search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
9596 Initial xsave xstate_bv should not include all features
[unleashed.git] / usr / src / uts / common / exec / elf / elf.c
blob141baa4aeb53d3e1d3baf6037251bf3b3d2dff74
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
27 /* All Rights Reserved */
28 /*
29 * Copyright (c) 2018, Joyent, Inc.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/thread.h>
35 #include <sys/sysmacros.h>
36 #include <sys/signal.h>
37 #include <sys/cred.h>
38 #include <sys/user.h>
39 #include <sys/errno.h>
40 #include <sys/vnode.h>
41 #include <sys/mman.h>
42 #include <sys/kmem.h>
43 #include <sys/proc.h>
44 #include <sys/pathname.h>
45 #include <sys/policy.h>
46 #include <sys/cmn_err.h>
47 #include <sys/systm.h>
48 #include <sys/elf.h>
49 #include <sys/vmsystm.h>
50 #include <sys/debug.h>
51 #include <sys/auxv.h>
52 #include <sys/exec.h>
53 #include <sys/prsystm.h>
54 #include <vm/as.h>
55 #include <vm/rm.h>
56 #include <vm/seg.h>
57 #include <vm/seg_vn.h>
58 #include <sys/modctl.h>
59 #include <sys/systeminfo.h>
60 #include <sys/vmparam.h>
61 #include <sys/machelf.h>
62 #include <sys/shm_impl.h>
63 #include <sys/archsystm.h>
64 #include <sys/fasttrap.h>
65 #include <sys/brand.h>
66 #include "elf_impl.h"
67 #include <sys/sdt.h>
68 #include <sys/siginfo.h>
69 #include <sys/random.h>
70
71 #if defined(__x86)
72 #include <sys/comm_page_util.h>
73 #include <sys/fp.h>
74 #endif /* defined(__x86) */
75
76
77 extern int at_flags;
78 extern volatile size_t aslr_max_brk_skew;
79
80 #define ORIGIN_STR "ORIGIN"
81 #define ORIGIN_STR_SIZE 6
82
83 static int getelfhead(vnode_t *, cred_t *, Ehdr *, int *, int *, int *);
84 static int getelfphdr(vnode_t *, cred_t *, const Ehdr *, int, caddr_t *,
85 ssize_t *);
86 static int getelfshdr(vnode_t *, cred_t *, const Ehdr *, int, int, caddr_t *,
87 ssize_t *, caddr_t *, ssize_t *);
88 static size_t elfsize(Ehdr *, int, caddr_t, uintptr_t *);
89 static int mapelfexec(vnode_t *, Ehdr *, int, caddr_t,
90 Phdr **, Phdr **, Phdr **, Phdr **, Phdr *,
91 caddr_t *, caddr_t *, intptr_t *, intptr_t *, size_t, long *, size_t *);
92
93 typedef enum {
94 STR_CTF,
95 STR_SYMTAB,
96 STR_DYNSYM,
97 STR_STRTAB,
98 STR_DYNSTR,
99 STR_SHSTRTAB,
100 STR_NUM
101 } shstrtype_t;
102
103 static const char *shstrtab_data[] = {
104 ".SUNW_ctf",
105 ".symtab",
106 ".dynsym",
107 ".strtab",
108 ".dynstr",
109 ".shstrtab"
110 };
111
112 typedef struct shstrtab {
113 int sst_ndx[STR_NUM];
114 int sst_cur;
115 } shstrtab_t;
116
117 static void
118 shstrtab_init(shstrtab_t *s)
119 {
120 bzero(&s->sst_ndx, sizeof (s->sst_ndx));
121 s->sst_cur = 1;
122 }
123
124 static int
125 shstrtab_ndx(shstrtab_t *s, shstrtype_t type)
126 {
127 int ret;
128
129 if ((ret = s->sst_ndx[type]) != 0)
130 return (ret);
131
132 ret = s->sst_ndx[type] = s->sst_cur;
133 s->sst_cur += strlen(shstrtab_data[type]) + 1;
134
135 return (ret);
136 }
137
138 static size_t
139 shstrtab_size(const shstrtab_t *s)
140 {
141 return (s->sst_cur);
142 }
143
144 static void
145 shstrtab_dump(const shstrtab_t *s, char *buf)
146 {
147 int i, ndx;
148
149 *buf = '\0';
150 for (i = 0; i < STR_NUM; i++) {
151 if ((ndx = s->sst_ndx[i]) != 0)
152 (void) strcpy(buf + ndx, shstrtab_data[i]);
153 }
154 }
155
156 static int
157 dtrace_safe_phdr(Phdr *phdrp, struct uarg *args, uintptr_t base)
158 {
159 ASSERT(phdrp->p_type == PT_SUNWDTRACE);
160
161 /*
162 * See the comment in fasttrap.h for information on how to safely
163 * update this program header.
164 */
165 if (phdrp->p_memsz < PT_SUNWDTRACE_SIZE ||
166 (phdrp->p_flags & (PF_R | PF_W | PF_X)) != (PF_R | PF_W | PF_X))
167 return (-1);
168
169 args->thrptr = phdrp->p_vaddr + base;
170
171 return (0);
172 }
173
174 static int
175 handle_secflag_dt(proc_t *p, uint_t dt, uint_t val)
176 {
177 uint_t flag;
178
179 switch (dt) {
180 case DT_SUNW_ASLR:
181 flag = PROC_SEC_ASLR;
182 break;
183 default:
184 return (EINVAL);
185 }
186
187 if (val == 0) {
188 if (secflag_isset(p->p_secflags.psf_lower, flag))
189 return (EPERM);
190 if ((secpolicy_psecflags(CRED(), p, p) != 0) &&
191 secflag_isset(p->p_secflags.psf_inherit, flag))
192 return (EPERM);
193
194 secflag_clear(&p->p_secflags.psf_effective, flag);
195 } else {
196 if (!secflag_isset(p->p_secflags.psf_upper, flag))
197 return (EPERM);
198
199 if ((secpolicy_psecflags(CRED(), p, p) != 0) &&
200 !secflag_isset(p->p_secflags.psf_inherit, flag))
201 return (EPERM);
202
203 secflag_set(&p->p_secflags.psf_effective, flag);
204 }
205
206 return (0);
207 }
208
209 /*
210 * Map in the executable pointed to by vp. Returns 0 on success.
211 */
212 int
213 mapexec_brand(vnode_t *vp, uarg_t *args, Ehdr *ehdr, Addr *uphdr_vaddr,
214 intptr_t *voffset, caddr_t exec_file, int *interp, caddr_t *bssbase,
215 caddr_t *brkbase, size_t *brksize, uintptr_t *lddatap)
216 {
217 size_t len;
218 struct vattr vat;
219 caddr_t phdrbase = NULL;
220 ssize_t phdrsize;
221 int nshdrs, shstrndx, nphdrs;
222 int error = 0;
223 Phdr *uphdr = NULL;
224 Phdr *junk = NULL;
225 Phdr *dynphdr = NULL;
226 Phdr *dtrphdr = NULL;
227 uintptr_t lddata;
228 long execsz;
229 intptr_t minaddr;
230
231 if (lddatap != NULL)
232 *lddatap = NULL;
233
234 if (error = execpermissions(vp, &vat, args)) {
235 uprintf("%s: Cannot execute %s\n", exec_file, args->pathname);
236 return (error);
237 }
238
239 if ((error = getelfhead(vp, CRED(), ehdr, &nshdrs, &shstrndx,
240 &nphdrs)) != 0 ||
241 (error = getelfphdr(vp, CRED(), ehdr, nphdrs, &phdrbase,
242 &phdrsize)) != 0) {
243 uprintf("%s: Cannot read %s\n", exec_file, args->pathname);
244 return (error);
245 }
246
247 if ((len = elfsize(ehdr, nphdrs, phdrbase, &lddata)) == 0) {
248 uprintf("%s: Nothing to load in %s", exec_file, args->pathname);
249 kmem_free(phdrbase, phdrsize);
250 return (ENOEXEC);
251 }
252 if (lddatap != NULL)
253 *lddatap = lddata;
254
255 if (error = mapelfexec(vp, ehdr, nphdrs, phdrbase, &uphdr, &dynphdr,
256 &junk, &dtrphdr, NULL, bssbase, brkbase, voffset, &minaddr,
257 len, &execsz, brksize)) {
258 uprintf("%s: Cannot map %s\n", exec_file, args->pathname);
259 kmem_free(phdrbase, phdrsize);
260 return (error);
261 }
262
263 /*
264 * Inform our caller if the executable needs an interpreter.
265 */
266 *interp = (dynphdr == NULL) ? 0 : 1;
267
268 /*
269 * If this is a statically linked executable, voffset should indicate
270 * the address of the executable itself (it normally holds the address
271 * of the interpreter).
272 */
273 if (ehdr->e_type == ET_EXEC && *interp == 0)
274 *voffset = minaddr;
275
276 if (uphdr != NULL) {
277 *uphdr_vaddr = uphdr->p_vaddr;
278 } else {
279 *uphdr_vaddr = (Addr)-1;
280 }
281
282 kmem_free(phdrbase, phdrsize);
283 return (error);
284 }
285
286 /*ARGSUSED*/
287 int
288 elfexec(vnode_t *vp, execa_t *uap, uarg_t *args, intpdata_t *idatap,
289 int level, long *execsz, int setid, caddr_t exec_file, cred_t *cred,
290 int brand_action)
291 {
292 caddr_t phdrbase = NULL;
293 caddr_t bssbase = 0;
294 caddr_t brkbase = 0;
295 size_t brksize = 0;
296 ssize_t dlnsize;
297 aux_entry_t *aux;
298 int error;
299 ssize_t resid;
300 int fd = -1;
301 intptr_t voffset;
302 Phdr *intphdr = NULL;
303 Phdr *dynamicphdr = NULL;
304 Phdr *stphdr = NULL;
305 Phdr *uphdr = NULL;
306 Phdr *junk = NULL;
307 size_t len;
308 ssize_t phdrsize;
309 int postfixsize = 0;
310 int i, hsize;
311 Phdr *phdrp;
312 Phdr *dataphdrp = NULL;
313 Phdr *dtrphdr;
314 Phdr *capphdr = NULL;
315 Cap *cap = NULL;
316 ssize_t capsize;
317 Dyn *dyn = NULL;
318 int hasu = 0;
319 int hasauxv = 0;
320 int hasintp = 0;
321 int branded = 0;
322
323 struct proc *p = ttoproc(curthread);
324 struct user *up = PTOU(p);
325 struct bigwad {
326 Ehdr ehdr;
327 aux_entry_t elfargs[__KERN_NAUXV_IMPL];
328 char dl_name[MAXPATHLEN];
329 char pathbuf[MAXPATHLEN];
330 struct vattr vattr;
331 struct execenv exenv;
332 } *bigwad; /* kmem_alloc this behemoth so we don't blow stack */
333 Ehdr *ehdrp;
334 int nshdrs, shstrndx, nphdrs;
335 char *dlnp;
336 char *pathbufp;
337 rlim64_t limit;
338 rlim64_t roundlimit;
339
340 ASSERT(p->p_model == DATAMODEL_ILP32 || p->p_model == DATAMODEL_LP64);
341
342 bigwad = kmem_alloc(sizeof (struct bigwad), KM_SLEEP);
343 ehdrp = &bigwad->ehdr;
344 dlnp = bigwad->dl_name;
345 pathbufp = bigwad->pathbuf;
346
347 /*
348 * Obtain ELF and program header information.
349 */
350 if ((error = getelfhead(vp, CRED(), ehdrp, &nshdrs, &shstrndx,
351 &nphdrs)) != 0 ||
352 (error = getelfphdr(vp, CRED(), ehdrp, nphdrs, &phdrbase,
353 &phdrsize)) != 0)
354 goto out;
355
356 /*
357 * Prevent executing an ELF file that has no entry point.
358 */
359 if (ehdrp->e_entry == 0) {
360 uprintf("%s: Bad entry point\n", exec_file);
361 goto bad;
362 }
363
364 /*
365 * Put data model that we're exec-ing to into the args passed to
366 * exec_args(), so it will know what it is copying to on new stack.
367 * Now that we know whether we are exec-ing a 32-bit or 64-bit
368 * executable, we can set execsz with the appropriate NCARGS.
369 */
370 #ifdef _LP64
371 if (ehdrp->e_ident[EI_CLASS] == ELFCLASS32) {
372 args->to_model = DATAMODEL_ILP32;
373 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS32-1);
374 } else {
375 args->to_model = DATAMODEL_LP64;
376 args->stk_prot &= ~PROT_EXEC;
377 #if defined(__i386) || defined(__amd64)
378 args->dat_prot &= ~PROT_EXEC;
379 #endif
380 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS64-1);
381 }
382 #else /* _LP64 */
383 args->to_model = DATAMODEL_ILP32;
384 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS-1);
385 #endif /* _LP64 */
386
387 /*
388 * We delay invoking the brand callback until we've figured out
389 * what kind of elf binary we're trying to run, 32-bit or 64-bit.
390 * We do this because now the brand library can just check
391 * args->to_model to see if the target is 32-bit or 64-bit without
392 * having do duplicate all the code above.
393 *
394 * The level checks associated with brand handling below are used to
395 * prevent a loop since the brand elfexec function typically comes back
396 * through this function. We must check <= here since the nested
397 * handling in the #! interpreter code will increment the level before
398 * calling gexec to run the final elfexec interpreter.
399 */
400 if ((level <= INTP_MAXDEPTH) &&
401 (brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) {
402 error = BROP(p)->b_elfexec(vp, uap, args,
403 idatap, level + 1, execsz, setid, exec_file, cred,
404 brand_action);
405 goto out;
406 }
407
408 /*
409 * Determine aux size now so that stack can be built
410 * in one shot (except actual copyout of aux image),
411 * determine any non-default stack protections,
412 * and still have this code be machine independent.
413 */
414 hsize = ehdrp->e_phentsize;
415 phdrp = (Phdr *)phdrbase;
416 for (i = nphdrs; i > 0; i--) {
417 switch (phdrp->p_type) {
418 case PT_INTERP:
419 hasauxv = hasintp = 1;
420 break;
421 case PT_PHDR:
422 hasu = 1;
423 break;
424 case PT_SUNWSTACK:
425 args->stk_prot = PROT_USER;
426 if (phdrp->p_flags & PF_R)
427 args->stk_prot |= PROT_READ;
428 if (phdrp->p_flags & PF_W)
429 args->stk_prot |= PROT_WRITE;
430 if (phdrp->p_flags & PF_X)
431 args->stk_prot |= PROT_EXEC;
432 break;
433 case PT_LOAD:
434 dataphdrp = phdrp;
435 break;
436 case PT_SUNWCAP:
437 capphdr = phdrp;
438 break;
439 case PT_DYNAMIC:
440 dynamicphdr = phdrp;
441 break;
442 }
443 phdrp = (Phdr *)((caddr_t)phdrp + hsize);
444 }
445
446 if (ehdrp->e_type != ET_EXEC) {
447 dataphdrp = NULL;
448 hasauxv = 1;
449 }
450
451 /* Copy BSS permissions to args->dat_prot */
452 if (dataphdrp != NULL) {
453 args->dat_prot = PROT_USER;
454 if (dataphdrp->p_flags & PF_R)
455 args->dat_prot |= PROT_READ;
456 if (dataphdrp->p_flags & PF_W)
457 args->dat_prot |= PROT_WRITE;
458 if (dataphdrp->p_flags & PF_X)
459 args->dat_prot |= PROT_EXEC;
460 }
461
462 /*
463 * If a auxvector will be required - reserve the space for
464 * it now. This may be increased by exec_args if there are
465 * ISA-specific types (included in __KERN_NAUXV_IMPL).
466 */
467 if (hasauxv) {
468 /*
469 * If a AUX vector is being built - the base AUX
470 * entries are:
471 *
472 * AT_BASE
473 * AT_FLAGS
474 * AT_PAGESZ
475 * AT_SUN_AUXFLAGS
476 * AT_SUN_HWCAP
477 * AT_SUN_HWCAP2
478 * AT_SUN_PLATFORM (added in stk_copyout)
479 * AT_SUN_EXECNAME (added in stk_copyout)
480 * AT_NULL
481 *
482 * total == 9
483 */
484 if (hasintp && hasu) {
485 /*
486 * Has PT_INTERP & PT_PHDR - the auxvectors that
487 * will be built are:
488 *
489 * AT_PHDR
490 * AT_PHENT
491 * AT_PHNUM
492 * AT_ENTRY
493 * AT_LDDATA
494 *
495 * total = 5
496 */
497 args->auxsize = (9 + 5) * sizeof (aux_entry_t);
498 } else if (hasintp) {
499 /*
500 * Has PT_INTERP but no PT_PHDR
501 *
502 * AT_EXECFD
503 * AT_LDDATA
504 *
505 * total = 2
506 */
507 args->auxsize = (9 + 2) * sizeof (aux_entry_t);
508 } else {
509 args->auxsize = 9 * sizeof (aux_entry_t);
510 }
511 } else {
512 args->auxsize = 0;
513 }
514
515 /*
516 * If this binary is using an emulator, we need to add an
517 * AT_SUN_EMULATOR aux entry.
518 */
519 if (args->emulator != NULL)
520 args->auxsize += sizeof (aux_entry_t);
521
522 /*
523 * On supported kernels (x86_64) make room in the auxv for the
524 * AT_SUN_COMMPAGE entry. This will go unpopulated on i86xpv systems
525 * which do not provide such functionality.
526 *
527 * Additionally cover the floating point information AT_SUN_FPSIZE and
528 * AT_SUN_FPTYPE.
529 */
530 #if defined(__amd64)
531 args->auxsize += 3 * sizeof (aux_entry_t);
532 #endif /* defined(__amd64) */
533
534 if ((brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) {
535 branded = 1;
536 /*
537 * We will be adding 4 entries to the aux vectors. One for
538 * the the brandname and 3 for the brand specific aux vectors.
539 */
540 args->auxsize += 4 * sizeof (aux_entry_t);
541 }
542
543 /* If the binary has an explicit ASLR flag, it must be honoured */
544 if ((dynamicphdr != NULL) &&
545 (dynamicphdr->p_filesz > 0)) {
546 Dyn *dp;
547 off_t i = 0;
548
549 #define DYN_STRIDE 100
550 for (i = 0; i < dynamicphdr->p_filesz;
551 i += sizeof (*dyn) * DYN_STRIDE) {
552 int ndyns = (dynamicphdr->p_filesz - i) / sizeof (*dyn);
553 size_t dynsize;
554
555 ndyns = MIN(DYN_STRIDE, ndyns);
556 dynsize = ndyns * sizeof (*dyn);
557
558 dyn = kmem_alloc(dynsize, KM_SLEEP);
559
560 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)dyn,
561 dynsize, (offset_t)(dynamicphdr->p_offset + i),
562 UIO_SYSSPACE, 0, (rlim64_t)0,
563 CRED(), &resid)) != 0) {
564 uprintf("%s: cannot read .dynamic section\n",
565 exec_file);
566 goto out;
567 }
568
569 for (dp = dyn; dp < (dyn + ndyns); dp++) {
570 if (dp->d_tag == DT_SUNW_ASLR) {
571 if ((error = handle_secflag_dt(p,
572 DT_SUNW_ASLR,
573 dp->d_un.d_val)) != 0) {
574 uprintf("%s: error setting "
575 "security-flag from "
576 "DT_SUNW_ASLR: %d\n",
577 exec_file, error);
578 goto out;
579 }
580 }
581 }
582
583 kmem_free(dyn, dynsize);
584 }
585 }
586
587 /* Hardware/Software capabilities */
588 if (capphdr != NULL &&
589 (capsize = capphdr->p_filesz) > 0 &&
590 capsize <= 16 * sizeof (*cap)) {
591 int ncaps = capsize / sizeof (*cap);
592 Cap *cp;
593
594 cap = kmem_alloc(capsize, KM_SLEEP);
595 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)cap,
596 capsize, (offset_t)capphdr->p_offset,
597 UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) != 0) {
598 uprintf("%s: Cannot read capabilities section\n",
599 exec_file);
600 goto out;
601 }
602 for (cp = cap; cp < cap + ncaps; cp++) {
603 if (cp->c_tag == CA_SUNW_SF_1 &&
604 (cp->c_un.c_val & SF1_SUNW_ADDR32)) {
605 if (args->to_model == DATAMODEL_LP64)
606 args->addr32 = 1;
607 break;
608 }
609 }
610 }
611
612 aux = bigwad->elfargs;
613 /*
614 * Move args to the user's stack.
615 * This can fill in the AT_SUN_PLATFORM and AT_SUN_EXECNAME aux entries.
616 */
617 if ((error = exec_args(uap, args, idatap, (void **)&aux)) != 0) {
618 if (error == -1) {
619 error = ENOEXEC;
620 goto bad;
621 }
622 goto out;
623 }
624 /* we're single threaded after this point */
625
626 /*
627 * If this is an ET_DYN executable (shared object),
628 * determine its memory size so that mapelfexec() can load it.
629 */
630 if (ehdrp->e_type == ET_DYN)
631 len = elfsize(ehdrp, nphdrs, phdrbase, NULL);
632 else
633 len = 0;
634
635 dtrphdr = NULL;
636
637 if ((error = mapelfexec(vp, ehdrp, nphdrs, phdrbase, &uphdr, &intphdr,
638 &stphdr, &dtrphdr, dataphdrp, &bssbase, &brkbase, &voffset, NULL,
639 len, execsz, &brksize)) != 0)
640 goto bad;
641
642 if (uphdr != NULL && intphdr == NULL)
643 goto bad;
644
645 if (dtrphdr != NULL && dtrace_safe_phdr(dtrphdr, args, voffset) != 0) {
646 uprintf("%s: Bad DTrace phdr in %s\n", exec_file, exec_file);
647 goto bad;
648 }
649
650 if (intphdr != NULL) {
651 size_t len;
652 uintptr_t lddata;
653 char *p;
654 struct vnode *nvp;
655
656 dlnsize = intphdr->p_filesz;
657
658 if (dlnsize > MAXPATHLEN || dlnsize <= 0)
659 goto bad;
660
661 /*
662 * Read in "interpreter" pathname.
663 */
664 if ((error = vn_rdwr(UIO_READ, vp, dlnp, intphdr->p_filesz,
665 (offset_t)intphdr->p_offset, UIO_SYSSPACE, 0, (rlim64_t)0,
666 CRED(), &resid)) != 0) {
667 uprintf("%s: Cannot obtain interpreter pathname\n",
668 exec_file);
669 goto bad;
670 }
671
672 if (resid != 0 || dlnp[dlnsize - 1] != '\0')
673 goto bad;
674
675 /*
676 * Search for '$ORIGIN' token in interpreter path.
677 * If found, expand it.
678 */
679 for (p = dlnp; p = strchr(p, '$'); ) {
680 uint_t len, curlen;
681 char *_ptr;
682
683 if (strncmp(++p, ORIGIN_STR, ORIGIN_STR_SIZE))
684 continue;
685
686 /*
687 * We don't support $ORIGIN on setid programs to close
688 * a potential attack vector.
689 */
690 if ((setid & EXECSETID_SETID) != 0) {
691 error = ENOEXEC;
692 goto bad;
693 }
694
695 curlen = 0;
696 len = p - dlnp - 1;
697 if (len) {
698 bcopy(dlnp, pathbufp, len);
699 curlen += len;
700 }
701 if (_ptr = strrchr(args->pathname, '/')) {
702 len = _ptr - args->pathname;
703 if ((curlen + len) > MAXPATHLEN)
704 break;
705
706 bcopy(args->pathname, &pathbufp[curlen], len);
707 curlen += len;
708 } else {
709 /*
710 * executable is a basename found in the
711 * current directory. So - just substitue
712 * '.' for ORIGIN.
713 */
714 pathbufp[curlen] = '.';
715 curlen++;
716 }
717 p += ORIGIN_STR_SIZE;
718 len = strlen(p);
719
720 if ((curlen + len) > MAXPATHLEN)
721 break;
722 bcopy(p, &pathbufp[curlen], len);
723 curlen += len;
724 pathbufp[curlen++] = '\0';
725 bcopy(pathbufp, dlnp, curlen);
726 }
727
728 /*
729 * /usr/lib/ld.so.1 is known to be a symlink to /lib/ld.so.1
730 * (and /usr/lib/64/ld.so.1 is a symlink to /lib/64/ld.so.1).
731 * Just in case /usr is not mounted, change it now.
732 */
733 if (strcmp(dlnp, USR_LIB_RTLD) == 0)
734 dlnp += 4;
735 error = lookupname(dlnp, UIO_SYSSPACE, FOLLOW, NULLVPP, &nvp);
736 if (error && dlnp != bigwad->dl_name) {
737 /* new kernel, old user-level */
738 error = lookupname(dlnp -= 4, UIO_SYSSPACE, FOLLOW,
739 NULLVPP, &nvp);
740 }
741 if (error) {
742 uprintf("%s: Cannot find %s\n", exec_file, dlnp);
743 goto bad;
744 }
745
746 /*
747 * Setup the "aux" vector.
748 */
749 if (uphdr) {
750 if (ehdrp->e_type == ET_DYN) {
751 /* don't use the first page */
752 bigwad->exenv.ex_brkbase = (caddr_t)PAGESIZE;
753 bigwad->exenv.ex_bssbase = (caddr_t)PAGESIZE;
754 } else {
755 bigwad->exenv.ex_bssbase = bssbase;
756 bigwad->exenv.ex_brkbase = brkbase;
757 }
758 bigwad->exenv.ex_brksize = brksize;
759 bigwad->exenv.ex_magic = elfmagic;
760 bigwad->exenv.ex_vp = vp;
761 setexecenv(&bigwad->exenv);
762
763 ADDAUX(aux, AT_PHDR, uphdr->p_vaddr + voffset)
764 ADDAUX(aux, AT_PHENT, ehdrp->e_phentsize)
765 ADDAUX(aux, AT_PHNUM, nphdrs)
766 ADDAUX(aux, AT_ENTRY, ehdrp->e_entry + voffset)
767 } else {
768 if ((error = execopen(&vp, &fd)) != 0) {
769 VN_RELE(nvp);
770 goto bad;
771 }
772
773 ADDAUX(aux, AT_EXECFD, fd)
774 }
775
776 if ((error = execpermissions(nvp, &bigwad->vattr, args)) != 0) {
777 VN_RELE(nvp);
778 uprintf("%s: Cannot execute %s\n", exec_file, dlnp);
779 goto bad;
780 }
781
782 /*
783 * Now obtain the ELF header along with the entire program
784 * header contained in "nvp".
785 */
786 kmem_free(phdrbase, phdrsize);
787 phdrbase = NULL;
788 if ((error = getelfhead(nvp, CRED(), ehdrp, &nshdrs,
789 &shstrndx, &nphdrs)) != 0 ||
790 (error = getelfphdr(nvp, CRED(), ehdrp, nphdrs, &phdrbase,
791 &phdrsize)) != 0) {
792 VN_RELE(nvp);
793 uprintf("%s: Cannot read %s\n", exec_file, dlnp);
794 goto bad;
795 }
796
797 /*
798 * Determine memory size of the "interpreter's" loadable
799 * sections. This size is then used to obtain the virtual
800 * address of a hole, in the user's address space, large
801 * enough to map the "interpreter".
802 */
803 if ((len = elfsize(ehdrp, nphdrs, phdrbase, &lddata)) == 0) {
804 VN_RELE(nvp);
805 uprintf("%s: Nothing to load in %s\n", exec_file, dlnp);
806 goto bad;
807 }
808
809 dtrphdr = NULL;
810
811 error = mapelfexec(nvp, ehdrp, nphdrs, phdrbase, &junk, &junk,
812 &junk, &dtrphdr, NULL, NULL, NULL, &voffset, NULL, len,
813 execsz, NULL);
814 if (error || junk != NULL) {
815 VN_RELE(nvp);
816 uprintf("%s: Cannot map %s\n", exec_file, dlnp);
817 goto bad;
818 }
819
820 /*
821 * We use the DTrace program header to initialize the
822 * architecture-specific user per-LWP location. The dtrace
823 * fasttrap provider requires ready access to per-LWP scratch
824 * space. We assume that there is only one such program header
825 * in the interpreter.
826 */
827 if (dtrphdr != NULL &&
828 dtrace_safe_phdr(dtrphdr, args, voffset) != 0) {
829 VN_RELE(nvp);
830 uprintf("%s: Bad DTrace phdr in %s\n", exec_file, dlnp);
831 goto bad;
832 }
833
834 VN_RELE(nvp);
835 ADDAUX(aux, AT_SUN_LDDATA, voffset + lddata)
836 }
837
838 if (hasauxv) {
839 int auxf = AF_SUN_HWCAPVERIFY;
840 size_t fpsize;
841 int fptype;
842
843 /*
844 * Note: AT_SUN_PLATFORM and AT_SUN_EXECNAME were filled in via
845 * exec_args()
846 */
847 ADDAUX(aux, AT_BASE, voffset)
848 ADDAUX(aux, AT_FLAGS, at_flags)
849 ADDAUX(aux, AT_PAGESZ, PAGESIZE)
850 /*
851 * Linker flags. (security)
852 * p_flag not yet set at this time.
853 * We rely on gexec() to provide us with the information.
854 * If the application is set-uid but this is not reflected
855 * in a mismatch between real/effective uids/gids, then
856 * don't treat this as a set-uid exec. So we care about
857 * the EXECSETID_UGIDS flag but not the ...SETID flag.
858 */
859 if ((setid &= ~EXECSETID_SETID) != 0)
860 auxf |= AF_SUN_SETUGID;
861
862 /*
863 * If we're running a native process from within a branded
864 * zone under pfexec then we clear the AF_SUN_SETUGID flag so
865 * that the native ld.so.1 is able to link with the native
866 * libraries instead of using the brand libraries that are
867 * installed in the zone. We only do this for processes
868 * which we trust because we see they are already running
869 * under pfexec (where uid != euid). This prevents a
870 * malicious user within the zone from crafting a wrapper to
871 * run native suid commands with unsecure libraries interposed.
872 */
873 if ((brand_action == EBA_NATIVE) && (PROC_IS_BRANDED(p) &&
874 (setid &= ~EXECSETID_SETID) != 0))
875 auxf &= ~AF_SUN_SETUGID;
876
877 /*
878 * Record the user addr of the auxflags aux vector entry
879 * since brands may optionally want to manipulate this field.
880 */
881 args->auxp_auxflags =
882 (char *)((char *)args->stackend +
883 ((char *)&aux->a_type -
884 (char *)bigwad->elfargs));
885 ADDAUX(aux, AT_SUN_AUXFLAGS, auxf);
886
887 /*
888 * Hardware capability flag word (performance hints)
889 * Used for choosing faster library routines.
890 * (Potentially different between 32-bit and 64-bit ABIs)
891 */
892 #if defined(_LP64)
893 if (args->to_model == DATAMODEL_NATIVE) {
894 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap)
895 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap_2)
896 } else {
897 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap32)
898 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap32_2)
899 }
900 #else
901 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap)
902 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap_2)
903 #endif
904 if (branded) {
905 /*
906 * Reserve space for the brand-private aux vectors,
907 * and record the user addr of that space.
908 */
909 args->auxp_brand =
910 (char *)((char *)args->stackend +
911 ((char *)&aux->a_type -
912 (char *)bigwad->elfargs));
913 ADDAUX(aux, AT_SUN_BRAND_AUX1, 0)
914 ADDAUX(aux, AT_SUN_BRAND_AUX2, 0)
915 ADDAUX(aux, AT_SUN_BRAND_AUX3, 0)
916 }
917
918 /*
919 * Add the comm page auxv entry, mapping it in if needed. Also
920 * take care of the FPU entries.
921 */
922 #if defined(__amd64)
923 if (args->commpage != NULL ||
924 (args->commpage = (uintptr_t)comm_page_mapin()) != NULL) {
925 ADDAUX(aux, AT_SUN_COMMPAGE, args->commpage)
926 } else {
927 /*
928 * If the comm page cannot be mapped, pad out the auxv
929 * to satisfy later size checks.
930 */
931 ADDAUX(aux, AT_NULL, 0)
932 }
933
934 fptype = AT_386_FPINFO_NONE;
935 fpu_auxv_info(&fptype, &fpsize);
936 if (fptype != AT_386_FPINFO_NONE) {
937 ADDAUX(aux, AT_SUN_FPTYPE, fptype)
938 ADDAUX(aux, AT_SUN_FPSIZE, fpsize)
939 } else {
940 ADDAUX(aux, AT_NULL, 0)
941 ADDAUX(aux, AT_NULL, 0)
942 }
943 #endif /* defined(__amd64) */
944
945 ADDAUX(aux, AT_NULL, 0)
946 postfixsize = (char *)aux - (char *)bigwad->elfargs;
947
948 /*
949 * We make assumptions above when we determine how many aux
950 * vector entries we will be adding. However, if we have an
951 * invalid elf file, it is possible that mapelfexec might
952 * behave differently (but not return an error), in which case
953 * the number of aux entries we actually add will be different.
954 * We detect that now and error out.
955 */
956 if (postfixsize != args->auxsize) {
957 DTRACE_PROBE2(elfexec_badaux, int, postfixsize,
958 int, args->auxsize);
959 goto bad;
960 }
961 ASSERT(postfixsize <= __KERN_NAUXV_IMPL * sizeof (aux_entry_t));
962 }
963
964 /*
965 * For the 64-bit kernel, the limit is big enough that rounding it up
966 * to a page can overflow the 64-bit limit, so we check for btopr()
967 * overflowing here by comparing it with the unrounded limit in pages.
968 * If it hasn't overflowed, compare the exec size with the rounded up
969 * limit in pages. Otherwise, just compare with the unrounded limit.
970 */
971 limit = btop(p->p_vmem_ctl);
972 roundlimit = btopr(p->p_vmem_ctl);
973 if ((roundlimit > limit && *execsz > roundlimit) ||
974 (roundlimit < limit && *execsz > limit)) {
975 mutex_enter(&p->p_lock);
976 (void) rctl_action(rctlproc_legacy[RLIMIT_VMEM], p->p_rctls, p,
977 RCA_SAFE);
978 mutex_exit(&p->p_lock);
979 error = ENOMEM;
980 goto bad;
981 }
982
983 bzero(up->u_auxv, sizeof (up->u_auxv));
984 up->u_commpagep = args->commpage;
985 if (postfixsize) {
986 int num_auxv;
987
988 /*
989 * Copy the aux vector to the user stack.
990 */
991 error = execpoststack(args, bigwad->elfargs, postfixsize);
992 if (error)
993 goto bad;
994
995 /*
996 * Copy auxv to the process's user structure for use by /proc.
997 * If this is a branded process, the brand's exec routine will
998 * copy it's private entries to the user structure later. It
999 * relies on the fact that the blank entries are at the end.
1000 */
1001 num_auxv = postfixsize / sizeof (aux_entry_t);
1002 ASSERT(num_auxv <= sizeof (up->u_auxv) / sizeof (auxv_t));
1003 aux = bigwad->elfargs;
1004 for (i = 0; i < num_auxv; i++) {
1005 up->u_auxv[i].a_type = aux[i].a_type;
1006 up->u_auxv[i].a_un.a_val = (aux_val_t)aux[i].a_un.a_val;
1007 }
1008 }
1009
1010 /*
1011 * Pass back the starting address so we can set the program counter.
1012 */
1013 args->entry = (uintptr_t)(ehdrp->e_entry + voffset);
1014
1015 if (!uphdr) {
1016 if (ehdrp->e_type == ET_DYN) {
1017 /*
1018 * If we are executing a shared library which doesn't
1019 * have a interpreter (probably ld.so.1) then
1020 * we don't set the brkbase now. Instead we
1021 * delay it's setting until the first call
1022 * via grow.c::brk(). This permits ld.so.1 to
1023 * initialize brkbase to the tail of the executable it
1024 * loads (which is where it needs to be).
1025 */
1026 bigwad->exenv.ex_brkbase = (caddr_t)0;
1027 bigwad->exenv.ex_bssbase = (caddr_t)0;
1028 bigwad->exenv.ex_brksize = 0;
1029 } else {
1030 bigwad->exenv.ex_brkbase = brkbase;
1031 bigwad->exenv.ex_bssbase = bssbase;
1032 bigwad->exenv.ex_brksize = brksize;
1033 }
1034 bigwad->exenv.ex_magic = elfmagic;
1035 bigwad->exenv.ex_vp = vp;
1036 setexecenv(&bigwad->exenv);
1037 }
1038
1039 ASSERT(error == 0);
1040 goto out;
1041
1042 bad:
1043 if (fd != -1) /* did we open the a.out yet */
1044 (void) execclose(fd);
1045
1046 psignal(p, SIGKILL);
1047
1048 if (error == 0)
1049 error = ENOEXEC;
1050 out:
1051 if (phdrbase != NULL)
1052 kmem_free(phdrbase, phdrsize);
1053 if (cap != NULL)
1054 kmem_free(cap, capsize);
1055 kmem_free(bigwad, sizeof (struct bigwad));
1056 return (error);
1057 }
1058
1059 /*
1060 * Compute the memory size requirement for the ELF file.
1061 */
1062 static size_t
1063 elfsize(Ehdr *ehdrp, int nphdrs, caddr_t phdrbase, uintptr_t *lddata)
1064 {
1065 size_t len;
1066 Phdr *phdrp = (Phdr *)phdrbase;
1067 int hsize = ehdrp->e_phentsize;
1068 int first = 1;
1069 int dfirst = 1; /* first data segment */
1070 uintptr_t loaddr = 0;
1071 uintptr_t hiaddr = 0;
1072 uintptr_t lo, hi;
1073 int i;
1074
1075 for (i = nphdrs; i > 0; i--) {
1076 if (phdrp->p_type == PT_LOAD) {
1077 lo = phdrp->p_vaddr;
1078 hi = lo + phdrp->p_memsz;
1079 if (first) {
1080 loaddr = lo;
1081 hiaddr = hi;
1082 first = 0;
1083 } else {
1084 if (loaddr > lo)
1085 loaddr = lo;
1086 if (hiaddr < hi)
1087 hiaddr = hi;
1088 }
1089
1090 /*
1091 * save the address of the first data segment
1092 * of a object - used for the AT_SUNW_LDDATA
1093 * aux entry.
1094 */
1095 if ((lddata != NULL) && dfirst &&
1096 (phdrp->p_flags & PF_W)) {
1097 *lddata = lo;
1098 dfirst = 0;
1099 }
1100 }
1101 phdrp = (Phdr *)((caddr_t)phdrp + hsize);
1102 }
1103
1104 len = hiaddr - (loaddr & PAGEMASK);
1105 len = roundup(len, PAGESIZE);
1106
1107 return (len);
1108 }
1109
1110 /*
1111 * Read in the ELF header and program header table.
1112 * SUSV3 requires:
1113 * ENOEXEC File format is not recognized
1114 * EINVAL Format recognized but execution not supported
1115 */
1116 static int
1117 getelfhead(vnode_t *vp, cred_t *credp, Ehdr *ehdr, int *nshdrs, int *shstrndx,
1118 int *nphdrs)
1119 {
1120 int error;
1121 ssize_t resid;
1122
1123 /*
1124 * We got here by the first two bytes in ident,
1125 * now read the entire ELF header.
1126 */
1127 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)ehdr,
1128 sizeof (Ehdr), (offset_t)0, UIO_SYSSPACE, 0,
1129 (rlim64_t)0, credp, &resid)) != 0)
1130 return (error);
1131
1132 /*
1133 * Since a separate version is compiled for handling 32-bit and
1134 * 64-bit ELF executables on a 64-bit kernel, the 64-bit version
1135 * doesn't need to be able to deal with 32-bit ELF files.
1136 */
1137 if (resid != 0 ||
1138 ehdr->e_ident[EI_MAG2] != ELFMAG2 ||
1139 ehdr->e_ident[EI_MAG3] != ELFMAG3)
1140 return (ENOEXEC);
1141
1142 if ((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN) ||
1143 #if defined(_ILP32) || defined(_ELF32_COMPAT)
1144 ehdr->e_ident[EI_CLASS] != ELFCLASS32 ||
1145 #else
1146 ehdr->e_ident[EI_CLASS] != ELFCLASS64 ||
1147 #endif
1148 !elfheadcheck(ehdr->e_ident[EI_DATA], ehdr->e_machine,
1149 ehdr->e_flags))
1150 return (EINVAL);
1151
1152 *nshdrs = ehdr->e_shnum;
1153 *shstrndx = ehdr->e_shstrndx;
1154 *nphdrs = ehdr->e_phnum;
1155
1156 /*
1157 * If e_shnum, e_shstrndx, or e_phnum is its sentinel value, we need
1158 * to read in the section header at index zero to acces the true
1159 * values for those fields.
1160 */
1161 if ((*nshdrs == 0 && ehdr->e_shoff != 0) ||
1162 *shstrndx == SHN_XINDEX || *nphdrs == PN_XNUM) {
1163 Shdr shdr;
1164
1165 if (ehdr->e_shoff == 0)
1166 return (EINVAL);
1167
1168 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)&shdr,
1169 sizeof (shdr), (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0,
1170 (rlim64_t)0, credp, &resid)) != 0)
1171 return (error);
1172
1173 if (*nshdrs == 0)
1174 *nshdrs = shdr.sh_size;
1175 if (*shstrndx == SHN_XINDEX)
1176 *shstrndx = shdr.sh_link;
1177 if (*nphdrs == PN_XNUM && shdr.sh_info != 0)
1178 *nphdrs = shdr.sh_info;
1179 }
1180
1181 return (0);
1182 }
1183
1184 #ifdef _ELF32_COMPAT
1185 extern size_t elf_nphdr_max;
1186 #else
1187 size_t elf_nphdr_max = 1000;
1188 #endif
1189
1190 static int
1191 getelfphdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr, int nphdrs,
1192 caddr_t *phbasep, ssize_t *phsizep)
1193 {
1194 ssize_t resid, minsize;
1195 int err;
1196
1197 /*
1198 * Since we're going to be using e_phentsize to iterate down the
1199 * array of program headers, it must be 8-byte aligned or else
1200 * a we might cause a misaligned access. We use all members through
1201 * p_flags on 32-bit ELF files and p_memsz on 64-bit ELF files so
1202 * e_phentsize must be at least large enough to include those
1203 * members.
1204 */
1205 #if !defined(_LP64) || defined(_ELF32_COMPAT)
1206 minsize = offsetof(Phdr, p_flags) + sizeof (((Phdr *)NULL)->p_flags);
1207 #else
1208 minsize = offsetof(Phdr, p_memsz) + sizeof (((Phdr *)NULL)->p_memsz);
1209 #endif
1210 if (ehdr->e_phentsize < minsize || (ehdr->e_phentsize & 3))
1211 return (EINVAL);
1212
1213 *phsizep = nphdrs * ehdr->e_phentsize;
1214
1215 if (*phsizep > sizeof (Phdr) * elf_nphdr_max) {
1216 if ((*phbasep = kmem_alloc(*phsizep, KM_NOSLEEP)) == NULL)
1217 return (ENOMEM);
1218 } else {
1219 *phbasep = kmem_alloc(*phsizep, KM_SLEEP);
1220 }
1221
1222 if ((err = vn_rdwr(UIO_READ, vp, *phbasep, *phsizep,
1223 (offset_t)ehdr->e_phoff, UIO_SYSSPACE, 0, (rlim64_t)0,
1224 credp, &resid)) != 0) {
1225 kmem_free(*phbasep, *phsizep);
1226 *phbasep = NULL;
1227 return (err);
1228 }
1229
1230 return (0);
1231 }
1232
1233 #ifdef _ELF32_COMPAT
1234 extern size_t elf_nshdr_max;
1235 extern size_t elf_shstrtab_max;
1236 #else
1237 size_t elf_nshdr_max = 10000;
1238 size_t elf_shstrtab_max = 100 * 1024;
1239 #endif
1240
1241
1242 static int
1243 getelfshdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr,
1244 int nshdrs, int shstrndx, caddr_t *shbasep, ssize_t *shsizep,
1245 char **shstrbasep, ssize_t *shstrsizep)
1246 {
1247 ssize_t resid, minsize;
1248 int err;
1249 Shdr *shdr;
1250
1251 /*
1252 * Since we're going to be using e_shentsize to iterate down the
1253 * array of section headers, it must be 8-byte aligned or else
1254 * a we might cause a misaligned access. We use all members through
1255 * sh_entsize (on both 32- and 64-bit ELF files) so e_shentsize
1256 * must be at least large enough to include that member. The index
1257 * of the string table section must also be valid.
1258 */
1259 minsize = offsetof(Shdr, sh_entsize) + sizeof (shdr->sh_entsize);
1260 if (ehdr->e_shentsize < minsize || (ehdr->e_shentsize & 3) ||
1261 shstrndx >= nshdrs)
1262 return (EINVAL);
1263
1264 *shsizep = nshdrs * ehdr->e_shentsize;
1265
1266 if (*shsizep > sizeof (Shdr) * elf_nshdr_max) {
1267 if ((*shbasep = kmem_alloc(*shsizep, KM_NOSLEEP)) == NULL)
1268 return (ENOMEM);
1269 } else {
1270 *shbasep = kmem_alloc(*shsizep, KM_SLEEP);
1271 }
1272
1273 if ((err = vn_rdwr(UIO_READ, vp, *shbasep, *shsizep,
1274 (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0, (rlim64_t)0,
1275 credp, &resid)) != 0) {
1276 kmem_free(*shbasep, *shsizep);
1277 return (err);
1278 }
1279
1280 /*
1281 * Pull the section string table out of the vnode; fail if the size
1282 * is zero.
1283 */
1284 shdr = (Shdr *)(*shbasep + shstrndx * ehdr->e_shentsize);
1285 if ((*shstrsizep = shdr->sh_size) == 0) {
1286 kmem_free(*shbasep, *shsizep);
1287 return (EINVAL);
1288 }
1289
1290 if (*shstrsizep > elf_shstrtab_max) {
1291 if ((*shstrbasep = kmem_alloc(*shstrsizep,
1292 KM_NOSLEEP)) == NULL) {
1293 kmem_free(*shbasep, *shsizep);
1294 return (ENOMEM);
1295 }
1296 } else {
1297 *shstrbasep = kmem_alloc(*shstrsizep, KM_SLEEP);
1298 }
1299
1300 if ((err = vn_rdwr(UIO_READ, vp, *shstrbasep, *shstrsizep,
1301 (offset_t)shdr->sh_offset, UIO_SYSSPACE, 0, (rlim64_t)0,
1302 credp, &resid)) != 0) {
1303 kmem_free(*shbasep, *shsizep);
1304 kmem_free(*shstrbasep, *shstrsizep);
1305 return (err);
1306 }
1307
1308 /*
1309 * Make sure the strtab is null-terminated to make sure we
1310 * don't run off the end of the table.
1311 */
1312 (*shstrbasep)[*shstrsizep - 1] = '\0';
1313
1314 return (0);
1315 }
1316
1317 static int
1318 mapelfexec(
1319 vnode_t *vp,
1320 Ehdr *ehdr,
1321 int nphdrs,
1322 caddr_t phdrbase,
1323 Phdr **uphdr,
1324 Phdr **intphdr,
1325 Phdr **stphdr,
1326 Phdr **dtphdr,
1327 Phdr *dataphdrp,
1328 caddr_t *bssbase,
1329 caddr_t *brkbase,
1330 intptr_t *voffset,
1331 intptr_t *minaddr,
1332 size_t len,
1333 long *execsz,
1334 size_t *brksize)
1335 {
1336 Phdr *phdr;
1337 int i, prot, error;
1338 caddr_t addr = NULL;
1339 size_t zfodsz;
1340 int ptload = 0;
1341 int page;
1342 off_t offset;
1343 int hsize = ehdr->e_phentsize;
1344 caddr_t mintmp = (caddr_t)-1;
1345 extern int use_brk_lpg;
1346
1347 if (ehdr->e_type == ET_DYN) {
1348 secflagset_t flags = 0;
1349 /*
1350 * Obtain the virtual address of a hole in the
1351 * address space to map the "interpreter".
1352 */
1353 if (secflag_enabled(curproc, PROC_SEC_ASLR))
1354 flags |= _MAP_RANDOMIZE;
1355
1356 map_addr(&addr, len, (offset_t)0, 1, flags);
1357 if (addr == NULL)
1358 return (ENOMEM);
1359 *voffset = (intptr_t)addr;
1360
1361 /*
1362 * Calculate the minimum vaddr so it can be subtracted out.
1363 * According to the ELF specification, since PT_LOAD sections
1364 * must be sorted by increasing p_vaddr values, this is
1365 * guaranteed to be the first PT_LOAD section.
1366 */
1367 phdr = (Phdr *)phdrbase;
1368 for (i = nphdrs; i > 0; i--) {
1369 if (phdr->p_type == PT_LOAD) {
1370 *voffset -= (uintptr_t)phdr->p_vaddr;
1371 break;
1372 }
1373 phdr = (Phdr *)((caddr_t)phdr + hsize);
1374 }
1375
1376 } else {
1377 *voffset = 0;
1378 }
1379 phdr = (Phdr *)phdrbase;
1380 for (i = nphdrs; i > 0; i--) {
1381 switch (phdr->p_type) {
1382 case PT_LOAD:
1383 if ((*intphdr != NULL) && (*uphdr == NULL))
1384 return (0);
1385
1386 ptload = 1;
1387 prot = PROT_USER;
1388 if (phdr->p_flags & PF_R)
1389 prot |= PROT_READ;
1390 if (phdr->p_flags & PF_W)
1391 prot |= PROT_WRITE;
1392 if (phdr->p_flags & PF_X)
1393 prot |= PROT_EXEC;
1394
1395 addr = (caddr_t)((uintptr_t)phdr->p_vaddr + *voffset);
1396
1397 /*
1398 * Keep track of the segment with the lowest starting
1399 * address.
1400 */
1401 if (addr < mintmp)
1402 mintmp = addr;
1403
1404 zfodsz = (size_t)phdr->p_memsz - phdr->p_filesz;
1405
1406 offset = phdr->p_offset;
1407 if (((uintptr_t)offset & PAGEOFFSET) ==
1408 ((uintptr_t)addr & PAGEOFFSET) &&
1409 (!(vp->v_flag & VNOMAP))) {
1410 page = 1;
1411 } else {
1412 page = 0;
1413 }
1414
1415 /*
1416 * Set the heap pagesize for OOB when the bss size
1417 * is known and use_brk_lpg is not 0.
1418 */
1419 if (brksize != NULL && use_brk_lpg &&
1420 zfodsz != 0 && phdr == dataphdrp &&
1421 (prot & PROT_WRITE)) {
1422 size_t tlen = P2NPHASE((uintptr_t)addr +
1423 phdr->p_filesz, PAGESIZE);
1424
1425 if (zfodsz > tlen) {
1426 curproc->p_brkpageszc =
1427 page_szc(map_pgsz(MAPPGSZ_HEAP,
1428 curproc, addr + phdr->p_filesz +
1429 tlen, zfodsz - tlen, 0));
1430 }
1431 }
1432
1433 if (curproc->p_brkpageszc != 0 && phdr == dataphdrp &&
1434 (prot & PROT_WRITE)) {
1435 uint_t szc = curproc->p_brkpageszc;
1436 size_t pgsz = page_get_pagesize(szc);
1437 caddr_t ebss = addr + phdr->p_memsz;
1438 /*
1439 * If we need extra space to keep the BSS an
1440 * integral number of pages in size, some of
1441 * that space may fall beyond p_brkbase, so we
1442 * need to set p_brksize to account for it
1443 * being (logically) part of the brk.
1444 */
1445 size_t extra_zfodsz;
1446
1447 ASSERT(pgsz > PAGESIZE);
1448
1449 extra_zfodsz = P2NPHASE((uintptr_t)ebss, pgsz);
1450
1451 if (error = execmap(vp, addr, phdr->p_filesz,
1452 zfodsz + extra_zfodsz, phdr->p_offset,
1453 prot, page, szc))
1454 goto bad;
1455 if (brksize != NULL)
1456 *brksize = extra_zfodsz;
1457 } else {
1458 if (error = execmap(vp, addr, phdr->p_filesz,
1459 zfodsz, phdr->p_offset, prot, page, 0))
1460 goto bad;
1461 }
1462
1463 if (bssbase != NULL && addr >= *bssbase &&
1464 phdr == dataphdrp) {
1465 *bssbase = addr + phdr->p_filesz;
1466 }
1467 if (brkbase != NULL && addr >= *brkbase) {
1468 *brkbase = addr + phdr->p_memsz;
1469 }
1470
1471 *execsz += btopr(phdr->p_memsz);
1472 break;
1473
1474 case PT_INTERP:
1475 if (ptload)
1476 goto bad;
1477 *intphdr = phdr;
1478 break;
1479
1480 case PT_SHLIB:
1481 *stphdr = phdr;
1482 break;
1483
1484 case PT_PHDR:
1485 if (ptload)
1486 goto bad;
1487 *uphdr = phdr;
1488 break;
1489
1490 case PT_NULL:
1491 case PT_DYNAMIC:
1492 case PT_NOTE:
1493 break;
1494
1495 case PT_SUNWDTRACE:
1496 if (dtphdr != NULL)
1497 *dtphdr = phdr;
1498 break;
1499
1500 default:
1501 break;
1502 }
1503 phdr = (Phdr *)((caddr_t)phdr + hsize);
1504 }
1505
1506 if (minaddr != NULL) {
1507 ASSERT(mintmp != (caddr_t)-1);
1508 *minaddr = (intptr_t)mintmp;
1509 }
1510
1511 if (brkbase != NULL && secflag_enabled(curproc, PROC_SEC_ASLR)) {
1512 size_t off;
1513 uintptr_t base = (uintptr_t)*brkbase;
1514 uintptr_t oend = base + *brksize;
1515
1516 ASSERT(ISP2(aslr_max_brk_skew));
1517
1518 (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off));
1519 base += P2PHASE(off, aslr_max_brk_skew);
1520 base = P2ROUNDUP(base, PAGESIZE);
1521 *brkbase = (caddr_t)base;
1522 /*
1523 * Above, we set *brksize to account for the possibility we
1524 * had to grow the 'brk' in padding out the BSS to a page
1525 * boundary.
1526 *
1527 * We now need to adjust that based on where we now are
1528 * actually putting the brk.
1529 */
1530 if (oend > base)
1531 *brksize = oend - base;
1532 else
1533 *brksize = 0;
1534 }
1535
1536 return (0);
1537 bad:
1538 if (error == 0)
1539 error = EINVAL;
1540 return (error);
1541 }
1542
1543 int
1544 elfnote(vnode_t *vp, offset_t *offsetp, int type, int descsz, void *desc,
1545 rlim64_t rlimit, cred_t *credp)
1546 {
1547 Note note;
1548 int error;
1549
1550 bzero(&note, sizeof (note));
1551 bcopy("CORE", note.name, 4);
1552 note.nhdr.n_type = type;
1553 /*
1554 * The System V ABI states that n_namesz must be the length of the
1555 * string that follows the Nhdr structure including the terminating
1556 * null. The ABI also specifies that sufficient padding should be
1557 * included so that the description that follows the name string
1558 * begins on a 4- or 8-byte boundary for 32- and 64-bit binaries
1559 * respectively. However, since this change was not made correctly
1560 * at the time of the 64-bit port, both 32- and 64-bit binaries
1561 * descriptions are only guaranteed to begin on a 4-byte boundary.
1562 */
1563 note.nhdr.n_namesz = 5;
1564 note.nhdr.n_descsz = roundup(descsz, sizeof (Word));
1565
1566 if (error = core_write(vp, UIO_SYSSPACE, *offsetp, &note,
1567 sizeof (note), rlimit, credp))
1568 return (error);
1569
1570 *offsetp += sizeof (note);
1571
1572 if (error = core_write(vp, UIO_SYSSPACE, *offsetp, desc,
1573 note.nhdr.n_descsz, rlimit, credp))
1574 return (error);
1575
1576 *offsetp += note.nhdr.n_descsz;
1577 return (0);
1578 }
1579
1580 /*
1581 * Copy the section data from one vnode to the section of another vnode.
1582 */
1583 static void
1584 copy_scn(Shdr *src, vnode_t *src_vp, Shdr *dst, vnode_t *dst_vp, Off *doffset,
1585 void *buf, size_t size, cred_t *credp, rlim64_t rlimit)
1586 {
1587 ssize_t resid;
1588 size_t len, n = src->sh_size;
1589 offset_t off = 0;
1590
1591 while (n != 0) {
1592 len = MIN(size, n);
1593 if (vn_rdwr(UIO_READ, src_vp, buf, len, src->sh_offset + off,
1594 UIO_SYSSPACE, 0, (rlim64_t)0, credp, &resid) != 0 ||
1595 resid >= len ||
1596 core_write(dst_vp, UIO_SYSSPACE, *doffset + off,
1597 buf, len - resid, rlimit, credp) != 0) {
1598 dst->sh_size = 0;
1599 dst->sh_offset = 0;
1600 return;
1601 }
1602
1603 ASSERT(n >= len - resid);
1604
1605 n -= len - resid;
1606 off += len - resid;
1607 }
1608
1609 *doffset += src->sh_size;
1610 }
1611
1612 #ifdef _ELF32_COMPAT
1613 extern size_t elf_datasz_max;
1614 #else
1615 size_t elf_datasz_max = 1 * 1024 * 1024;
1616 #endif
1617
1618 /*
1619 * This function processes mappings that correspond to load objects to
1620 * examine their respective sections for elfcore(). It's called once with
1621 * v set to NULL to count the number of sections that we're going to need
1622 * and then again with v set to some allocated buffer that we fill in with
1623 * all the section data.
1624 */
1625 static int
1626 process_scns(core_content_t content, proc_t *p, cred_t *credp, vnode_t *vp,
1627 Shdr *v, int nv, rlim64_t rlimit, Off *doffsetp, int *nshdrsp)
1628 {
1629 vnode_t *lastvp = NULL;
1630 struct seg *seg;
1631 int i, j;
1632 void *data = NULL;
1633 size_t datasz = 0;
1634 shstrtab_t shstrtab;
1635 struct as *as = p->p_as;
1636 int error = 0;
1637
1638 if (v != NULL)
1639 shstrtab_init(&shstrtab);
1640
1641 i = 1;
1642 for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) {
1643 uint_t prot;
1644 vnode_t *mvp;
1645 void *tmp = NULL;
1646 caddr_t saddr = seg->s_base;
1647 caddr_t naddr;
1648 caddr_t eaddr;
1649 size_t segsize;
1650
1651 Ehdr ehdr;
1652 int nshdrs, shstrndx, nphdrs;
1653 caddr_t shbase;
1654 ssize_t shsize;
1655 char *shstrbase;
1656 ssize_t shstrsize;
1657
1658 Shdr *shdr;
1659 const char *name;
1660 size_t sz;
1661 uintptr_t off;
1662
1663 int ctf_ndx = 0;
1664 int symtab_ndx = 0;
1665
1666 /*
1667 * Since we're just looking for text segments of load
1668 * objects, we only care about the protection bits; we don't
1669 * care about the actual size of the segment so we use the
1670 * reserved size. If the segment's size is zero, there's
1671 * something fishy going on so we ignore this segment.
1672 */
1673 if (seg->s_ops != &segvn_ops ||
1674 SEGOP_GETVP(seg, seg->s_base, &mvp) != 0 ||
1675 mvp == lastvp || mvp == NULL || mvp->v_type != VREG ||
1676 (segsize = pr_getsegsize(seg, 1)) == 0)
1677 continue;
1678
1679 eaddr = saddr + segsize;
1680 prot = pr_getprot(seg, 1, &tmp, &saddr, &naddr, eaddr);
1681 pr_getprot_done(&tmp);
1682
1683 /*
1684 * Skip this segment unless the protection bits look like
1685 * what we'd expect for a text segment.
1686 */
1687 if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
1688 continue;
1689
1690 if (getelfhead(mvp, credp, &ehdr, &nshdrs, &shstrndx,
1691 &nphdrs) != 0 ||
1692 getelfshdr(mvp, credp, &ehdr, nshdrs, shstrndx,
1693 &shbase, &shsize, &shstrbase, &shstrsize) != 0)
1694 continue;
1695
1696 off = ehdr.e_shentsize;
1697 for (j = 1; j < nshdrs; j++, off += ehdr.e_shentsize) {
1698 Shdr *symtab = NULL, *strtab;
1699
1700 shdr = (Shdr *)(shbase + off);
1701
1702 if (shdr->sh_name >= shstrsize)
1703 continue;
1704
1705 name = shstrbase + shdr->sh_name;
1706
1707 if (strcmp(name, shstrtab_data[STR_CTF]) == 0) {
1708 if ((content & CC_CONTENT_CTF) == 0 ||
1709 ctf_ndx != 0)
1710 continue;
1711
1712 if (shdr->sh_link > 0 &&
1713 shdr->sh_link < nshdrs) {
1714 symtab = (Shdr *)(shbase +
1715 shdr->sh_link * ehdr.e_shentsize);
1716 }
1717
1718 if (v != NULL && i < nv - 1) {
1719 if (shdr->sh_size > datasz &&
1720 shdr->sh_size <= elf_datasz_max) {
1721 if (data != NULL)
1722 kmem_free(data, datasz);
1723
1724 datasz = shdr->sh_size;
1725 data = kmem_alloc(datasz,
1726 KM_SLEEP);
1727 }
1728
1729 v[i].sh_name = shstrtab_ndx(&shstrtab,
1730 STR_CTF);
1731 v[i].sh_addr = (Addr)(uintptr_t)saddr;
1732 v[i].sh_type = SHT_PROGBITS;
1733 v[i].sh_addralign = 4;
1734 *doffsetp = roundup(*doffsetp,
1735 v[i].sh_addralign);
1736 v[i].sh_offset = *doffsetp;
1737 v[i].sh_size = shdr->sh_size;
1738 if (symtab == NULL) {
1739 v[i].sh_link = 0;
1740 } else if (symtab->sh_type ==
1741 SHT_SYMTAB &&
1742 symtab_ndx != 0) {
1743 v[i].sh_link =
1744 symtab_ndx;
1745 } else {
1746 v[i].sh_link = i + 1;
1747 }
1748
1749 copy_scn(shdr, mvp, &v[i], vp,
1750 doffsetp, data, datasz, credp,
1751 rlimit);
1752 }
1753
1754 ctf_ndx = i++;
1755
1756 /*
1757 * We've already dumped the symtab.
1758 */
1759 if (symtab != NULL &&
1760 symtab->sh_type == SHT_SYMTAB &&
1761 symtab_ndx != 0)
1762 continue;
1763
1764 } else if (strcmp(name,
1765 shstrtab_data[STR_SYMTAB]) == 0) {
1766 if ((content & CC_CONTENT_SYMTAB) == 0 ||
1767 symtab != 0)
1768 continue;
1769
1770 symtab = shdr;
1771 }
1772
1773 if (symtab != NULL) {
1774 if ((symtab->sh_type != SHT_DYNSYM &&
1775 symtab->sh_type != SHT_SYMTAB) ||
1776 symtab->sh_link == 0 ||
1777 symtab->sh_link >= nshdrs)
1778 continue;
1779
1780 strtab = (Shdr *)(shbase +
1781 symtab->sh_link * ehdr.e_shentsize);
1782
1783 if (strtab->sh_type != SHT_STRTAB)
1784 continue;
1785
1786 if (v != NULL && i < nv - 2) {
1787 sz = MAX(symtab->sh_size,
1788 strtab->sh_size);
1789 if (sz > datasz &&
1790 sz <= elf_datasz_max) {
1791 if (data != NULL)
1792 kmem_free(data, datasz);
1793
1794 datasz = sz;
1795 data = kmem_alloc(datasz,
1796 KM_SLEEP);
1797 }
1798
1799 if (symtab->sh_type == SHT_DYNSYM) {
1800 v[i].sh_name = shstrtab_ndx(
1801 &shstrtab, STR_DYNSYM);
1802 v[i + 1].sh_name = shstrtab_ndx(
1803 &shstrtab, STR_DYNSTR);
1804 } else {
1805 v[i].sh_name = shstrtab_ndx(
1806 &shstrtab, STR_SYMTAB);
1807 v[i + 1].sh_name = shstrtab_ndx(
1808 &shstrtab, STR_STRTAB);
1809 }
1810
1811 v[i].sh_type = symtab->sh_type;
1812 v[i].sh_addr = symtab->sh_addr;
1813 if (ehdr.e_type == ET_DYN ||
1814 v[i].sh_addr == 0)
1815 v[i].sh_addr +=
1816 (Addr)(uintptr_t)saddr;
1817 v[i].sh_addralign =
1818 symtab->sh_addralign;
1819 *doffsetp = roundup(*doffsetp,
1820 v[i].sh_addralign);
1821 v[i].sh_offset = *doffsetp;
1822 v[i].sh_size = symtab->sh_size;
1823 v[i].sh_link = i + 1;
1824 v[i].sh_entsize = symtab->sh_entsize;
1825 v[i].sh_info = symtab->sh_info;
1826
1827 copy_scn(symtab, mvp, &v[i], vp,
1828 doffsetp, data, datasz, credp,
1829 rlimit);
1830
1831 v[i + 1].sh_type = SHT_STRTAB;
1832 v[i + 1].sh_flags = SHF_STRINGS;
1833 v[i + 1].sh_addr = symtab->sh_addr;
1834 if (ehdr.e_type == ET_DYN ||
1835 v[i + 1].sh_addr == 0)
1836 v[i + 1].sh_addr +=
1837 (Addr)(uintptr_t)saddr;
1838 v[i + 1].sh_addralign =
1839 strtab->sh_addralign;
1840 *doffsetp = roundup(*doffsetp,
1841 v[i + 1].sh_addralign);
1842 v[i + 1].sh_offset = *doffsetp;
1843 v[i + 1].sh_size = strtab->sh_size;
1844
1845 copy_scn(strtab, mvp, &v[i + 1], vp,
1846 doffsetp, data, datasz, credp,
1847 rlimit);
1848 }
1849
1850 if (symtab->sh_type == SHT_SYMTAB)
1851 symtab_ndx = i;
1852 i += 2;
1853 }
1854 }
1855
1856 kmem_free(shstrbase, shstrsize);
1857 kmem_free(shbase, shsize);
1858
1859 lastvp = mvp;
1860 }
1861
1862 if (v == NULL) {
1863 if (i == 1)
1864 *nshdrsp = 0;
1865 else
1866 *nshdrsp = i + 1;
1867 goto done;
1868 }
1869
1870 if (i != nv - 1) {
1871 cmn_err(CE_WARN, "elfcore: core dump failed for "
1872 "process %d; address space is changing", p->p_pid);
1873 error = EIO;
1874 goto done;
1875 }
1876
1877 v[i].sh_name = shstrtab_ndx(&shstrtab, STR_SHSTRTAB);
1878 v[i].sh_size = shstrtab_size(&shstrtab);
1879 v[i].sh_addralign = 1;
1880 *doffsetp = roundup(*doffsetp, v[i].sh_addralign);
1881 v[i].sh_offset = *doffsetp;
1882 v[i].sh_flags = SHF_STRINGS;
1883 v[i].sh_type = SHT_STRTAB;
1884
1885 if (v[i].sh_size > datasz) {
1886 if (data != NULL)
1887 kmem_free(data, datasz);
1888
1889 datasz = v[i].sh_size;
1890 data = kmem_alloc(datasz,
1891 KM_SLEEP);
1892 }
1893
1894 shstrtab_dump(&shstrtab, data);
1895
1896 if ((error = core_write(vp, UIO_SYSSPACE, *doffsetp,
1897 data, v[i].sh_size, rlimit, credp)) != 0)
1898 goto done;
1899
1900 *doffsetp += v[i].sh_size;
1901
1902 done:
1903 if (data != NULL)
1904 kmem_free(data, datasz);
1905
1906 return (error);
1907 }
1908
1909 int
1910 elfcore(vnode_t *vp, proc_t *p, cred_t *credp, rlim64_t rlimit, int sig,
1911 core_content_t content)
1912 {
1913 offset_t poffset, soffset;
1914 Off doffset;
1915 int error, i, nphdrs, nshdrs;
1916 int overflow = 0;
1917 struct seg *seg;
1918 struct as *as = p->p_as;
1919 union {
1920 Ehdr ehdr;
1921 Phdr phdr[1];
1922 Shdr shdr[1];
1923 } *bigwad;
1924 size_t bigsize;
1925 size_t phdrsz, shdrsz;
1926 Ehdr *ehdr;
1927 Phdr *v;
1928 caddr_t brkbase;
1929 size_t brksize;
1930 caddr_t stkbase;
1931 size_t stksize;
1932 int ntries = 0;
1933 klwp_t *lwp = ttolwp(curthread);
1934
1935 top:
1936 /*
1937 * Make sure we have everything we need (registers, etc.).
1938 * All other lwps have already stopped and are in an orderly state.
1939 */
1940 ASSERT(p == ttoproc(curthread));
1941 prstop(0, 0);
1942
1943 AS_LOCK_ENTER(as, RW_WRITER);
1944 nphdrs = prnsegs(as, 0) + 2; /* two CORE note sections */
1945
1946 /*
1947 * Count the number of section headers we're going to need.
1948 */
1949 nshdrs = 0;
1950 if (content & (CC_CONTENT_CTF | CC_CONTENT_SYMTAB)) {
1951 (void) process_scns(content, p, credp, NULL, NULL, NULL, 0,
1952 NULL, &nshdrs);
1953 }
1954 AS_LOCK_EXIT(as);
1955
1956 ASSERT(nshdrs == 0 || nshdrs > 1);
1957
1958 /*
1959 * The core file contents may required zero section headers, but if
1960 * we overflow the 16 bits allotted to the program header count in
1961 * the ELF header, we'll need that program header at index zero.
1962 */
1963 if (nshdrs == 0 && nphdrs >= PN_XNUM)
1964 nshdrs = 1;
1965
1966 phdrsz = nphdrs * sizeof (Phdr);
1967 shdrsz = nshdrs * sizeof (Shdr);
1968
1969 bigsize = MAX(sizeof (*bigwad), MAX(phdrsz, shdrsz));
1970 bigwad = kmem_alloc(bigsize, KM_SLEEP);
1971
1972 ehdr = &bigwad->ehdr;
1973 bzero(ehdr, sizeof (*ehdr));
1974
1975 ehdr->e_ident[EI_MAG0] = ELFMAG0;
1976 ehdr->e_ident[EI_MAG1] = ELFMAG1;
1977 ehdr->e_ident[EI_MAG2] = ELFMAG2;
1978 ehdr->e_ident[EI_MAG3] = ELFMAG3;
1979 ehdr->e_ident[EI_CLASS] = ELFCLASS;
1980 ehdr->e_type = ET_CORE;
1981
1982 #if !defined(_LP64) || defined(_ELF32_COMPAT)
1983
1984 #if defined(__sparc)
1985 ehdr->e_ident[EI_DATA] = ELFDATA2MSB;
1986 ehdr->e_machine = EM_SPARC;
1987 #elif defined(__i386) || defined(__i386_COMPAT)
1988 ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
1989 ehdr->e_machine = EM_386;
1990 #else
1991 #error "no recognized machine type is defined"
1992 #endif
1993
1994 #else /* !defined(_LP64) || defined(_ELF32_COMPAT) */
1995
1996 #if defined(__sparc)
1997 ehdr->e_ident[EI_DATA] = ELFDATA2MSB;
1998 ehdr->e_machine = EM_SPARCV9;
1999 #elif defined(__amd64)
2000 ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
2001 ehdr->e_machine = EM_AMD64;
2002 #else
2003 #error "no recognized 64-bit machine type is defined"
2004 #endif
2005
2006 #endif /* !defined(_LP64) || defined(_ELF32_COMPAT) */
2007
2008 /*
2009 * If the count of program headers or section headers or the index
2010 * of the section string table can't fit in the mere 16 bits
2011 * shortsightedly allotted to them in the ELF header, we use the
2012 * extended formats and put the real values in the section header
2013 * as index 0.
2014 */
2015 ehdr->e_version = EV_CURRENT;
2016 ehdr->e_ehsize = sizeof (Ehdr);
2017
2018 if (nphdrs >= PN_XNUM)
2019 ehdr->e_phnum = PN_XNUM;
2020 else
2021 ehdr->e_phnum = (unsigned short)nphdrs;
2022
2023 ehdr->e_phoff = sizeof (Ehdr);
2024 ehdr->e_phentsize = sizeof (Phdr);
2025
2026 if (nshdrs > 0) {
2027 if (nshdrs >= SHN_LORESERVE)
2028 ehdr->e_shnum = 0;
2029 else
2030 ehdr->e_shnum = (unsigned short)nshdrs;
2031
2032 if (nshdrs - 1 >= SHN_LORESERVE)
2033 ehdr->e_shstrndx = SHN_XINDEX;
2034 else
2035 ehdr->e_shstrndx = (unsigned short)(nshdrs - 1);
2036
2037 ehdr->e_shoff = ehdr->e_phoff + ehdr->e_phentsize * nphdrs;
2038 ehdr->e_shentsize = sizeof (Shdr);
2039 }
2040
2041 if (error = core_write(vp, UIO_SYSSPACE, (offset_t)0, ehdr,
2042 sizeof (Ehdr), rlimit, credp))
2043 goto done;
2044
2045 poffset = sizeof (Ehdr);
2046 soffset = sizeof (Ehdr) + phdrsz;
2047 doffset = sizeof (Ehdr) + phdrsz + shdrsz;
2048
2049 v = &bigwad->phdr[0];
2050 bzero(v, phdrsz);
2051
2052 setup_old_note_header(&v[0], p);
2053 v[0].p_offset = doffset = roundup(doffset, sizeof (Word));
2054 doffset += v[0].p_filesz;
2055
2056 setup_note_header(&v[1], p);
2057 v[1].p_offset = doffset = roundup(doffset, sizeof (Word));
2058 doffset += v[1].p_filesz;
2059
2060 mutex_enter(&p->p_lock);
2061
2062 brkbase = p->p_brkbase;
2063 brksize = p->p_brksize;
2064
2065 stkbase = p->p_usrstack - p->p_stksize;
2066 stksize = p->p_stksize;
2067
2068 mutex_exit(&p->p_lock);
2069
2070 AS_LOCK_ENTER(as, RW_WRITER);
2071 i = 2;
2072 for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) {
2073 caddr_t eaddr = seg->s_base + pr_getsegsize(seg, 0);
2074 caddr_t saddr, naddr;
2075 void *tmp = NULL;
2076 extern struct seg_ops segspt_shmops;
2077
2078 for (saddr = seg->s_base; saddr < eaddr; saddr = naddr) {
2079 uint_t prot;
2080 size_t size;
2081 int type;
2082 vnode_t *mvp;
2083
2084 prot = pr_getprot(seg, 0, &tmp, &saddr, &naddr, eaddr);
2085 prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
2086 if ((size = (size_t)(naddr - saddr)) == 0)
2087 continue;
2088 if (i == nphdrs) {
2089 overflow++;
2090 continue;
2091 }
2092 v[i].p_type = PT_LOAD;
2093 v[i].p_vaddr = (Addr)(uintptr_t)saddr;
2094 v[i].p_memsz = size;
2095 if (prot & PROT_READ)
2096 v[i].p_flags |= PF_R;
2097 if (prot & PROT_WRITE)
2098 v[i].p_flags |= PF_W;
2099 if (prot & PROT_EXEC)
2100 v[i].p_flags |= PF_X;
2101
2102 /*
2103 * Figure out which mappings to include in the core.
2104 */
2105 type = SEGOP_GETTYPE(seg, saddr);
2106
2107 if (saddr == stkbase && size == stksize) {
2108 if (!(content & CC_CONTENT_STACK))
2109 goto exclude;
2110
2111 } else if (saddr == brkbase && size == brksize) {
2112 if (!(content & CC_CONTENT_HEAP))
2113 goto exclude;
2114
2115 } else if (seg->s_ops == &segspt_shmops) {
2116 if (type & MAP_NORESERVE) {
2117 if (!(content & CC_CONTENT_DISM))
2118 goto exclude;
2119 } else {
2120 if (!(content & CC_CONTENT_ISM))
2121 goto exclude;
2122 }
2123
2124 } else if (seg->s_ops != &segvn_ops) {
2125 goto exclude;
2126
2127 } else if (type & MAP_SHARED) {
2128 if (shmgetid(p, saddr) != SHMID_NONE) {
2129 if (!(content & CC_CONTENT_SHM))
2130 goto exclude;
2131
2132 } else if (SEGOP_GETVP(seg, seg->s_base,
2133 &mvp) != 0 || mvp == NULL ||
2134 mvp->v_type != VREG) {
2135 if (!(content & CC_CONTENT_SHANON))
2136 goto exclude;
2137
2138 } else {
2139 if (!(content & CC_CONTENT_SHFILE))
2140 goto exclude;
2141 }
2142
2143 } else if (SEGOP_GETVP(seg, seg->s_base, &mvp) != 0 ||
2144 mvp == NULL || mvp->v_type != VREG) {
2145 if (!(content & CC_CONTENT_ANON))
2146 goto exclude;
2147
2148 } else if (prot == (PROT_READ | PROT_EXEC)) {
2149 if (!(content & CC_CONTENT_TEXT))
2150 goto exclude;
2151
2152 } else if (prot == PROT_READ) {
2153 if (!(content & CC_CONTENT_RODATA))
2154 goto exclude;
2155
2156 } else {
2157 if (!(content & CC_CONTENT_DATA))
2158 goto exclude;
2159 }
2160
2161 doffset = roundup(doffset, sizeof (Word));
2162 v[i].p_offset = doffset;
2163 v[i].p_filesz = size;
2164 doffset += size;
2165 exclude:
2166 i++;
2167 }
2168 ASSERT(tmp == NULL);
2169 }
2170 AS_LOCK_EXIT(as);
2171
2172 if (overflow || i != nphdrs) {
2173 if (ntries++ == 0) {
2174 kmem_free(bigwad, bigsize);
2175 overflow = 0;
2176 goto top;
2177 }
2178 cmn_err(CE_WARN, "elfcore: core dump failed for "
2179 "process %d; address space is changing", p->p_pid);
2180 error = EIO;
2181 goto done;
2182 }
2183
2184 if ((error = core_write(vp, UIO_SYSSPACE, poffset,
2185 v, phdrsz, rlimit, credp)) != 0)
2186 goto done;
2187
2188 if ((error = write_old_elfnotes(p, sig, vp, v[0].p_offset, rlimit,
2189 credp)) != 0)
2190 goto done;
2191
2192 if ((error = write_elfnotes(p, sig, vp, v[1].p_offset, rlimit,
2193 credp, content)) != 0)
2194 goto done;
2195
2196 for (i = 2; i < nphdrs; i++) {
2197 prkillinfo_t killinfo;
2198 sigqueue_t *sq;
2199 int sig, j;
2200
2201 if (v[i].p_filesz == 0)
2202 continue;
2203
2204 /*
2205 * If dumping out this segment fails, rather than failing
2206 * the core dump entirely, we reset the size of the mapping
2207 * to zero to indicate that the data is absent from the core
2208 * file and or in the PF_SUNW_FAILURE flag to differentiate
2209 * this from mappings that were excluded due to the core file
2210 * content settings.
2211 */
2212 if ((error = core_seg(p, vp, v[i].p_offset,
2213 (caddr_t)(uintptr_t)v[i].p_vaddr, v[i].p_filesz,
2214 rlimit, credp)) == 0) {
2215 continue;
2216 }
2217
2218 if ((sig = lwp->lwp_cursig) == 0) {
2219 /*
2220 * We failed due to something other than a signal.
2221 * Since the space reserved for the segment is now
2222 * unused, we stash the errno in the first four
2223 * bytes. This undocumented interface will let us
2224 * understand the nature of the failure.
2225 */
2226 (void) core_write(vp, UIO_SYSSPACE, v[i].p_offset,
2227 &error, sizeof (error), rlimit, credp);
2228
2229 v[i].p_filesz = 0;
2230 v[i].p_flags |= PF_SUNW_FAILURE;
2231 if ((error = core_write(vp, UIO_SYSSPACE,
2232 poffset + sizeof (v[i]) * i, &v[i], sizeof (v[i]),
2233 rlimit, credp)) != 0)
2234 goto done;
2235
2236 continue;
2237 }
2238
2239 /*
2240 * We took a signal. We want to abort the dump entirely, but
2241 * we also want to indicate what failed and why. We therefore
2242 * use the space reserved for the first failing segment to
2243 * write our error (which, for purposes of compatability with
2244 * older core dump readers, we set to EINTR) followed by any
2245 * siginfo associated with the signal.
2246 */
2247 bzero(&killinfo, sizeof (killinfo));
2248 killinfo.prk_error = EINTR;
2249
2250 sq = sig == SIGKILL ? curproc->p_killsqp : lwp->lwp_curinfo;
2251
2252 if (sq != NULL) {
2253 bcopy(&sq->sq_info, &killinfo.prk_info,
2254 sizeof (sq->sq_info));
2255 } else {
2256 killinfo.prk_info.si_signo = lwp->lwp_cursig;
2257 killinfo.prk_info.si_code = SI_NOINFO;
2258 }
2259
2260 #if (defined(_SYSCALL32_IMPL) || defined(_LP64))
2261 /*
2262 * If this is a 32-bit process, we need to translate from the
2263 * native siginfo to the 32-bit variant. (Core readers must
2264 * always have the same data model as their target or must
2265 * be aware of -- and compensate for -- data model differences.)
2266 */
2267 if (curproc->p_model == DATAMODEL_ILP32) {
2268 siginfo32_t si32;
2269
2270 siginfo_kto32((k_siginfo_t *)&killinfo.prk_info, &si32);
2271 bcopy(&si32, &killinfo.prk_info, sizeof (si32));
2272 }
2273 #endif
2274
2275 (void) core_write(vp, UIO_SYSSPACE, v[i].p_offset,
2276 &killinfo, sizeof (killinfo), rlimit, credp);
2277
2278 /*
2279 * For the segment on which we took the signal, indicate that
2280 * its data now refers to a siginfo.
2281 */
2282 v[i].p_filesz = 0;
2283 v[i].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED |
2284 PF_SUNW_SIGINFO;
2285
2286 /*
2287 * And for every other segment, indicate that its absence
2288 * is due to a signal.
2289 */
2290 for (j = i + 1; j < nphdrs; j++) {
2291 v[j].p_filesz = 0;
2292 v[j].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED;
2293 }
2294
2295 /*
2296 * Finally, write out our modified program headers.
2297 */
2298 if ((error = core_write(vp, UIO_SYSSPACE,
2299 poffset + sizeof (v[i]) * i, &v[i],
2300 sizeof (v[i]) * (nphdrs - i), rlimit, credp)) != 0)
2301 goto done;
2302
2303 break;
2304 }
2305
2306 if (nshdrs > 0) {
2307 bzero(&bigwad->shdr[0], shdrsz);
2308
2309 if (nshdrs >= SHN_LORESERVE)
2310 bigwad->shdr[0].sh_size = nshdrs;
2311
2312 if (nshdrs - 1 >= SHN_LORESERVE)
2313 bigwad->shdr[0].sh_link = nshdrs - 1;
2314
2315 if (nphdrs >= PN_XNUM)
2316 bigwad->shdr[0].sh_info = nphdrs;
2317
2318 if (nshdrs > 1) {
2319 AS_LOCK_ENTER(as, RW_WRITER);
2320 if ((error = process_scns(content, p, credp, vp,
2321 &bigwad->shdr[0], nshdrs, rlimit, &doffset,
2322 NULL)) != 0) {
2323 AS_LOCK_EXIT(as);
2324 goto done;
2325 }
2326 AS_LOCK_EXIT(as);
2327 }
2328
2329 if ((error = core_write(vp, UIO_SYSSPACE, soffset,
2330 &bigwad->shdr[0], shdrsz, rlimit, credp)) != 0)
2331 goto done;
2332 }
2333
2334 done:
2335 kmem_free(bigwad, bigsize);
2336 return (error);
2337 }
2338
2339 #ifndef _ELF32_COMPAT
2340
2341 static struct execsw esw = {
2342 #ifdef _LP64
2343 elf64magicstr,
2344 #else /* _LP64 */
2345 elf32magicstr,
2346 #endif /* _LP64 */
2347 0,
2348 5,
2349 elfexec,
2350 elfcore
2351 };
2352
2353 static struct modlexec modlexec = {
2354 &mod_execops, "exec module for elf", &esw
2355 };
2356
2357 #ifdef _LP64
2358 extern int elf32exec(vnode_t *vp, execa_t *uap, uarg_t *args,
2359 intpdata_t *idatap, int level, long *execsz,
2360 int setid, caddr_t exec_file, cred_t *cred,
2361 int brand_action);
2362 extern int elf32core(vnode_t *vp, proc_t *p, cred_t *credp,
2363 rlim64_t rlimit, int sig, core_content_t content);
2364
2365 static struct execsw esw32 = {
2366 elf32magicstr,
2367 0,
2368 5,
2369 elf32exec,
2370 elf32core
2371 };
2372
2373 static struct modlexec modlexec32 = {
2374 &mod_execops, "32-bit exec module for elf", &esw32
2375 };
2376 #endif /* _LP64 */
2377
2378 static struct modlinkage modlinkage = {
2379 MODREV_1,
2380 (void *)&modlexec,
2381 #ifdef _LP64
2382 (void *)&modlexec32,
2383 #endif /* _LP64 */
2384 NULL
2385 };
2386
2387 int
2388 _init(void)
2389 {
2390 return (mod_install(&modlinkage));
2391 }
2392
2393 int
2394 _fini(void)
2395 {
2396 return (mod_remove(&modlinkage));
2397 }
2398
2399 int
2400 _info(struct modinfo *modinfop)
2401 {
2402 return (mod_info(&modlinkage, modinfop));
2403 }
2404
2405 #endif /* !_ELF32_COMPAT */
Unleashed OS