search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
configfs: fix race between dentry put and lookup
[linux-2.6.git] / fs / binfmt_aout.c
blobca0ba15a73061fb61aaee9c4951ba6097d10544b
1 /*
2 * linux/fs/binfmt_aout.c
3 *
4 * Copyright (C) 1991, 1992, 1996 Linus Torvalds
5 */
6
7 #include <linux/module.h>
8
9 #include <linux/time.h>
10 #include <linux/kernel.h>
11 #include <linux/mm.h>
12 #include <linux/mman.h>
13 #include <linux/a.out.h>
14 #include <linux/errno.h>
15 #include <linux/signal.h>
16 #include <linux/string.h>
17 #include <linux/fs.h>
18 #include <linux/file.h>
19 #include <linux/stat.h>
20 #include <linux/fcntl.h>
21 #include <linux/ptrace.h>
22 #include <linux/user.h>
23 #include <linux/binfmts.h>
24 #include <linux/personality.h>
25 #include <linux/init.h>
26 #include <linux/coredump.h>
27 #include <linux/slab.h>
28
29 #include <asm/uaccess.h>
30 #include <asm/cacheflush.h>
31 #include <asm/a.out-core.h>
32
33 static int load_aout_binary(struct linux_binprm *);
34 static int load_aout_library(struct file*);
35
36 #ifdef CONFIG_COREDUMP
37 /*
38 * Routine writes a core dump image in the current directory.
39 * Currently only a stub-function.
40 *
41 * Note that setuid/setgid files won't make a core-dump if the uid/gid
42 * changed due to the set[u|g]id. It's enforced by the "current->mm->dumpable"
43 * field, which also makes sure the core-dumps won't be recursive if the
44 * dumping of the process results in another error..
45 */
46 static int aout_core_dump(struct coredump_params *cprm)
47 {
48 mm_segment_t fs;
49 int has_dumped = 0;
50 void __user *dump_start;
51 int dump_size;
52 struct user dump;
53 #ifdef __alpha__
54 # define START_DATA(u) ((void __user *)u.start_data)
55 #else
56 # define START_DATA(u) ((void __user *)((u.u_tsize << PAGE_SHIFT) + \
57 u.start_code))
58 #endif
59 # define START_STACK(u) ((void __user *)u.start_stack)
60
61 fs = get_fs();
62 set_fs(KERNEL_DS);
63 has_dumped = 1;
64 strncpy(dump.u_comm, current->comm, sizeof(dump.u_comm));
65 dump.u_ar0 = offsetof(struct user, regs);
66 dump.signal = cprm->siginfo->si_signo;
67 aout_dump_thread(cprm->regs, &dump);
68
69 /* If the size of the dump file exceeds the rlimit, then see what would happen
70 if we wrote the stack, but not the data area. */
71 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
72 dump.u_dsize = 0;
73
74 /* Make sure we have enough room to write the stack and data areas. */
75 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
76 dump.u_ssize = 0;
77
78 /* make sure we actually have a data and stack area to dump */
79 set_fs(USER_DS);
80 if (!access_ok(VERIFY_READ, START_DATA(dump), dump.u_dsize << PAGE_SHIFT))
81 dump.u_dsize = 0;
82 if (!access_ok(VERIFY_READ, START_STACK(dump), dump.u_ssize << PAGE_SHIFT))
83 dump.u_ssize = 0;
84
85 set_fs(KERNEL_DS);
86 /* struct user */
87 if (!dump_emit(cprm, &dump, sizeof(dump)))
88 goto end_coredump;
89 /* Now dump all of the user data. Include malloced stuff as well */
90 if (!dump_skip(cprm, PAGE_SIZE - sizeof(dump)))
91 goto end_coredump;
92 /* now we start writing out the user space info */
93 set_fs(USER_DS);
94 /* Dump the data area */
95 if (dump.u_dsize != 0) {
96 dump_start = START_DATA(dump);
97 dump_size = dump.u_dsize << PAGE_SHIFT;
98 if (!dump_emit(cprm, dump_start, dump_size))
99 goto end_coredump;
100 }
101 /* Now prepare to dump the stack area */
102 if (dump.u_ssize != 0) {
103 dump_start = START_STACK(dump);
104 dump_size = dump.u_ssize << PAGE_SHIFT;
105 if (!dump_emit(cprm, dump_start, dump_size))
106 goto end_coredump;
107 }
108 end_coredump:
109 set_fs(fs);
110 return has_dumped;
111 }
112 #else
113 #define aout_core_dump NULL
114 #endif
115
116 static struct linux_binfmt aout_format = {
117 .module = THIS_MODULE,
118 .load_binary = load_aout_binary,
119 .load_shlib = load_aout_library,
120 .core_dump = aout_core_dump,
121 .min_coredump = PAGE_SIZE
122 };
123
124 #define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
125
126 static int set_brk(unsigned long start, unsigned long end)
127 {
128 start = PAGE_ALIGN(start);
129 end = PAGE_ALIGN(end);
130 if (end > start) {
131 unsigned long addr;
132 addr = vm_brk(start, end - start);
133 if (BAD_ADDR(addr))
134 return addr;
135 }
136 return 0;
137 }
138
139 /*
140 * create_aout_tables() parses the env- and arg-strings in new user
141 * memory and creates the pointer tables from them, and puts their
142 * addresses on the "stack", returning the new stack pointer value.
143 */
144 static unsigned long __user *create_aout_tables(char __user *p, struct linux_binprm * bprm)
145 {
146 char __user * __user *argv;
147 char __user * __user *envp;
148 unsigned long __user *sp;
149 int argc = bprm->argc;
150 int envc = bprm->envc;
151
152 sp = (void __user *)((-(unsigned long)sizeof(char *)) & (unsigned long) p);
153 #ifdef __alpha__
154 /* whee.. test-programs are so much fun. */
155 put_user(0, --sp);
156 put_user(0, --sp);
157 if (bprm->loader) {
158 put_user(0, --sp);
159 put_user(1003, --sp);
160 put_user(bprm->loader, --sp);
161 put_user(1002, --sp);
162 }
163 put_user(bprm->exec, --sp);
164 put_user(1001, --sp);
165 #endif
166 sp -= envc+1;
167 envp = (char __user * __user *) sp;
168 sp -= argc+1;
169 argv = (char __user * __user *) sp;
170 #ifndef __alpha__
171 put_user((unsigned long) envp,--sp);
172 put_user((unsigned long) argv,--sp);
173 #endif
174 put_user(argc,--sp);
175 current->mm->arg_start = (unsigned long) p;
176 while (argc-->0) {
177 char c;
178 put_user(p,argv++);
179 do {
180 get_user(c,p++);
181 } while (c);
182 }
183 put_user(NULL,argv);
184 current->mm->arg_end = current->mm->env_start = (unsigned long) p;
185 while (envc-->0) {
186 char c;
187 put_user(p,envp++);
188 do {
189 get_user(c,p++);
190 } while (c);
191 }
192 put_user(NULL,envp);
193 current->mm->env_end = (unsigned long) p;
194 return sp;
195 }
196
197 /*
198 * These are the functions used to load a.out style executables and shared
199 * libraries. There is no binary dependent code anywhere else.
200 */
201
202 static int load_aout_binary(struct linux_binprm * bprm)
203 {
204 struct pt_regs *regs = current_pt_regs();
205 struct exec ex;
206 unsigned long error;
207 unsigned long fd_offset;
208 unsigned long rlim;
209 int retval;
210
211 ex = *((struct exec *) bprm->buf); /* exec-header */
212 if ((N_MAGIC(ex) != ZMAGIC && N_MAGIC(ex) != OMAGIC &&
213 N_MAGIC(ex) != QMAGIC && N_MAGIC(ex) != NMAGIC) ||
214 N_TRSIZE(ex) || N_DRSIZE(ex) ||
215 i_size_read(file_inode(bprm->file)) < ex.a_text+ex.a_data+N_SYMSIZE(ex)+N_TXTOFF(ex)) {
216 return -ENOEXEC;
217 }
218
219 /*
220 * Requires a mmap handler. This prevents people from using a.out
221 * as part of an exploit attack against /proc-related vulnerabilities.
222 */
223 if (!bprm->file->f_op->mmap)
224 return -ENOEXEC;
225
226 fd_offset = N_TXTOFF(ex);
227
228 /* Check initial limits. This avoids letting people circumvent
229 * size limits imposed on them by creating programs with large
230 * arrays in the data or bss.
231 */
232 rlim = rlimit(RLIMIT_DATA);
233 if (rlim >= RLIM_INFINITY)
234 rlim = ~0;
235 if (ex.a_data + ex.a_bss > rlim)
236 return -ENOMEM;
237
238 /* Flush all traces of the currently running executable */
239 retval = flush_old_exec(bprm);
240 if (retval)
241 return retval;
242
243 /* OK, This is the point of no return */
244 #ifdef __alpha__
245 SET_AOUT_PERSONALITY(bprm, ex);
246 #else
247 set_personality(PER_LINUX);
248 #endif
249 setup_new_exec(bprm);
250
251 current->mm->end_code = ex.a_text +
252 (current->mm->start_code = N_TXTADDR(ex));
253 current->mm->end_data = ex.a_data +
254 (current->mm->start_data = N_DATADDR(ex));
255 current->mm->brk = ex.a_bss +
256 (current->mm->start_brk = N_BSSADDR(ex));
257
258 retval = setup_arg_pages(bprm, STACK_TOP, EXSTACK_DEFAULT);
259 if (retval < 0) {
260 /* Someone check-me: is this error path enough? */
261 send_sig(SIGKILL, current, 0);
262 return retval;
263 }
264
265 install_exec_creds(bprm);
266
267 if (N_MAGIC(ex) == OMAGIC) {
268 unsigned long text_addr, map_size;
269 loff_t pos;
270
271 text_addr = N_TXTADDR(ex);
272
273 #ifdef __alpha__
274 pos = fd_offset;
275 map_size = ex.a_text+ex.a_data + PAGE_SIZE - 1;
276 #else
277 pos = 32;
278 map_size = ex.a_text+ex.a_data;
279 #endif
280 error = vm_brk(text_addr & PAGE_MASK, map_size);
281 if (error != (text_addr & PAGE_MASK)) {
282 send_sig(SIGKILL, current, 0);
283 return error;
284 }
285
286 error = read_code(bprm->file, text_addr, pos,
287 ex.a_text+ex.a_data);
288 if ((signed long)error < 0) {
289 send_sig(SIGKILL, current, 0);
290 return error;
291 }
292 } else {
293 if ((ex.a_text & 0xfff || ex.a_data & 0xfff) &&
294 (N_MAGIC(ex) != NMAGIC) && printk_ratelimit())
295 {
296 printk(KERN_NOTICE "executable not page aligned\n");
297 }
298
299 if ((fd_offset & ~PAGE_MASK) != 0 && printk_ratelimit())
300 {
301 printk(KERN_WARNING
302 "fd_offset is not page aligned. Please convert program: %s\n",
303 bprm->file->f_path.dentry->d_name.name);
304 }
305
306 if (!bprm->file->f_op->mmap||((fd_offset & ~PAGE_MASK) != 0)) {
307 vm_brk(N_TXTADDR(ex), ex.a_text+ex.a_data);
308 read_code(bprm->file, N_TXTADDR(ex), fd_offset,
309 ex.a_text + ex.a_data);
310 goto beyond_if;
311 }
312
313 error = vm_mmap(bprm->file, N_TXTADDR(ex), ex.a_text,
314 PROT_READ | PROT_EXEC,
315 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
316 fd_offset);
317
318 if (error != N_TXTADDR(ex)) {
319 send_sig(SIGKILL, current, 0);
320 return error;
321 }
322
323 error = vm_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
324 PROT_READ | PROT_WRITE | PROT_EXEC,
325 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
326 fd_offset + ex.a_text);
327 if (error != N_DATADDR(ex)) {
328 send_sig(SIGKILL, current, 0);
329 return error;
330 }
331 }
332 beyond_if:
333 set_binfmt(&aout_format);
334
335 retval = set_brk(current->mm->start_brk, current->mm->brk);
336 if (retval < 0) {
337 send_sig(SIGKILL, current, 0);
338 return retval;
339 }
340
341 current->mm->start_stack =
342 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
343 #ifdef __alpha__
344 regs->gp = ex.a_gpvalue;
345 #endif
346 start_thread(regs, ex.a_entry, current->mm->start_stack);
347 return 0;
348 }
349
350 static int load_aout_library(struct file *file)
351 {
352 struct inode * inode;
353 unsigned long bss, start_addr, len;
354 unsigned long error;
355 int retval;
356 struct exec ex;
357
358 inode = file_inode(file);
359
360 retval = -ENOEXEC;
361 error = kernel_read(file, 0, (char *) &ex, sizeof(ex));
362 if (error != sizeof(ex))
363 goto out;
364
365 /* We come in here for the regular a.out style of shared libraries */
366 if ((N_MAGIC(ex) != ZMAGIC && N_MAGIC(ex) != QMAGIC) || N_TRSIZE(ex) ||
367 N_DRSIZE(ex) || ((ex.a_entry & 0xfff) && N_MAGIC(ex) == ZMAGIC) ||
368 i_size_read(inode) < ex.a_text+ex.a_data+N_SYMSIZE(ex)+N_TXTOFF(ex)) {
369 goto out;
370 }
371
372 /*
373 * Requires a mmap handler. This prevents people from using a.out
374 * as part of an exploit attack against /proc-related vulnerabilities.
375 */
376 if (!file->f_op->mmap)
377 goto out;
378
379 if (N_FLAGS(ex))
380 goto out;
381
382 /* For QMAGIC, the starting address is 0x20 into the page. We mask
383 this off to get the starting address for the page */
384
385 start_addr = ex.a_entry & 0xfffff000;
386
387 if ((N_TXTOFF(ex) & ~PAGE_MASK) != 0) {
388 if (printk_ratelimit())
389 {
390 printk(KERN_WARNING
391 "N_TXTOFF is not page aligned. Please convert library: %s\n",
392 file->f_path.dentry->d_name.name);
393 }
394 vm_brk(start_addr, ex.a_text + ex.a_data + ex.a_bss);
395
396 read_code(file, start_addr, N_TXTOFF(ex),
397 ex.a_text + ex.a_data);
398 retval = 0;
399 goto out;
400 }
401 /* Now use mmap to map the library into memory. */
402 error = vm_mmap(file, start_addr, ex.a_text + ex.a_data,
403 PROT_READ | PROT_WRITE | PROT_EXEC,
404 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
405 N_TXTOFF(ex));
406 retval = error;
407 if (error != start_addr)
408 goto out;
409
410 len = PAGE_ALIGN(ex.a_text + ex.a_data);
411 bss = ex.a_text + ex.a_data + ex.a_bss;
412 if (bss > len) {
413 error = vm_brk(start_addr + len, bss - len);
414 retval = error;
415 if (error != start_addr + len)
416 goto out;
417 }
418 retval = 0;
419 out:
420 return retval;
421 }
422
423 static int __init init_aout_binfmt(void)
424 {
425 register_binfmt(&aout_format);
426 return 0;
427 }
428
429 static void __exit exit_aout_binfmt(void)
430 {
431 unregister_binfmt(&aout_format);
432 }
433
434 core_initcall(init_aout_binfmt);
435 module_exit(exit_aout_binfmt);
436 MODULE_LICENSE("GPL");
Linus' kernel tree