file *file, unsigned long offset,
 512         char *addr, unsigned long count)
     /*
      * Read @count bytes at @offset of @file into the kernel buffer @addr
      * (used by prepare_binprm() to fetch the first BINPRM_BUF_SIZE bytes).
      * The set_fs() that makes the user-pointer cast below legal, and its
      * restore, are among the omitted lines; the address-limit window must
      * be closed on every return path.  Returns the vfs_read() result
      * (bytes read or negative errno).
      */
 
 520         /* The cast to a user pointer is valid due to the set_fs() */
 
 521         result = vfs_read(file, (void __user *)addr, count, &pos);
 
 526 EXPORT_SYMBOL(kernel_read);
 
 528 static int exec_mmap(struct mm_struct *mm)
     /*
      * Switch the current task from its old address space to @mm.  The old
      * mm is checked for an in-progress core dump under its mmap_sem (see
      * the comment in the body); if one is running the exec is abandoned so
      * the dumper sees a consistent set of threads.  The old mm's reference
      * is dropped in the omitted lines.  Returns 0 or a negative errno.
      */
 
 530         struct task_struct *tsk;
 
 531         struct mm_struct * old_mm, *active_mm;
 
 533         /* Notify parent that we're no longer interested in the old VM */
 
 535         old_mm = current->mm;
 
 536         mm_release(tsk, old_mm);
 
 540                  * Make sure that if there is a core dump in progress
 541                  * for the old mm, we get out and die instead of going
 542                  * through with the exec.  We must hold mmap_sem around
 543                  * checking core_waiters and changing tsk->mm.  The
 544                  * core-inducing thread will increment core_waiters for
 545                  * each thread whose ->mm == old_mm.
 
 547                 down_read(&old_mm->mmap_sem);
 
 548                 if (unlikely(old_mm->core_waiters)) {
 
 549                         up_read(&old_mm->mmap_sem);
 
 554         active_mm = tsk->active_mm;
 
 557         activate_mm(active_mm, mm);
 
 559         arch_pick_mmap_layout(mm);
         /* Chooses the mmap base/layout for the new image; whether that
          * includes randomisation depends on the arch and task flags. */
 
 561                 up_read(&old_mm->mmap_sem);
 
 562                 BUG_ON(active_mm != old_mm);
 
 571  * This function makes sure the current process has its own signal table,
 
 572  * so that flush_signal_handlers can later reset the handlers without
 
 573  * disturbing other processes.  (Other processes might share the signal
 
 574  * table via the CLONE_SIGHAND option to clone().)
 
 576 static int de_thread(struct task_struct *tsk)
     /*
      * Make @tsk the sole member of its thread group with a private
      * sighand_struct, so the exec can reset signal handlers without
      * affecting anyone else.  Other threads are killed and waited for; if
      * @tsk is not the group leader it takes over the leader's PID and
      * start_time.  Returns 0 on success, or an error (among the omitted
      * lines) when another group-wide exit is already in progress.
      *
      * Locking: oldsighand->siglock is taken in omitted lines and released
      * at the points visible below; tasklist_lock is taken for reading to
      * zap threads and for writing to swap PIDs.
      */
 
 578         struct signal_struct *sig = tsk->signal;
 
 579         struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
 
 580         spinlock_t *lock = &oldsighand->siglock;
 
 581         struct task_struct *leader = NULL;
 
 585          * If we don't share sighandlers, then we aren't sharing anything
 586          * and we can just re-use it all.
 
 588         if (atomic_read(&oldsighand->count) <= 1) {
 
 589                 BUG_ON(atomic_read(&sig->count) != 1);
 
 594         newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
         /* Allocated up front so no allocation has to happen once other
          * threads have been killed; freed again on every path that ends up
          * not needing it. */
 
 598         if (thread_group_empty(tsk))
 
 599                 goto no_thread_group;
 
 602          * Kill all other threads in the thread group.
 603          * We must hold tasklist_lock to call zap_other_threads.
 
 605         read_lock(&tasklist_lock);
 
 607         if (sig->flags & SIGNAL_GROUP_EXIT) {
 
 609                  * Another group action in progress, just
 610                  * return so that the signal is processed.
 
 612                 spin_unlock_irq(lock);
 
 613                 read_unlock(&tasklist_lock);
 
 614                 kmem_cache_free(sighand_cachep, newsighand);
 
 619          * child_reaper ignores SIGKILL, change it now.
 620          * Reparenting needs write_lock on tasklist_lock,
 621          * so it is safe to do it under read_lock.
 
 623         if (unlikely(tsk->group_leader == child_reaper))
 
 626         zap_other_threads(tsk);
 
 627         read_unlock(&tasklist_lock);
 
 630          * Account for the thread group leader hanging around:
 
 633         if (!thread_group_leader(tsk)) {
 
 636                  * The SIGALRM timer survives the exec, but needs to point
 637                  * at us as the new group leader now.  We have a race with
 638                  * a timer firing now getting the old leader, so we need to
 639                  * synchronize with any firing (by calling del_timer_sync)
 640                  * before we can safely let the old group leader die.
 
 643                 spin_unlock_irq(lock);
 
 644                 if (hrtimer_cancel(&sig->real_timer))
 
 645                         hrtimer_restart(&sig->real_timer);
 
 648         while (atomic_read(&sig->count) > count) {
         /* Sleep until the other threads have dropped their signal_struct
          * references; the exiting threads wake group_exit_task.  'count' is
          * set in omitted lines (presumably 1, or 2 when a leader remains). */
 
 649                 sig->group_exit_task = tsk;
 
 650                 sig->notify_count = count;
 
 651                 __set_current_state(TASK_UNINTERRUPTIBLE);
 
 652                 spin_unlock_irq(lock);
 
 656         sig->group_exit_task = NULL;
 
 657         sig->notify_count = 0;
 
 658         spin_unlock_irq(lock);
 
 661          * At this point all other threads have exited, all we have to
 662          * do is to wait for the thread group leader to become inactive,
 663          * and to assume its PID:
 
 665         if (!thread_group_leader(tsk)) {
 
 667                  * Wait for the thread group leader to be a zombie.
 668                  * It should already be zombie at this point, most
 
 671                 leader = tsk->group_leader;
 
 672                 while (leader->exit_state != EXIT_ZOMBIE)
 
 676                  * The only record we have of the real-time age of a
 677                  * process, regardless of execs it's done, is start_time.
 678                  * All the past CPU time is accumulated in signal_struct
 679                  * from sister threads now dead.  But in this non-leader
 680                  * exec, nothing survives from the original leader thread,
 681                  * whose birth marks the true age of this process now.
 682                  * When we take on its identity by switching to its PID, we
 683                  * also take its birthdate (always earlier than our own).
 
 685                 tsk->start_time = leader->start_time;
 
 687                 write_lock_irq(&tasklist_lock);
 
 689                 BUG_ON(leader->tgid != tsk->tgid);
 
 690                 BUG_ON(tsk->pid == tsk->tgid);
 
 692                  * An exec() starts a new thread group with the
 693                  * TGID of the previous thread group. Rehash the
 694                  * two threads with a switched PID, and release
 695                  * the former thread group leader:
 
 698                 /* Become a process group leader with the old leader's pid.
 699                  * The old leader becomes a thread of the this thread group.
 700                  * Note: The old leader also uses this pid until release_task
 701                  *       is called.  Odd but simple and correct.
 
 703                 detach_pid(tsk, PIDTYPE_PID);
 
 704                 tsk->pid = leader->pid;
 
 705                 attach_pid(tsk, PIDTYPE_PID,  tsk->pid);
 
 706                 transfer_pid(leader, tsk, PIDTYPE_PGID);
 
 707                 transfer_pid(leader, tsk, PIDTYPE_SID);
 
 708                 list_replace_rcu(&leader->tasks, &tsk->tasks);
 
 710                 tsk->group_leader = tsk;
 
 711                 leader->group_leader = tsk;
 
 713                 tsk->exit_signal = SIGCHLD;
                 /* The exec'ing thread now reports to the parent like a
                  * process, not like a CLONE_THREAD child. */
 
 715                 BUG_ON(leader->exit_state != EXIT_ZOMBIE);
 
 716                 leader->exit_state = EXIT_DEAD;
 
 718                 write_unlock_irq(&tasklist_lock);
 
 722          * There may be one thread left which is just exiting,
 723          * but it's safe to stop telling the group to kill themselves.
 
 730                 release_task(leader);
 
 732         BUG_ON(atomic_read(&sig->count) != 1);
 
 734         if (atomic_read(&oldsighand->count) == 1) {
 
 736                  * Now that we nuked the rest of the thread group,
 737                  * it turns out we are not sharing sighand any more either.
 738                  * So we can just keep it.
 
 740                 kmem_cache_free(sighand_cachep, newsighand);
 
 743                  * Move our state over to newsighand and switch it in.
 
 745                 atomic_set(&newsighand->count, 1);
 
 746                 memcpy(newsighand->action, oldsighand->action,
 747                        sizeof(newsighand->action));
                 /* The handler table is copied here and flushed later by
                  * flush_signal_handlers() in flush_old_exec(). */
 
 749                 write_lock_irq(&tasklist_lock);
 
 750                 spin_lock(&oldsighand->siglock);
 
 751                 spin_lock_nested(&newsighand->siglock, SINGLE_DEPTH_NESTING);
 
 753                 rcu_assign_pointer(tsk->sighand, newsighand);
 
 756                 spin_unlock(&newsighand->siglock);
 
 757                 spin_unlock(&oldsighand->siglock);
 
 758                 write_unlock_irq(&tasklist_lock);
 
 760                 if (atomic_dec_and_test(&oldsighand->count))
 
 761                         kmem_cache_free(sighand_cachep, oldsighand);
 
 764         BUG_ON(!thread_group_leader(tsk));
 
 769  * These functions flushes out all traces of the currently running executable
 
 770  * so that a new one can be started
 
 773 static void flush_old_files(struct files_struct * files)
     /*
      * Close every descriptor marked close-on-exec in @files.  The bitmap
      * word is read and cleared under file_lock, then the lock is dropped
      * while the individual descriptors are closed (closing may sleep), and
      * the fdtable is re-fetched and re-bounds-checked after re-taking the
      * lock because it can have been resized meanwhile.
      */
 
 778         spin_lock(&files->file_lock);
 
 780                 unsigned long set, i;
 
 784                 fdt = files_fdtable(files);
 
 785                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
                 /* Re-checked on every iteration: the table seen on the
                  * previous pass may no longer be the current one. */
 
 787                 set = fdt->close_on_exec->fds_bits[j];
 
 790                 fdt->close_on_exec->fds_bits[j] = 0;
 
 791                 spin_unlock(&files->file_lock);
 
 792                 for ( ; set ; i++,set >>= 1) {
 
 797                 spin_lock(&files->file_lock);
 
 800         spin_unlock(&files->file_lock);
 
 803 void get_task_comm(char *buf, struct task_struct *tsk)
     /* Copy tsk->comm into @buf.  Bounded by sizeof(tsk->comm), which is
      * why @buf must be at least that large; comm is always NUL-terminated
      * because set_task_comm() writes it with strlcpy(), so the strncpy()
      * here copies the terminator as well.  The lock around the read is
      * among the omitted lines. */
 
 805         /* buf must be at least sizeof(tsk->comm) in size */
 
 807         strncpy(buf, tsk->comm, sizeof(tsk->comm));
 
 811 void set_task_comm(struct task_struct *tsk, char *buf)
     /* Set the task's short name, truncating to fit and always terminating
      * (strlcpy).  Surrounding task_lock() calls are among the omitted lines. */
 
 814         strlcpy(tsk->comm, buf, sizeof(tsk->comm));
 
 818 int flush_old_exec(struct linux_binprm * bprm)
     /*
      * Tear down the old image so the binfmt can install the new one:
      * private signal table (de_thread), private files_struct
      * (unshare_files), new mm (exec_mmap), then reset per-task state.
      * Everything up to exec_mmap() is recoverable; after the "point of no
      * return" a failure can only kill the task.
      *
      * Security-relevant state set here: mm->dumpable (only 1 when the
      * effective ids match the real ones and the binary is readable, else
      * suid_dumpable), PF_RANDOMIZE cleared (re-enabled by the binfmt per
      * image), self_exec_id bumped, inherited signal handlers and
      * close-on-exec descriptors flushed.  Returns 0 or negative errno.
      */
 
 822         struct files_struct *files;
 
 823         char tcomm[sizeof(current->comm)];
 
 826          * Make sure we have a private signal table and that
 827          * we are unassociated from the previous thread group.
 
 829         retval = de_thread(current);
 
 834          * Make sure we have private file handles. Ask the
 835          * fork helper to do the work for us and the exit
 836          * helper to do the cleanup of the old one.
 
 838         files = current->files;         /* refcounted so safe to hold */
 
 839         retval = unshare_files();
 
 843          * Release all of the old mmap stuff
 
 845         retval = exec_mmap(bprm->mm);
 
 849         bprm->mm = NULL;                /* We're using it now */
         /* search_binary_handler() uses bprm->mm == NULL as the sign that the
          * old image is gone and no other format may be retried. */
 
 851         /* This is the point of no return */
 
 852         put_files_struct(files);
 
 854         current->sas_ss_sp = current->sas_ss_size = 0;
 
 856         if (current->euid == current->uid && current->egid == current->gid)
 
 857                 current->mm->dumpable = 1;
 
 859                 current->mm->dumpable = suid_dumpable;
 
 861         name = bprm->filename;
 
 863         /* Copies the binary name from after last slash */
 
 864         for (i=0; (ch = *(name++)) != '\0';) {
 
 866                         i = 0; /* overwrite what we wrote */
 
 868                         if (i < (sizeof(tcomm) - 1))
                         /* Leaves room for the terminator; the name is
                          * truncated, never overrun. */
 
 872         set_task_comm(current, tcomm);
 
 874         current->flags &= ~PF_RANDOMIZE;
 
 877         /* Set the new mm task size. We have to do that late because it may
 878          * depend on TIF_32BIT which is only updated in flush_thread() on
 879          * some architectures like powerpc
 
 881         current->mm->task_size = TASK_SIZE;
 
 883         if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
 884             file_permission(bprm->file, MAY_READ) ||
 885             (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
         /* Second, stricter dumpable decision: a set-id transition that is
          * about to happen, a binary the caller may not read, or an
          * interpreter that insists on non-dumpability all downgrade to
          * suid_dumpable so a core file cannot reveal what the caller could
          * not read directly. */
 
 887                 current->mm->dumpable = suid_dumpable;
 
 890         /* An exec changes our domain. We are no longer part of the thread
 
 893         current->self_exec_id++;
 
 895         flush_signal_handlers(current, 0);
 
 896         flush_old_files(current->files);
 
 901         reset_files_struct(current, files);
         /* Error path (label among the omitted lines): put the original
          * files_struct back after unshare_files() succeeded but a later
          * step failed before the point of no return. */
 
 906 EXPORT_SYMBOL(flush_old_exec);
 
 909  * Fill the binprm structure from the inode. 
 
 910  * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
 
 912 int prepare_binprm(struct linux_binprm *bprm)
     /*
      * Compute the credentials the new image will run with and read its
      * first BINPRM_BUF_SIZE bytes into bprm->buf.  Called for the initial
      * file by do_execve() and again by handlers that substitute an
      * interpreter (see the /sbin/loader path in search_binary_handler()),
      * so e_uid/e_gid are recomputed per file.
      *
      * Set-id bits are honoured only when the mount is not MNT_NOSUID; a
      * set-gid bit without group-execute is treated as the mandatory-locking
      * marker, not as set-gid.  Honouring either bit also clears the
      * PER_CLEAR_ON_SETID personality bits so they cannot be inherited into
      * a privileged image.  security_bprm_set() lets an LSM veto or adjust.
      * Returns the kernel_read() result (bytes read) or a negative errno.
      */
 
 915         struct inode * inode = bprm->file->f_dentry->d_inode;
 
 918         mode = inode->i_mode;
 
 919         if (bprm->file->f_op == NULL)
 
 922         bprm->e_uid = current->euid;
 
 923         bprm->e_gid = current->egid;
 
 925         if(!(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)) {
 
 927                 if (mode & S_ISUID) {
 
 928                         current->personality &= ~PER_CLEAR_ON_SETID;
 
 929                         bprm->e_uid = inode->i_uid;
 
 934                  * If setgid is set but no group execute bit then this
 935                  * is a candidate for mandatory locking, not a setgid
 
 938                 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
 
 939                         current->personality &= ~PER_CLEAR_ON_SETID;
 
 940                         bprm->e_gid = inode->i_gid;
 
 944         /* fill in binprm security blob */
 
 945         retval = security_bprm_set(bprm);
 
 949         memset(bprm->buf,0,BINPRM_BUF_SIZE);
         /* Zeroed first so a short read leaves no stale bytes for the
          * format handlers to misinterpret. */
 
 950         return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
 
 953 EXPORT_SYMBOL(prepare_binprm);
 
 955 static int unsafe_exec(struct task_struct *p)
     /*
      * Summarise the conditions under which @p cannot safely gain privilege
      * on exec, as an LSM_UNSAFE_* bitmask for security_bprm_apply_creds():
      * being ptraced (with or without the tracer holding the capability),
      * or sharing fs, files or sighand with another task (CLONE_FS /
      * CLONE_FILES / CLONE_SIGHAND), which would let that task influence or
      * observe the privileged image.  The initial 'unsafe = 0' and the
      * return are among the omitted lines.
      */
 
 958         if (p->ptrace & PT_PTRACED) {
 
 959                 if (p->ptrace & PT_PTRACE_CAP)
 
 960                         unsafe |= LSM_UNSAFE_PTRACE_CAP;
 
 962                         unsafe |= LSM_UNSAFE_PTRACE;
 
 964         if (atomic_read(&p->fs->count) > 1 ||
 965             atomic_read(&p->files->count) > 1 ||
 966             atomic_read(&p->sighand->count) > 1)
 
 967                 unsafe |= LSM_UNSAFE_SHARE;
 
 972 void compute_creds(struct linux_binprm *bprm)
     /*
      * Commit the credentials computed by prepare_binprm() to the current
      * task.  The e_uid != uid branch (body omitted) presumably handles the
      * set-uid case (e.g. keyring handling) — confirm.  The actual id switch
      * is delegated to security_bprm_apply_creds(), called under
      * task_lock() (taken in an omitted line) with the unsafe_exec() mask
      * so the LSM can refuse to elevate a traced or sharing task.
      */
 
 976         if (bprm->e_uid != current->uid)
 
 981         unsafe = unsafe_exec(current);
 
 982         security_bprm_apply_creds(bprm, unsafe);
 
 983         task_unlock(current);
 
 984         security_bprm_post_apply_creds(bprm);
 
 987 EXPORT_SYMBOL(compute_creds);
 
 989 void remove_arg_zero(struct linux_binprm *bprm)
     /*
      * Drop argv[0] from the argument pages by advancing bprm->p past its
      * terminating NUL (interpreters such as binfmt_script replace it).
      * argv[0] sits at bprm->p and may straddle page boundaries, so the
      * loop remaps the next page whenever offset reaches PAGE_SIZE.  The
      * decrement of bprm->argc and the initial kmap_atomic() are among the
      * omitted lines.
      */
 
 992                 unsigned long offset;
 
 996                 offset = bprm->p % PAGE_SIZE;
 
 999                 while (bprm->p++, *(kaddr+offset++)) {
                 /* Comma operator: p and offset advance together; the loop
                  * stops after consuming the NUL byte. */
 
1000                         if (offset != PAGE_SIZE)
 
1003                         kunmap_atomic(kaddr, KM_USER0);
 
1005                         page = bprm->page[bprm->p/PAGE_SIZE];
 
1006                         kaddr = kmap_atomic(page, KM_USER0);
 
1008                 kunmap_atomic(kaddr, KM_USER0);
 
1013 EXPORT_SYMBOL(remove_arg_zero);
 
1016  * cycle the list of binary formats handler, until one recognizes the image
 
1018 int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
     /*
      * Offer @bprm to each registered binfmt's ->load_binary until one
      * accepts it.  Before the walk: an ECOFF "/sbin/loader" special case
      * (presumably under an architecture #ifdef in the omitted lines),
      * security_bprm_check() and audit_bprm().
      *
      * The walk runs at most twice.  If every handler returns -ENOEXEC on
      * the first pass and the old image is still intact (bprm->mm != NULL —
      * flush_old_exec() clears it at the point of no return), a module named
      * "binfmt-%04x" is requested from bytes 2-3 of the file and the walk is
      * repeated.  The printable() test skips the module request for files
      * that look like text.  Note that the module name is derived from the
      * contents of a caller-chosen file, so the modprobe policy for the
      * binfmt-* namespace is part of this surface.
      *
      * Returns the handler's result, 0 on success, or -ENOEXEC when no
      * handler claimed the file.
      */
 
1021         struct linux_binfmt *fmt;
 
1023         /* handle /sbin/loader.. */
 
1025             struct exec * eh = (struct exec *) bprm->buf;
 
1027             if (!bprm->loader && eh->fh.f_magic == 0x183 &&
1028                 (eh->fh.f_flags & 0x3000) == 0x3000)
 
1031                 unsigned long loader;
 
1033                 allow_write_access(bprm->file);
                 /* The original file is released (deny_write_access() undone)
                  * and replaced by /sbin/loader; fput() is among the omitted lines. */
 
1037                 loader = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
 
1039                 file = open_exec("/sbin/loader");
 
1040                 retval = PTR_ERR(file);
 
1044                 /* Remember if the application is TASO.  */
 
1045                 bprm->sh_bang = eh->ah.entry < 0x100000000UL;
 
1048                 bprm->loader = loader;
 
1049                 retval = prepare_binprm(bprm);
                 /* Re-derives e_uid/e_gid and bprm->buf from the loader. */
 
1052                 /* should call search_binary_handler recursively here,
1053                    but it does not matter */
 
1057         retval = security_bprm_check(bprm);
 
1061         /* kernel module loader fixup */
1062         /* so we don't try to load run modprobe in kernel space. */
 
1065         retval = audit_bprm(bprm);
 
1070         for (try=0; try<2; try++) {
 
1071                 read_lock(&binfmt_lock);
 
1072                 for (fmt = formats ; fmt ; fmt = fmt->next) {
 
1073                         int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary;
 
1076                         if (!try_module_get(fmt->module))
                         /* binfmt_lock is dropped around fn(); the module
                          * reference keeps the handler code resident. */
 
1078                         read_unlock(&binfmt_lock);
 
1079                         retval = fn(bprm, regs);
 
1082                                 allow_write_access(bprm->file);
                                 /* Success: the executable may be written to again
                                  * once it is fully mapped. */
 
1086                                 current->did_exec = 1;
 
1087                                 proc_exec_connector(current);
 
1090                         read_lock(&binfmt_lock);
 
1092                         if (retval != -ENOEXEC || bprm->mm == NULL)
                         /* Any result other than "not my format", or a handler
                          * that already passed the point of no return, ends the
                          * search — retrying after flush_old_exec() is unsafe. */
 
1095                                 read_unlock(&binfmt_lock);
 
1099                 read_unlock(&binfmt_lock);
 
1100                 if (retval != -ENOEXEC || bprm->mm == NULL) {
 
1104 #define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
 
1105                         if (printable(bprm->buf[0]) &&
1106                             printable(bprm->buf[1]) &&
1107                             printable(bprm->buf[2]) &&
1108                             printable(bprm->buf[3]))
 
1109                                 break; /* -ENOEXEC */
 
1110                         request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
                         /* Fixed format string; only the numeric suffix comes
                          * from the file.  Second pass of the outer loop follows. */
 
1117 EXPORT_SYMBOL(search_binary_handler);
 
1120  * sys_execve() executes a new program.
 
1122 int do_execve(char * filename,
1123         char __user *__user *argv,
1124         char __user *__user *envp,
1125         struct pt_regs * regs)
     /*
      * Core of execve(): open @filename through open_exec() (which applies
      * the noexec / regular-file / MAY_EXEC checks), allocate a binprm and a
      * fresh mm, count and copy the argument and environment strings, and
      * hand the result to search_binary_handler().
      *
      * The argument area is MAX_ARG_PAGES pages; bprm->p starts one pointer
      * below its top and strings are pushed downward in this order:
      * filename, envp, argv (so argv ends lowest).  count() is capped by the
      * number of pointers that still fit, so an oversized argv/envp is
      * rejected before anything is copied.
      *
      * @filename is a kernel copy (copied via copy_strings_kernel(), not
      * copy_strings()); @argv/@envp are user pointers.  On success the binprm
      * is freed and the new image is already running when this returns; on
      * failure the argument pages are freed, the LSM blob released, and
      * write access to the file re-allowed.  Error labels and returns are
      * among the omitted lines.
      */
 
1127         struct linux_binprm *bprm;
 
1133         bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
         /* Zeroed so that bprm->page[] slots and flags start NULL/0. */
 
1137         file = open_exec(filename);
 
1138         retval = PTR_ERR(file);
 
1144         bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
 
1147         bprm->filename = filename;
 
1148         bprm->interp = filename;
 
1149         bprm->mm = mm_alloc();
 
1154         retval = init_new_context(current, bprm->mm);
 
1158         bprm->argc = count(argv, bprm->p / sizeof(void *));
 
1159         if ((retval = bprm->argc) < 0)
 
1162         bprm->envc = count(envp, bprm->p / sizeof(void *));
 
1163         if ((retval = bprm->envc) < 0)
 
1166         retval = security_bprm_alloc(bprm);
 
1170         retval = prepare_binprm(bprm);
         /* Credentials and the first BINPRM_BUF_SIZE bytes of the file. */
 
1174         retval = copy_strings_kernel(1, &bprm->filename, bprm);
 
1178         bprm->exec = bprm->p;
         /* Records where the filename string sits, for AT_EXECFN-style use
          * by the binfmt (its consumer is outside this file). */
 
1179         retval = copy_strings(bprm->envc, envp, bprm);
 
1183         retval = copy_strings(bprm->argc, argv, bprm);
 
1187         retval = search_binary_handler(bprm,regs);
 
1189                 free_arg_pages(bprm);
 
1191                 /* execve success */
 
1192                 security_bprm_free(bprm);
 
1193                 acct_update_integrals(current);
 
1199         /* Something went wrong, return the inode and free the argument pages*/
 
1200         for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
 
1201                 struct page * page = bprm->page[i];
 
1207                 security_bprm_free(bprm);
 
1215                 allow_write_access(bprm->file);
                 /* Undo open_exec()'s deny_write_access() before the file is
                  * released (fput() among the omitted lines). */
 
1226 int set_binfmt(struct linux_binfmt *new)
     /*
      * Record @new as the binfmt that produced the current image, holding a
      * module reference on it for the life of the task and releasing the
      * reference on the previous one.  The reference is taken before the
      * switch and the old one dropped after, so there is no window with
      * an unpinned handler.  The NULL checks on @new/@old and the -1 return
      * on try_module_get() failure are among the omitted lines — confirm.
      */
 
1228         struct linux_binfmt *old = current->binfmt;
 
1231                 if (!try_module_get(new->module))
 
1234         current->binfmt = new;
 
1236                 module_put(old->module);
 
1240 EXPORT_SYMBOL(set_binfmt);
 
1242 #define CORENAME_MAX_SIZE 64
 
1244 /* format_corename will inspect the pattern parameter, and output a
 
1245  * name into corename, which must have space for at least
 
1246  * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
 
 *
 * @corename: output buffer of CORENAME_MAX_SIZE + 1 bytes (see do_coredump)
 * @pattern:  the core_pattern string; '%' introduces an expansion, any
 *            other character is copied literally
 * @signr:    number of the signal that caused the dump
 *
 * Expansions visible in this listing: the task's tgid, uid and gid, the
 * signal number, the UNIX time of the dump, the node name and the task's
 * comm; "%%" emits a single '%'. Every snprintf() is sized to the space left
 * before out_end, so a long expansion is cut short rather than written past
 * the buffer.
 */
1248 static void format_corename(char *corename, const char *pattern, long signr)
 
1250         const char *pat_ptr = pattern;
 
1251         char *out_ptr = corename;
 
             /* One past the last byte an expansion may write; the extra byte
              * the caller provides for the terminator lies beyond it. */
1252         char *const out_end = corename + CORENAME_MAX_SIZE;
 
             /* Presumably set by the pid expansion so that the core_uses_pid
              * fallback at the end does not append the pid a second time; the
              * assignment itself is not in view. */
1254         int pid_in_pattern = 0;
 
1256         /* Repeat as long as we have more pattern to process and more output
 
1259                 if (*pat_ptr != '%') {
 
                             /* Literal character: stop quietly once the buffer is full. */
1260                         if (out_ptr == out_end)
 
1262                         *out_ptr++ = *pat_ptr++;
 
                         /* Escape: dispatch on the character following the '%'. */
1264                         switch (*++pat_ptr) {
 
1267                         /* Double percent, output one percent */
 
1269                                 if (out_ptr == out_end)
 
                                     /* Thread-group id of the dumping task. */
1276                                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1277                                               "%d", current->tgid);
 
                                     /* rc is the length the expansion would have
                                      * needed. NOTE(review): the '>' test accepts
                                      * rc == space left, in which case snprintf()
                                      * has already dropped the last character to
                                      * fit its own terminator; if out_ptr is then
                                      * advanced by rc (not in view) the name ends
                                      * up silently one character short. The same
                                      * check is repeated after every expansion
                                      * below. */
1278                                 if (rc > out_end - out_ptr)
 
                                     /* Real uid of the dumping task.
                                      * NOTE(review): uid_t is presumably unsigned
                                      * here; "%d" would print ids >= 2^31 as
                                      * negative. Same for gid below. */
1284                                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1285                                               "%d", current->uid);
 
1286                                 if (rc > out_end - out_ptr)
 
                                     /* Real gid of the dumping task. */
1292                                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1293                                               "%d", current->gid);
 
1294                                 if (rc > out_end - out_ptr)
 
1298                         /* signal that caused the coredump */
 
                                     /* Formats @signr; the format string is on the
                                      * line that is not in view. */
1300                                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1302                                 if (rc > out_end - out_ptr)
 
1306                         /* UNIX time of coredump */
 
                                     /* Wall-clock time taken at the moment of the
                                      * dump; the format string is not in view. */
1309                                 do_gettimeofday(&tv);
 
1310                                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1312                                 if (rc > out_end - out_ptr)
 
                                     /* Node name, read under the uts_sem reader
                                      * lock because the name can be changed by
                                      * sethostname(); the matching up_read() is
                                      * not in view. */
1319                                 down_read(&uts_sem);
 
1320                                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1321                                               "%s", utsname()->nodename);
 
1323                                 if (rc > out_end - out_ptr)
 
                                     /* Task's comm, copied verbatim. NOTE(review):
                                      * comm is chosen by the task itself; nothing in
                                      * view filters characters such as '/' out of
                                      * it before it becomes part of a path, so any
                                      * such restriction must live in the caller or
                                      * in the admin's choice of core_pattern. */
1329                                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1330                                               "%s", current->comm);
 
1331                                 if (rc > out_end - out_ptr)
 
1341         /* Backward compatibility with core_uses_pid:
 
1343          * If core_pattern does not include a %p (as is the default)
 
1344          * and core_uses_pid is set, then .%pid will be appended to
 
             /* NOTE(review): "¤t" on the next line is the rendered listing's
              * mangling of "&current" (the "&curren;" HTML entity); the test
              * reads atomic_read(&current->mm->mm_users) != 1, i.e. the pid is
              * also appended whenever the mm is shared with other tasks. */
1347             && (core_uses_pid || atomic_read(¤t->mm->mm_users) != 1)) {
 
1348                 rc = snprintf(out_ptr, out_end - out_ptr,
 
1349                               ".%d", current->tgid);
 
1350                 if (rc > out_end - out_ptr)
 
/*
 * zap_process - kill every other thread of @start's thread group.
 *
 * Marks the group as exiting, then walks the group with next_thread() and,
 * for every thread other than the caller that still has an mm, counts it in
 * that mm's core_waiters, queues SIGKILL and wakes it, so the dumper can
 * later wait until they have all left the address space. Expected to run
 * with the group's siglock held: zap_threads() takes it before the branch
 * that presumably calls this (the call itself is not in view).
 */
1358 static void zap_process(struct task_struct *start)
 
1360         struct task_struct *t;
 
             /* Flag the whole group as exiting and cancel any group stop in
              * progress so the threads cannot be parked instead of dying. */
1362         start->signal->flags = SIGNAL_GROUP_EXIT;
 
1363         start->signal->group_stop_count = 0;
 
                     /* Skip the dumper itself and threads that have no mm left. */
1367                 if (t != current && t->mm) {
 
                             /* One more thread the dumper must wait for. */
1368                         t->mm->core_waiters++;
 
1369                         sigaddset(&t->pending.signal, SIGKILL);
 
1370                         signal_wake_up(t, 1);
 
             /* Circular walk of the thread group back to @start. */
1372         } while ((t = next_thread(t)) != start);
 
/*
 * zap_threads - kill every task sharing @mm before the core dump is written.
 *
 * Handles @tsk's own thread group under its siglock first, recording
 * @exit_code as the group exit code when the group was not already exiting,
 * then scans all processes for other groups that share the same mm (CLONE_VM
 * users). Returns mm->core_waiters, the number of tasks the dumper has to
 * wait for; the negative return handled by coredump_wait() is produced on a
 * line that is not in view. The parameter list continues on the next source
 * line, which is also not in view.
 */
1375 static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
 
1378         struct task_struct *g, *p;
 
1379         unsigned long flags;
 
             /* Own thread group: the signal state is serialised by our siglock. */
1382         spin_lock_irq(&tsk->sighand->siglock);
 
1383         if (!(tsk->signal->flags & SIGNAL_GROUP_EXIT)) {
 
1384                 tsk->signal->group_exit_code = exit_code;
 
1388         spin_unlock_irq(&tsk->sighand->siglock);
 
             /* Fast path: every other user of the mm is already counted as a
              * waiter (the +1 is the dumper's own reference), so no other
              * process shares the mm and the global scan can be skipped. */
1392         if (atomic_read(&mm->mm_users) == mm->core_waiters + 1)
 
             /* Slow path: look for other thread groups sharing @mm. */
1396         for_each_process(g) {
 
                     /* Our own group was dealt with above. */
1397                 if (g == tsk->group_leader)
 
1405                                          * p->sighand can't disappear, but
 
1406                                          * may be changed by de_thread()
 
                                             /* Lock the other group's siglock
                                              * through its task rather than a cached
                                              * pointer, for the reason given above. */
1408                                         lock_task_sighand(p, &flags);
 
1410                                         unlock_task_sighand(p, &flags);
 
1414                 } while ((p = next_thread(p)) != g);
 
             /* Total number of tasks that must leave the mm before dumping. */
1418         return mm->core_waiters;
 
/*
 * coredump_wait - quiesce all other users of the current mm for a core dump.
 *
 * Sets up the two completions used to synchronise with the zapped tasks,
 * kills them via zap_threads(), releases the mmap_sem write lock that
 * do_coredump() took before calling here, and then blocks until the other
 * users have checked in. Returns the number of tasks waited for, or the
 * negative value zap_threads() returned. The declaration of core_waiters
 * and the error branch are on lines that are not in view.
 */
1421 static int coredump_wait(int exit_code)
 
1423         struct task_struct *tsk = current;
 
1424         struct mm_struct *mm = tsk->mm;
 
1425         struct completion startup_done;
 
1426         struct completion *vfork_done;
 
             /* core_done is completed by do_coredump() once the dump is written;
              * startup_done is signalled by the zapped tasks and is on our stack,
              * so it must not be waited on by anyone after we return. */
1429         init_completion(&mm->core_done);
 
1430         init_completion(&startup_done);
 
1431         mm->core_startup_done = &startup_done;
 
1433         core_waiters = zap_threads(tsk, mm, exit_code);
 
             /* Drop the write lock from do_coredump(); the tasks we just
              * killed need the mm to tear down their mappings. */
1434         up_write(&mm->mmap_sem);
 
1436         if (unlikely(core_waiters < 0))
 
1440          * Make sure nobody is waiting for us to release the VM,
 
1441          * otherwise we can deadlock when we wait on each other
 
             /* Signal a vfork() parent now: it would otherwise wait for our
              * exit while we wait for it to leave the mm. */
1443         vfork_done = tsk->vfork_done;
 
1445                 tsk->vfork_done = NULL;
 
1446                 complete(vfork_done);
 
             /* Block until the zapped tasks have left the mm; the condition
              * guarding this wait is not in view. */
1450                 wait_for_completion(&startup_done);
 
             /* Every waiter must have been accounted for before we dump. */
1452         BUG_ON(mm->core_waiters);
 
1453         return core_waiters;
 
1456 int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 
1458         char corename[CORENAME_MAX_SIZE + 1];
 
1459         struct mm_struct *mm = current->mm;
 
1460         struct linux_binfmt * binfmt;
 
1461         struct inode * inode;
 
1464         int fsuid = current->fsuid;
 
1468         binfmt = current->binfmt;
 
1469         if (!binfmt || !binfmt->core_dump)
 
1471         down_write(&mm->mmap_sem);
 
1472         if (!mm->dumpable) {
 
1473                 up_write(&mm->mmap_sem);
 
1478          *      We cannot trust fsuid as being the "true" uid of the
 
1479          *      process nor do we know its entire history. We only know it
 
1480          *      was tainted so we dump it as root in mode 2.
 
1482         if (mm->dumpable == 2) {        /* Setuid core dump mode */
 
1483                 flag = O_EXCL;          /* Stop rewrite attacks */
 
1484                 current->fsuid = 0;     /* Dump root private */
 
1488         retval = coredump_wait(exit_code);
 
1493          * Clear any false indication of pending signals that might
 
1494          * be seen by the filesystem code called to write the core file.
 
1496         clear_thread_flag(TIF_SIGPENDING);
 
1498         if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
 
1502          * lock_kernel() because format_corename() is controlled by sysctl, which
 
1503          * uses lock_kernel()
 
1506         format_corename(corename, core_pattern, signr);
 
1508         if (corename[0] == '|') {
 
1509                 /* SIGPIPE can happen, but it's just never processed */
 
1510                 if(call_usermodehelper_pipe(corename+1, NULL, NULL, &file)) {
 
1511                         printk(KERN_INFO "Core dump to %s pipe failed\n",
 
1517                 file = filp_open(corename,
 
1518                                  O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
 
1521         inode = file->f_dentry->d_inode;
 
1522         if (inode->i_nlink > 1)
 
1523                 goto close_fail;        /* multiple links - don't dump */
 
1524         if (!ispipe && d_unhashed(file->f_dentry))
 
1527         /* AK: actually i see no reason to not allow this for named pipes etc.,
 
1528            but keep the previous behaviour for now. */
 
1529         if (!ispipe && !S_ISREG(inode->i_mode))
 
1533         if (!file->f_op->write)
 
1535         if (!ispipe && do_truncate(file->f_dentry, 0, 0, file) != 0)
 
1538         retval = binfmt->core_dump(signr, regs, file);
 
1541                 current->signal->group_exit_code |= 0x80;
 
1543         filp_close(file, NULL);
 
1545         current->fsuid = fsuid;
 
1546         complete_all(&mm->core_done);