root/fs/exec.c

/* [previous][next][first][last][top][bottom][index][help] [+1 fs/exec.c] */

DEFINITIONS

This source file includes following definitions.
  1. __register_binfmt
  2. unregister_binfmt
  3. put_binfmt
  4. path_noexec
  5. SYSCALL_DEFINE1
  6. acct_arg_size
  7. get_arg_page
  8. put_arg_page
  9. free_arg_page
  10. free_arg_pages
  11. flush_arg_page
  12. __bprm_mm_init
  13. valid_arg_len
  14. acct_arg_size
  15. get_arg_page
  16. put_arg_page
  17. free_arg_page
  18. free_arg_pages
  19. flush_arg_page
  20. __bprm_mm_init
  21. valid_arg_len
  22. bprm_mm_init
  23. get_user_arg_ptr
  24. count
  25. copy_strings
  26. copy_strings_kernel
  27. shift_arg_pages
  28. setup_arg_pages
  29. do_open_execat
  30. open_exec
  31. kernel_read
  32. read_code
  33. exec_mmap
  34. de_thread
  35. get_task_comm
  36. __set_task_comm
  37. flush_old_exec
  38. would_dump
  39. setup_new_exec
  40. prepare_bprm_creds
  41. free_bprm
  42. bprm_change_interp
  43. install_exec_creds
  44. check_unsafe_exec
  45. bprm_fill_uid
  46. prepare_binprm
  47. remove_arg_zero
  48. search_binary_handler
  49. exec_binprm
  50. do_execveat_common
  51. do_execve
  52. do_execveat
  53. compat_do_execve
  54. compat_do_execveat
  55. set_binfmt
  56. set_dumpable
  57. SYSCALL_DEFINE3
  58. SYSCALL_DEFINE5
  59. COMPAT_SYSCALL_DEFINE3
  60. COMPAT_SYSCALL_DEFINE5

   1 /*
   2  *  linux/fs/exec.c
   3  *
   4  *  Copyright (C) 1991, 1992  Linus Torvalds
   5  */
   6 
   7 /*
   8  * #!-checking implemented by tytso.
   9  */
  10 /*
  11  * Demand-loading implemented 01.12.91 - no need to read anything but
  12  * the header into memory. The inode of the executable is put into
  13  * "current->executable", and page faults do the actual loading. Clean.
  14  *
  15  * Once more I can proudly say that linux stood up to being changed: it
  16  * was less than 2 hours work to get demand-loading completely implemented.
  17  *
  18  * Demand loading changed July 1993 by Eric Youngdale.   Use mmap instead,
  19  * current->executable is only used by the procfs.  This allows a dispatch
  20  * table to check for several different types  of binary formats.  We keep
  21  * trying until we recognize the file or we run out of supported binary
  22  * formats. 
  23  */
  24 
  25 #include <linux/slab.h>
  26 #include <linux/file.h>
  27 #include <linux/fdtable.h>
  28 #include <linux/mm.h>
  29 #include <linux/vmacache.h>
  30 #include <linux/stat.h>
  31 #include <linux/fcntl.h>
  32 #include <linux/swap.h>
  33 #include <linux/string.h>
  34 #include <linux/init.h>
  35 #include <linux/pagemap.h>
  36 #include <linux/perf_event.h>
  37 #include <linux/highmem.h>
  38 #include <linux/spinlock.h>
  39 #include <linux/key.h>
  40 #include <linux/personality.h>
  41 #include <linux/binfmts.h>
  42 #include <linux/utsname.h>
  43 #include <linux/pid_namespace.h>
  44 #include <linux/module.h>
  45 #include <linux/namei.h>
  46 #include <linux/mount.h>
  47 #include <linux/security.h>
  48 #include <linux/syscalls.h>
  49 #include <linux/tsacct_kern.h>
  50 #include <linux/cn_proc.h>
  51 #include <linux/audit.h>
  52 #include <linux/tracehook.h>
  53 #include <linux/kmod.h>
  54 #include <linux/fsnotify.h>
  55 #include <linux/fs_struct.h>
  56 #include <linux/pipe_fs_i.h>
  57 #include <linux/oom.h>
  58 #include <linux/compat.h>
  59 
  60 #include <asm/uaccess.h>
  61 #include <asm/mmu_context.h>
  62 #include <asm/tlb.h>
  63 
  64 #include <trace/events/task.h>
  65 #include "internal.h"
  66 
  67 #include <trace/events/sched.h>
  68 
  69 int suid_dumpable = 0;
  70 
  71 static LIST_HEAD(formats);
  72 static DEFINE_RWLOCK(binfmt_lock);
  73 
  74 void __register_binfmt(struct linux_binfmt * fmt, int insert)
     /* [previous][next][first][last][top][bottom][index][help] [+74 fs/exec.c] */
  75 {
  76         BUG_ON(!fmt);
  77         if (WARN_ON(!fmt->load_binary))
  78                 return;
  79         write_lock(&binfmt_lock);
  80         insert ? list_add(&fmt->lh, &formats) :
  81                  list_add_tail(&fmt->lh, &formats);
  82         write_unlock(&binfmt_lock);
  83 }
  84 
  85 EXPORT_SYMBOL(__register_binfmt);
  86 
  87 void unregister_binfmt(struct linux_binfmt * fmt)
     /* [previous][next][first][last][top][bottom][index][help] [+87 fs/exec.c] */
  88 {
  89         write_lock(&binfmt_lock);
  90         list_del(&fmt->lh);
  91         write_unlock(&binfmt_lock);
  92 }
  93 
  94 EXPORT_SYMBOL(unregister_binfmt);
  95 
  96 static inline void put_binfmt(struct linux_binfmt * fmt)
     /* [previous][next][first][last][top][bottom][index][help] [+96 fs/exec.c] */
  97 {
  98         module_put(fmt->module);
  99 }
 100 
 101 bool path_noexec(const struct path *path)
     /* [previous][next][first][last][top][bottom][index][help] [+101 fs/exec.c] */
 102 {
 103         return (path->mnt->mnt_flags & MNT_NOEXEC) ||
 104                (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC);
 105 }
 106 
 107 #ifdef CONFIG_USELIB
 108 /*
 109  * Note that a shared library must be both readable and executable due to
 110  * security reasons.
 111  *
 112  * Also note that we take the address to load from from the file itself.
 113  */
 114 SYSCALL_DEFINE1(uselib, const char __user *, library)
     /* [previous][next][first][last][top][bottom][index][help] [+114 fs/exec.c] */
 115 {
 116         struct linux_binfmt *fmt;
 117         struct file *file;
 118         struct filename *tmp = getname(library);
 119         int error = PTR_ERR(tmp);
 120         static const struct open_flags uselib_flags = {
 121                 .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
 122                 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
 123                 .intent = LOOKUP_OPEN,
 124                 .lookup_flags = LOOKUP_FOLLOW,
 125         };
 126 
 127         if (IS_ERR(tmp))
 128                 goto out;
 129 
 130         file = do_filp_open(AT_FDCWD, tmp, &uselib_flags);
 131         putname(tmp);
 132         error = PTR_ERR(file);
 133         if (IS_ERR(file))
 134                 goto out;
 135 
 136         error = -EINVAL;
 137         if (!S_ISREG(file_inode(file)->i_mode))
 138                 goto exit;
 139 
 140         error = -EACCES;
 141         if (path_noexec(&file->f_path))
 142                 goto exit;
 143 
 144         fsnotify_open(file);
 145 
 146         error = -ENOEXEC;
 147 
 148         read_lock(&binfmt_lock);
 149         list_for_each_entry(fmt, &formats, lh) {
 150                 if (!fmt->load_shlib)
 151                         continue;
 152                 if (!try_module_get(fmt->module))
 153                         continue;
 154                 read_unlock(&binfmt_lock);
 155                 error = fmt->load_shlib(file);
 156                 read_lock(&binfmt_lock);
 157                 put_binfmt(fmt);
 158                 if (error != -ENOEXEC)
 159                         break;
 160         }
 161         read_unlock(&binfmt_lock);
 162 exit:
 163         fput(file);
 164 out:
 165         return error;
 166 }
 167 #endif /* #ifdef CONFIG_USELIB */
 168 
 169 #ifdef CONFIG_MMU
 170 /*
 171  * The nascent bprm->mm is not visible until exec_mmap() but it can
 172  * use a lot of memory, account these pages in current->mm temporary
 173  * for oom_badness()->get_mm_rss(). Once exec succeeds or fails, we
 174  * change the counter back via acct_arg_size(0).
 175  */
 176 static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
     /* [previous][next][first][last][top][bottom][index][help] [+176 fs/exec.c] */
 177 {
 178         struct mm_struct *mm = current->mm;
 179         long diff = (long)(pages - bprm->vma_pages);
 180 
 181         if (!mm || !diff)
 182                 return;
 183 
 184         bprm->vma_pages = pages;
 185         add_mm_counter(mm, MM_ANONPAGES, diff);
 186 }
 187 
 188 static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
     /* [previous][next][first][last][top][bottom][index][help] [+188 fs/exec.c] */
 189                 int write)
 190 {
 191         struct page *page;
 192         int ret;
 193 
 194 #ifdef CONFIG_STACK_GROWSUP
 195         if (write) {
 196                 ret = expand_downwards(bprm->vma, pos);
 197                 if (ret < 0)
 198                         return NULL;
 199         }
 200 #endif
 201         ret = get_user_pages(current, bprm->mm, pos,
 202                         1, write, 1, &page, NULL);
 203         if (ret <= 0)
 204                 return NULL;
 205 
 206         if (write) {
 207                 unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
 208                 struct rlimit *rlim;
 209 
 210                 acct_arg_size(bprm, size / PAGE_SIZE);
 211 
 212                 /*
 213                  * We've historically supported up to 32 pages (ARG_MAX)
 214                  * of argument strings even with small stacks
 215                  */
 216                 if (size <= ARG_MAX)
 217                         return page;
 218 
 219                 /*
 220                  * Limit to 1/4-th the stack size for the argv+env strings.
 221                  * This ensures that:
 222                  *  - the remaining binfmt code will not run out of stack space,
 223                  *  - the program will have a reasonable amount of stack left
 224                  *    to work from.
 225                  */
 226                 rlim = current->signal->rlim;
 227                 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
 228                         put_page(page);
 229                         return NULL;
 230                 }
 231         }
 232 
 233         return page;
 234 }
 235 
 236 static void put_arg_page(struct page *page)
     /* [previous][next][first][last][top][bottom][index][help] [+236 fs/exec.c] */
 237 {
 238         put_page(page);
 239 }
 240 
 241 static void free_arg_page(struct linux_binprm *bprm, int i)
     /* [previous][next][first][last][top][bottom][index][help] [+241 fs/exec.c] */
 242 {
 243 }
 244 
 245 static void free_arg_pages(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+245 fs/exec.c] */
 246 {
 247 }
 248 
 249 static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos,
     /* [previous][next][first][last][top][bottom][index][help] [+249 fs/exec.c] */
 250                 struct page *page)
 251 {
 252         flush_cache_page(bprm->vma, pos, page_to_pfn(page));
 253 }
 254 
 255 static int __bprm_mm_init(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+255 fs/exec.c] */
 256 {
 257         int err;
 258         struct vm_area_struct *vma = NULL;
 259         struct mm_struct *mm = bprm->mm;
 260 
 261         bprm->vma = vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
 262         if (!vma)
 263                 return -ENOMEM;
 264 
 265         down_write(&mm->mmap_sem);
 266         vma->vm_mm = mm;
 267 
 268         /*
 269          * Place the stack at the largest stack address the architecture
 270          * supports. Later, we'll move this to an appropriate place. We don't
 271          * use STACK_TOP because that can depend on attributes which aren't
 272          * configured yet.
 273          */
 274         BUILD_BUG_ON(VM_STACK_FLAGS & VM_STACK_INCOMPLETE_SETUP);
 275         vma->vm_end = STACK_TOP_MAX;
 276         vma->vm_start = vma->vm_end - PAGE_SIZE;
 277         vma->vm_flags = VM_SOFTDIRTY | VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
 278         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
 279         INIT_LIST_HEAD(&vma->anon_vma_chain);
 280 
 281         err = insert_vm_struct(mm, vma);
 282         if (err)
 283                 goto err;
 284 
 285         mm->stack_vm = mm->total_vm = 1;
 286         arch_bprm_mm_init(mm, vma);
 287         up_write(&mm->mmap_sem);
 288         bprm->p = vma->vm_end - sizeof(void *);
 289         return 0;
 290 err:
 291         up_write(&mm->mmap_sem);
 292         bprm->vma = NULL;
 293         kmem_cache_free(vm_area_cachep, vma);
 294         return err;
 295 }
 296 
 297 static bool valid_arg_len(struct linux_binprm *bprm, long len)
     /* [previous][next][first][last][top][bottom][index][help] [+297 fs/exec.c] */
 298 {
 299         return len <= MAX_ARG_STRLEN;
 300 }
 301 
 302 #else
 303 
 304 static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
     /* [previous][next][first][last][top][bottom][index][help] [+304 fs/exec.c] */
 305 {
 306 }
 307 
 308 static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
     /* [previous][next][first][last][top][bottom][index][help] [+308 fs/exec.c] */
 309                 int write)
 310 {
 311         struct page *page;
 312 
 313         page = bprm->page[pos / PAGE_SIZE];
 314         if (!page && write) {
 315                 page = alloc_page(GFP_HIGHUSER|__GFP_ZERO);
 316                 if (!page)
 317                         return NULL;
 318                 bprm->page[pos / PAGE_SIZE] = page;
 319         }
 320 
 321         return page;
 322 }
 323 
 324 static void put_arg_page(struct page *page)
     /* [previous][next][first][last][top][bottom][index][help] [+324 fs/exec.c] */
 325 {
 326 }
 327 
 328 static void free_arg_page(struct linux_binprm *bprm, int i)
     /* [previous][next][first][last][top][bottom][index][help] [+328 fs/exec.c] */
 329 {
 330         if (bprm->page[i]) {
 331                 __free_page(bprm->page[i]);
 332                 bprm->page[i] = NULL;
 333         }
 334 }
 335 
 336 static void free_arg_pages(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+336 fs/exec.c] */
 337 {
 338         int i;
 339 
 340         for (i = 0; i < MAX_ARG_PAGES; i++)
 341                 free_arg_page(bprm, i);
 342 }
 343 
 344 static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos,
     /* [previous][next][first][last][top][bottom][index][help] [+344 fs/exec.c] */
 345                 struct page *page)
 346 {
 347 }
 348 
 349 static int __bprm_mm_init(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+349 fs/exec.c] */
 350 {
 351         bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *);
 352         return 0;
 353 }
 354 
 355 static bool valid_arg_len(struct linux_binprm *bprm, long len)
     /* [previous][next][first][last][top][bottom][index][help] [+355 fs/exec.c] */
 356 {
 357         return len <= bprm->p;
 358 }
 359 
 360 #endif /* CONFIG_MMU */
 361 
 362 /*
 363  * Create a new mm_struct and populate it with a temporary stack
 364  * vm_area_struct.  We don't have enough context at this point to set the stack
 365  * flags, permissions, and offset, so we use temporary values.  We'll update
 366  * them later in setup_arg_pages().
 367  */
 368 static int bprm_mm_init(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+368 fs/exec.c] */
 369 {
 370         int err;
 371         struct mm_struct *mm = NULL;
 372 
 373         bprm->mm = mm = mm_alloc();
 374         err = -ENOMEM;
 375         if (!mm)
 376                 goto err;
 377 
 378         err = __bprm_mm_init(bprm);
 379         if (err)
 380                 goto err;
 381 
 382         return 0;
 383 
 384 err:
 385         if (mm) {
 386                 bprm->mm = NULL;
 387                 mmdrop(mm);
 388         }
 389 
 390         return err;
 391 }
 392 
 393 struct user_arg_ptr {
 394 #ifdef CONFIG_COMPAT
 395         bool is_compat;
 396 #endif
 397         union {
 398                 const char __user *const __user *native;
 399 #ifdef CONFIG_COMPAT
 400                 const compat_uptr_t __user *compat;
 401 #endif
 402         } ptr;
 403 };
 404 
 405 static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
     /* [previous][next][first][last][top][bottom][index][help] [+405 fs/exec.c] */
 406 {
 407         const char __user *native;
 408 
 409 #ifdef CONFIG_COMPAT
 410         if (unlikely(argv.is_compat)) {
 411                 compat_uptr_t compat;
 412 
 413                 if (get_user(compat, argv.ptr.compat + nr))
 414                         return ERR_PTR(-EFAULT);
 415 
 416                 return compat_ptr(compat);
 417         }
 418 #endif
 419 
 420         if (get_user(native, argv.ptr.native + nr))
 421                 return ERR_PTR(-EFAULT);
 422 
 423         return native;
 424 }
 425 
 426 /*
 427  * count() counts the number of strings in array ARGV.
 428  */
 429 static int count(struct user_arg_ptr argv, int max)
     /* [previous][next][first][last][top][bottom][index][help] [+429 fs/exec.c] */
 430 {
 431         int i = 0;
 432 
 433         if (argv.ptr.native != NULL) {
 434                 for (;;) {
 435                         const char __user *p = get_user_arg_ptr(argv, i);
 436 
 437                         if (!p)
 438                                 break;
 439 
 440                         if (IS_ERR(p))
 441                                 return -EFAULT;
 442 
 443                         if (i >= max)
 444                                 return -E2BIG;
 445                         ++i;
 446 
 447                         if (fatal_signal_pending(current))
 448                                 return -ERESTARTNOHAND;
 449                         cond_resched();
 450                 }
 451         }
 452         return i;
 453 }
 454 
 455 /*
 456  * 'copy_strings()' copies argument/environment strings from the old
 457  * processes's memory to the new process's stack.  The call to get_user_pages()
 458  * ensures the destination page is created and not swapped out.
 459  */
 460 static int copy_strings(int argc, struct user_arg_ptr argv,
     /* [previous][next][first][last][top][bottom][index][help] [+460 fs/exec.c] */
 461                         struct linux_binprm *bprm)
 462 {
 463         struct page *kmapped_page = NULL;
 464         char *kaddr = NULL;
 465         unsigned long kpos = 0;
 466         int ret;
 467 
 468         while (argc-- > 0) {
 469                 const char __user *str;
 470                 int len;
 471                 unsigned long pos;
 472 
 473                 ret = -EFAULT;
 474                 str = get_user_arg_ptr(argv, argc);
 475                 if (IS_ERR(str))
 476                         goto out;
 477 
 478                 len = strnlen_user(str, MAX_ARG_STRLEN);
 479                 if (!len)
 480                         goto out;
 481 
 482                 ret = -E2BIG;
 483                 if (!valid_arg_len(bprm, len))
 484                         goto out;
 485 
 486                 /* We're going to work our way backwords. */
 487                 pos = bprm->p;
 488                 str += len;
 489                 bprm->p -= len;
 490 
 491                 while (len > 0) {
 492                         int offset, bytes_to_copy;
 493 
 494                         if (fatal_signal_pending(current)) {
 495                                 ret = -ERESTARTNOHAND;
 496                                 goto out;
 497                         }
 498                         cond_resched();
 499 
 500                         offset = pos % PAGE_SIZE;
 501                         if (offset == 0)
 502                                 offset = PAGE_SIZE;
 503 
 504                         bytes_to_copy = offset;
 505                         if (bytes_to_copy > len)
 506                                 bytes_to_copy = len;
 507 
 508                         offset -= bytes_to_copy;
 509                         pos -= bytes_to_copy;
 510                         str -= bytes_to_copy;
 511                         len -= bytes_to_copy;
 512 
 513                         if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
 514                                 struct page *page;
 515 
 516                                 page = get_arg_page(bprm, pos, 1);
 517                                 if (!page) {
 518                                         ret = -E2BIG;
 519                                         goto out;
 520                                 }
 521 
 522                                 if (kmapped_page) {
 523                                         flush_kernel_dcache_page(kmapped_page);
 524                                         kunmap(kmapped_page);
 525                                         put_arg_page(kmapped_page);
 526                                 }
 527                                 kmapped_page = page;
 528                                 kaddr = kmap(kmapped_page);
 529                                 kpos = pos & PAGE_MASK;
 530                                 flush_arg_page(bprm, kpos, kmapped_page);
 531                         }
 532                         if (copy_from_user(kaddr+offset, str, bytes_to_copy)) {
 533                                 ret = -EFAULT;
 534                                 goto out;
 535                         }
 536                 }
 537         }
 538         ret = 0;
 539 out:
 540         if (kmapped_page) {
 541                 flush_kernel_dcache_page(kmapped_page);
 542                 kunmap(kmapped_page);
 543                 put_arg_page(kmapped_page);
 544         }
 545         return ret;
 546 }
 547 
 548 /*
 549  * Like copy_strings, but get argv and its values from kernel memory.
 550  */
 551 int copy_strings_kernel(int argc, const char *const *__argv,
     /* [previous][next][first][last][top][bottom][index][help] [+551 fs/exec.c] */
 552                         struct linux_binprm *bprm)
 553 {
 554         int r;
 555         mm_segment_t oldfs = get_fs();
 556         struct user_arg_ptr argv = {
 557                 .ptr.native = (const char __user *const  __user *)__argv,
 558         };
 559 
 560         set_fs(KERNEL_DS);
 561         r = copy_strings(argc, argv, bprm);
 562         set_fs(oldfs);
 563 
 564         return r;
 565 }
 566 EXPORT_SYMBOL(copy_strings_kernel);
 567 
 568 #ifdef CONFIG_MMU
 569 
 570 /*
 571  * During bprm_mm_init(), we create a temporary stack at STACK_TOP_MAX.  Once
 572  * the binfmt code determines where the new stack should reside, we shift it to
 573  * its final location.  The process proceeds as follows:
 574  *
 575  * 1) Use shift to calculate the new vma endpoints.
 576  * 2) Extend vma to cover both the old and new ranges.  This ensures the
 577  *    arguments passed to subsequent functions are consistent.
 578  * 3) Move vma's page tables to the new range.
 579  * 4) Free up any cleared pgd range.
 580  * 5) Shrink the vma to cover only the new range.
 581  */
 582 static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
     /* [previous][next][first][last][top][bottom][index][help] [+582 fs/exec.c] */
 583 {
 584         struct mm_struct *mm = vma->vm_mm;
 585         unsigned long old_start = vma->vm_start;
 586         unsigned long old_end = vma->vm_end;
 587         unsigned long length = old_end - old_start;
 588         unsigned long new_start = old_start - shift;
 589         unsigned long new_end = old_end - shift;
 590         struct mmu_gather tlb;
 591 
 592         BUG_ON(new_start > new_end);
 593 
 594         /*
 595          * ensure there are no vmas between where we want to go
 596          * and where we are
 597          */
 598         if (vma != find_vma(mm, new_start))
 599                 return -EFAULT;
 600 
 601         /*
 602          * cover the whole range: [new_start, old_end)
 603          */
 604         if (vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL))
 605                 return -ENOMEM;
 606 
 607         /*
 608          * move the page tables downwards, on failure we rely on
 609          * process cleanup to remove whatever mess we made.
 610          */
 611         if (length != move_page_tables(vma, old_start,
 612                                        vma, new_start, length, false))
 613                 return -ENOMEM;
 614 
 615         lru_add_drain();
 616         tlb_gather_mmu(&tlb, mm, old_start, old_end);
 617         if (new_end > old_start) {
 618                 /*
 619                  * when the old and new regions overlap clear from new_end.
 620                  */
 621                 free_pgd_range(&tlb, new_end, old_end, new_end,
 622                         vma->vm_next ? vma->vm_next->vm_start : USER_PGTABLES_CEILING);
 623         } else {
 624                 /*
 625                  * otherwise, clean from old_start; this is done to not touch
 626                  * the address space in [new_end, old_start) some architectures
 627                  * have constraints on va-space that make this illegal (IA64) -
 628                  * for the others its just a little faster.
 629                  */
 630                 free_pgd_range(&tlb, old_start, old_end, new_end,
 631                         vma->vm_next ? vma->vm_next->vm_start : USER_PGTABLES_CEILING);
 632         }
 633         tlb_finish_mmu(&tlb, old_start, old_end);
 634 
 635         /*
 636          * Shrink the vma to just the new range.  Always succeeds.
 637          */
 638         vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL);
 639 
 640         return 0;
 641 }
 642 
 643 /*
 644  * Finalizes the stack vm_area_struct. The flags and permissions are updated,
 645  * the stack is optionally relocated, and some extra space is added.
 646  */
 647 int setup_arg_pages(struct linux_binprm *bprm,
     /* [previous][next][first][last][top][bottom][index][help] [+647 fs/exec.c] */
 648                     unsigned long stack_top,
 649                     int executable_stack)
 650 {
 651         unsigned long ret;
 652         unsigned long stack_shift;
 653         struct mm_struct *mm = current->mm;
 654         struct vm_area_struct *vma = bprm->vma;
 655         struct vm_area_struct *prev = NULL;
 656         unsigned long vm_flags;
 657         unsigned long stack_base;
 658         unsigned long stack_size;
 659         unsigned long stack_expand;
 660         unsigned long rlim_stack;
 661 
 662 #ifdef CONFIG_STACK_GROWSUP
 663         /* Limit stack size */
 664         stack_base = rlimit_max(RLIMIT_STACK);
 665         if (stack_base > STACK_SIZE_MAX)
 666                 stack_base = STACK_SIZE_MAX;
 667 
 668         /* Add space for stack randomization. */
 669         stack_base += (STACK_RND_MASK << PAGE_SHIFT);
 670 
 671         /* Make sure we didn't let the argument array grow too large. */
 672         if (vma->vm_end - vma->vm_start > stack_base)
 673                 return -ENOMEM;
 674 
 675         stack_base = PAGE_ALIGN(stack_top - stack_base);
 676 
 677         stack_shift = vma->vm_start - stack_base;
 678         mm->arg_start = bprm->p - stack_shift;
 679         bprm->p = vma->vm_end - stack_shift;
 680 #else
 681         stack_top = arch_align_stack(stack_top);
 682         stack_top = PAGE_ALIGN(stack_top);
 683 
 684         if (unlikely(stack_top < mmap_min_addr) ||
 685             unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
 686                 return -ENOMEM;
 687 
 688         stack_shift = vma->vm_end - stack_top;
 689 
 690         bprm->p -= stack_shift;
 691         mm->arg_start = bprm->p;
 692 #endif
 693 
 694         if (bprm->loader)
 695                 bprm->loader -= stack_shift;
 696         bprm->exec -= stack_shift;
 697 
 698         down_write(&mm->mmap_sem);
 699         vm_flags = VM_STACK_FLAGS;
 700 
 701         /*
 702          * Adjust stack execute permissions; explicitly enable for
 703          * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
 704          * (arch default) otherwise.
 705          */
 706         if (unlikely(executable_stack == EXSTACK_ENABLE_X))
 707                 vm_flags |= VM_EXEC;
 708         else if (executable_stack == EXSTACK_DISABLE_X)
 709                 vm_flags &= ~VM_EXEC;
 710         vm_flags |= mm->def_flags;
 711         vm_flags |= VM_STACK_INCOMPLETE_SETUP;
 712 
 713         ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
 714                         vm_flags);
 715         if (ret)
 716                 goto out_unlock;
 717         BUG_ON(prev != vma);
 718 
 719         /* Move stack pages down in memory. */
 720         if (stack_shift) {
 721                 ret = shift_arg_pages(vma, stack_shift);
 722                 if (ret)
 723                         goto out_unlock;
 724         }
 725 
 726         /* mprotect_fixup is overkill to remove the temporary stack flags */
 727         vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
 728 
 729         stack_expand = 131072UL; /* randomly 32*4k (or 2*64k) pages */
 730         stack_size = vma->vm_end - vma->vm_start;
 731         /*
 732          * Align this down to a page boundary as expand_stack
 733          * will align it up.
 734          */
 735         rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
 736 #ifdef CONFIG_STACK_GROWSUP
 737         if (stack_size + stack_expand > rlim_stack)
 738                 stack_base = vma->vm_start + rlim_stack;
 739         else
 740                 stack_base = vma->vm_end + stack_expand;
 741 #else
 742         if (stack_size + stack_expand > rlim_stack)
 743                 stack_base = vma->vm_end - rlim_stack;
 744         else
 745                 stack_base = vma->vm_start - stack_expand;
 746 #endif
 747         current->mm->start_stack = bprm->p;
 748         ret = expand_stack(vma, stack_base);
 749         if (ret)
 750                 ret = -EFAULT;
 751 
 752 out_unlock:
 753         up_write(&mm->mmap_sem);
 754         return ret;
 755 }
 756 EXPORT_SYMBOL(setup_arg_pages);
 757 
 758 #endif /* CONFIG_MMU */
 759 
 760 static struct file *do_open_execat(int fd, struct filename *name, int flags)
     /* [previous][next][first][last][top][bottom][index][help] [+760 fs/exec.c] */
 761 {
 762         struct file *file;
 763         int err;
 764         struct open_flags open_exec_flags = {
 765                 .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
 766                 .acc_mode = MAY_EXEC | MAY_OPEN,
 767                 .intent = LOOKUP_OPEN,
 768                 .lookup_flags = LOOKUP_FOLLOW,
 769         };
 770 
 771         if ((flags & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0)
 772                 return ERR_PTR(-EINVAL);
 773         if (flags & AT_SYMLINK_NOFOLLOW)
 774                 open_exec_flags.lookup_flags &= ~LOOKUP_FOLLOW;
 775         if (flags & AT_EMPTY_PATH)
 776                 open_exec_flags.lookup_flags |= LOOKUP_EMPTY;
 777 
 778         file = do_filp_open(fd, name, &open_exec_flags);
 779         if (IS_ERR(file))
 780                 goto out;
 781 
 782         err = -EACCES;
 783         if (!S_ISREG(file_inode(file)->i_mode))
 784                 goto exit;
 785 
 786         if (path_noexec(&file->f_path))
 787                 goto exit;
 788 
 789         err = deny_write_access(file);
 790         if (err)
 791                 goto exit;
 792 
 793         if (name->name[0] != '\0')
 794                 fsnotify_open(file);
 795 
 796 out:
 797         return file;
 798 
 799 exit:
 800         fput(file);
 801         return ERR_PTR(err);
 802 }
 803 
 804 struct file *open_exec(const char *name)
     /* [previous][next][first][last][top][bottom][index][help] [+804 fs/exec.c] */
 805 {
 806         struct filename *filename = getname_kernel(name);
 807         struct file *f = ERR_CAST(filename);
 808 
 809         if (!IS_ERR(filename)) {
 810                 f = do_open_execat(AT_FDCWD, filename, 0);
 811                 putname(filename);
 812         }
 813         return f;
 814 }
 815 EXPORT_SYMBOL(open_exec);
 816 
 817 int kernel_read(struct file *file, loff_t offset,
     /* [previous][next][first][last][top][bottom][index][help] [+817 fs/exec.c] */
 818                 char *addr, unsigned long count)
 819 {
 820         mm_segment_t old_fs;
 821         loff_t pos = offset;
 822         int result;
 823 
 824         old_fs = get_fs();
 825         set_fs(get_ds());
 826         /* The cast to a user pointer is valid due to the set_fs() */
 827         result = vfs_read(file, (void __user *)addr, count, &pos);
 828         set_fs(old_fs);
 829         return result;
 830 }
 831 
 832 EXPORT_SYMBOL(kernel_read);
 833 
 834 ssize_t read_code(struct file *file, unsigned long addr, loff_t pos, size_t len)
     /* [previous][next][first][last][top][bottom][index][help] [+834 fs/exec.c] */
 835 {
 836         ssize_t res = vfs_read(file, (void __user *)addr, len, &pos);
 837         if (res > 0)
 838                 flush_icache_range(addr, addr + len);
 839         return res;
 840 }
 841 EXPORT_SYMBOL(read_code);
 842 
 843 static int exec_mmap(struct mm_struct *mm)
     /* [previous][next][first][last][top][bottom][index][help] [+843 fs/exec.c] */
 844 {
 845         struct task_struct *tsk;
 846         struct mm_struct *old_mm, *active_mm;
 847 
 848         /* Notify parent that we're no longer interested in the old VM */
 849         tsk = current;
 850         old_mm = current->mm;
 851         mm_release(tsk, old_mm);
 852 
 853         if (old_mm) {
 854                 sync_mm_rss(old_mm);
 855                 /*
 856                  * Make sure that if there is a core dump in progress
 857                  * for the old mm, we get out and die instead of going
 858                  * through with the exec.  We must hold mmap_sem around
 859                  * checking core_state and changing tsk->mm.
 860                  */
 861                 down_read(&old_mm->mmap_sem);
 862                 if (unlikely(old_mm->core_state)) {
 863                         up_read(&old_mm->mmap_sem);
 864                         return -EINTR;
 865                 }
 866         }
 867         task_lock(tsk);
 868         active_mm = tsk->active_mm;
 869         tsk->mm = mm;
 870         tsk->active_mm = mm;
 871         activate_mm(active_mm, mm);
 872         tsk->mm->vmacache_seqnum = 0;
 873         vmacache_flush(tsk);
 874         task_unlock(tsk);
 875         if (old_mm) {
 876                 up_read(&old_mm->mmap_sem);
 877                 BUG_ON(active_mm != old_mm);
 878                 setmax_mm_hiwater_rss(&tsk->signal->maxrss, old_mm);
 879                 mm_update_next_owner(old_mm);
 880                 mmput(old_mm);
 881                 return 0;
 882         }
 883         mmdrop(active_mm);
 884         return 0;
 885 }
 886 
 887 /*
 888  * This function makes sure the current process has its own signal table,
 889  * so that flush_signal_handlers can later reset the handlers without
 890  * disturbing other processes.  (Other processes might share the signal
 891  * table via the CLONE_SIGHAND option to clone().)
 892  */
 893 static int de_thread(struct task_struct *tsk)
     /* [previous][next][first][last][top][bottom][index][help] [+893 fs/exec.c] */
 894 {
 895         struct signal_struct *sig = tsk->signal;
 896         struct sighand_struct *oldsighand = tsk->sighand;
 897         spinlock_t *lock = &oldsighand->siglock;
 898 
 899         if (thread_group_empty(tsk))
 900                 goto no_thread_group;
 901 
 902         /*
 903          * Kill all other threads in the thread group.
 904          */
 905         spin_lock_irq(lock);
 906         if (signal_group_exit(sig)) {
 907                 /*
 908                  * Another group action in progress, just
 909                  * return so that the signal is processed.
 910                  */
 911                 spin_unlock_irq(lock);
 912                 return -EAGAIN;
 913         }
 914 
 915         sig->group_exit_task = tsk;
 916         sig->notify_count = zap_other_threads(tsk);
 917         if (!thread_group_leader(tsk))
 918                 sig->notify_count--;
 919 
 920         while (sig->notify_count) {
 921                 __set_current_state(TASK_KILLABLE);
 922                 spin_unlock_irq(lock);
 923                 schedule();
 924                 if (unlikely(__fatal_signal_pending(tsk)))
 925                         goto killed;
 926                 spin_lock_irq(lock);
 927         }
 928         spin_unlock_irq(lock);
 929 
 930         /*
 931          * At this point all other threads have exited, all we have to
 932          * do is to wait for the thread group leader to become inactive,
 933          * and to assume its PID:
 934          */
 935         if (!thread_group_leader(tsk)) {
 936                 struct task_struct *leader = tsk->group_leader;
 937 
 938                 for (;;) {
 939                         threadgroup_change_begin(tsk);
 940                         write_lock_irq(&tasklist_lock);
 941                         /*
 942                          * Do this under tasklist_lock to ensure that
 943                          * exit_notify() can't miss ->group_exit_task
 944                          */
 945                         sig->notify_count = -1;
 946                         if (likely(leader->exit_state))
 947                                 break;
 948                         __set_current_state(TASK_KILLABLE);
 949                         write_unlock_irq(&tasklist_lock);
 950                         threadgroup_change_end(tsk);
 951                         schedule();
 952                         if (unlikely(__fatal_signal_pending(tsk)))
 953                                 goto killed;
 954                 }
 955 
 956                 /*
 957                  * The only record we have of the real-time age of a
 958                  * process, regardless of execs it's done, is start_time.
 959                  * All the past CPU time is accumulated in signal_struct
 960                  * from sister threads now dead.  But in this non-leader
 961                  * exec, nothing survives from the original leader thread,
 962                  * whose birth marks the true age of this process now.
 963                  * When we take on its identity by switching to its PID, we
 964                  * also take its birthdate (always earlier than our own).
 965                  */
 966                 tsk->start_time = leader->start_time;
 967                 tsk->real_start_time = leader->real_start_time;
 968 
 969                 BUG_ON(!same_thread_group(leader, tsk));
 970                 BUG_ON(has_group_leader_pid(tsk));
 971                 /*
 972                  * An exec() starts a new thread group with the
 973                  * TGID of the previous thread group. Rehash the
 974                  * two threads with a switched PID, and release
 975                  * the former thread group leader:
 976                  */
 977 
 978                 /* Become a process group leader with the old leader's pid.
 979                  * The old leader becomes a thread of the this thread group.
 980                  * Note: The old leader also uses this pid until release_task
 981                  *       is called.  Odd but simple and correct.
 982                  */
 983                 tsk->pid = leader->pid;
 984                 change_pid(tsk, PIDTYPE_PID, task_pid(leader));
 985                 transfer_pid(leader, tsk, PIDTYPE_PGID);
 986                 transfer_pid(leader, tsk, PIDTYPE_SID);
 987 
 988                 list_replace_rcu(&leader->tasks, &tsk->tasks);
 989                 list_replace_init(&leader->sibling, &tsk->sibling);
 990 
 991                 tsk->group_leader = tsk;
 992                 leader->group_leader = tsk;
 993 
 994                 tsk->exit_signal = SIGCHLD;
 995                 leader->exit_signal = -1;
 996 
 997                 BUG_ON(leader->exit_state != EXIT_ZOMBIE);
 998                 leader->exit_state = EXIT_DEAD;
 999 
1000                 /*
1001                  * We are going to release_task()->ptrace_unlink() silently,
1002                  * the tracer can sleep in do_wait(). EXIT_DEAD guarantees
1003                  * the tracer wont't block again waiting for this thread.
1004                  */
1005                 if (unlikely(leader->ptrace))
1006                         __wake_up_parent(leader, leader->parent);
1007                 write_unlock_irq(&tasklist_lock);
1008                 threadgroup_change_end(tsk);
1009 
1010                 release_task(leader);
1011         }
1012 
1013         sig->group_exit_task = NULL;
1014         sig->notify_count = 0;
1015 
1016 no_thread_group:
1017         /* we have changed execution domain */
1018         tsk->exit_signal = SIGCHLD;
1019 
1020         exit_itimers(sig);
1021         flush_itimer_signals();
1022 
1023         if (atomic_read(&oldsighand->count) != 1) {
1024                 struct sighand_struct *newsighand;
1025                 /*
1026                  * This ->sighand is shared with the CLONE_SIGHAND
1027                  * but not CLONE_THREAD task, switch to the new one.
1028                  */
1029                 newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
1030                 if (!newsighand)
1031                         return -ENOMEM;
1032 
1033                 atomic_set(&newsighand->count, 1);
1034                 memcpy(newsighand->action, oldsighand->action,
1035                        sizeof(newsighand->action));
1036 
1037                 write_lock_irq(&tasklist_lock);
1038                 spin_lock(&oldsighand->siglock);
1039                 rcu_assign_pointer(tsk->sighand, newsighand);
1040                 spin_unlock(&oldsighand->siglock);
1041                 write_unlock_irq(&tasklist_lock);
1042 
1043                 __cleanup_sighand(oldsighand);
1044         }
1045 
1046         BUG_ON(!thread_group_leader(tsk));
1047         return 0;
1048 
1049 killed:
1050         /* protects against exit_notify() and __exit_signal() */
1051         read_lock(&tasklist_lock);
1052         sig->group_exit_task = NULL;
1053         sig->notify_count = 0;
1054         read_unlock(&tasklist_lock);
1055         return -EAGAIN;
1056 }
1057 
1058 char *get_task_comm(char *buf, struct task_struct *tsk)
     /* [previous][next][first][last][top][bottom][index][help] [+1058 fs/exec.c] */
1059 {
1060         /* buf must be at least sizeof(tsk->comm) in size */
1061         task_lock(tsk);
1062         strncpy(buf, tsk->comm, sizeof(tsk->comm));
1063         task_unlock(tsk);
1064         return buf;
1065 }
1066 EXPORT_SYMBOL_GPL(get_task_comm);
1067 
1068 /*
1069  * These functions flushes out all traces of the currently running executable
1070  * so that a new one can be started
1071  */
1072 
1073 void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec)
     /* [previous][next][first][last][top][bottom][index][help] [+1073 fs/exec.c] */
1074 {
1075         task_lock(tsk);
1076         trace_task_rename(tsk, buf);
1077         strlcpy(tsk->comm, buf, sizeof(tsk->comm));
1078         task_unlock(tsk);
1079         perf_event_comm(tsk, exec);
1080 }
1081 
1082 int flush_old_exec(struct linux_binprm * bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1082 fs/exec.c] */
1083 {
1084         int retval;
1085 
1086         /*
1087          * Make sure we have a private signal table and that
1088          * we are unassociated from the previous thread group.
1089          */
1090         retval = de_thread(current);
1091         if (retval)
1092                 goto out;
1093 
1094         /*
1095          * Must be called _before_ exec_mmap() as bprm->mm is
1096          * not visibile until then. This also enables the update
1097          * to be lockless.
1098          */
1099         set_mm_exe_file(bprm->mm, bprm->file);
1100 
1101         /*
1102          * Release all of the old mmap stuff
1103          */
1104         acct_arg_size(bprm, 0);
1105         retval = exec_mmap(bprm->mm);
1106         if (retval)
1107                 goto out;
1108 
1109         bprm->mm = NULL;                /* We're using it now */
1110 
1111         set_fs(USER_DS);
1112         current->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
1113                                         PF_NOFREEZE | PF_NO_SETAFFINITY);
1114         flush_thread();
1115         current->personality &= ~bprm->per_clear;
1116 
1117         return 0;
1118 
1119 out:
1120         return retval;
1121 }
1122 EXPORT_SYMBOL(flush_old_exec);
1123 
1124 void would_dump(struct linux_binprm *bprm, struct file *file)
     /* [previous][next][first][last][top][bottom][index][help] [+1124 fs/exec.c] */
1125 {
1126         if (inode_permission(file_inode(file), MAY_READ) < 0)
1127                 bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
1128 }
1129 EXPORT_SYMBOL(would_dump);
1130 
1131 void setup_new_exec(struct linux_binprm * bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1131 fs/exec.c] */
1132 {
1133         arch_pick_mmap_layout(current->mm);
1134 
1135         /* This is the point of no return */
1136         current->sas_ss_sp = current->sas_ss_size = 0;
1137 
1138         if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid()))
1139                 set_dumpable(current->mm, SUID_DUMP_USER);
1140         else
1141                 set_dumpable(current->mm, suid_dumpable);
1142 
1143         perf_event_exec();
1144         __set_task_comm(current, kbasename(bprm->filename), true);
1145 
1146         /* Set the new mm task size. We have to do that late because it may
1147          * depend on TIF_32BIT which is only updated in flush_thread() on
1148          * some architectures like powerpc
1149          */
1150         current->mm->task_size = TASK_SIZE;
1151 
1152         /* install the new credentials */
1153         if (!uid_eq(bprm->cred->uid, current_euid()) ||
1154             !gid_eq(bprm->cred->gid, current_egid())) {
1155                 current->pdeath_signal = 0;
1156         } else {
1157                 would_dump(bprm, bprm->file);
1158                 if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)
1159                         set_dumpable(current->mm, suid_dumpable);
1160         }
1161 
1162         /* An exec changes our domain. We are no longer part of the thread
1163            group */
1164         current->self_exec_id++;
1165         flush_signal_handlers(current, 0);
1166         do_close_on_exec(current->files);
1167 }
1168 EXPORT_SYMBOL(setup_new_exec);
1169 
1170 /*
1171  * Prepare credentials and lock ->cred_guard_mutex.
1172  * install_exec_creds() commits the new creds and drops the lock.
1173  * Or, if exec fails before, free_bprm() should release ->cred and
1174  * and unlock.
1175  */
1176 int prepare_bprm_creds(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1176 fs/exec.c] */
1177 {
1178         if (mutex_lock_interruptible(&current->signal->cred_guard_mutex))
1179                 return -ERESTARTNOINTR;
1180 
1181         bprm->cred = prepare_exec_creds();
1182         if (likely(bprm->cred))
1183                 return 0;
1184 
1185         mutex_unlock(&current->signal->cred_guard_mutex);
1186         return -ENOMEM;
1187 }
1188 
1189 static void free_bprm(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1189 fs/exec.c] */
1190 {
1191         free_arg_pages(bprm);
1192         if (bprm->cred) {
1193                 mutex_unlock(&current->signal->cred_guard_mutex);
1194                 abort_creds(bprm->cred);
1195         }
1196         if (bprm->file) {
1197                 allow_write_access(bprm->file);
1198                 fput(bprm->file);
1199         }
1200         /* If a binfmt changed the interp, free it. */
1201         if (bprm->interp != bprm->filename)
1202                 kfree(bprm->interp);
1203         kfree(bprm);
1204 }
1205 
1206 int bprm_change_interp(char *interp, struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1206 fs/exec.c] */
1207 {
1208         /* If a binfmt changed the interp, free it first. */
1209         if (bprm->interp != bprm->filename)
1210                 kfree(bprm->interp);
1211         bprm->interp = kstrdup(interp, GFP_KERNEL);
1212         if (!bprm->interp)
1213                 return -ENOMEM;
1214         return 0;
1215 }
1216 EXPORT_SYMBOL(bprm_change_interp);
1217 
1218 /*
1219  * install the new credentials for this executable
1220  */
1221 void install_exec_creds(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1221 fs/exec.c] */
1222 {
1223         security_bprm_committing_creds(bprm);
1224 
1225         commit_creds(bprm->cred);
1226         bprm->cred = NULL;
1227 
1228         /*
1229          * Disable monitoring for regular users
1230          * when executing setuid binaries. Must
1231          * wait until new credentials are committed
1232          * by commit_creds() above
1233          */
1234         if (get_dumpable(current->mm) != SUID_DUMP_USER)
1235                 perf_event_exit_task(current);
1236         /*
1237          * cred_guard_mutex must be held at least to this point to prevent
1238          * ptrace_attach() from altering our determination of the task's
1239          * credentials; any time after this it may be unlocked.
1240          */
1241         security_bprm_committed_creds(bprm);
1242         mutex_unlock(&current->signal->cred_guard_mutex);
1243 }
1244 EXPORT_SYMBOL(install_exec_creds);
1245 
1246 /*
1247  * determine how safe it is to execute the proposed program
1248  * - the caller must hold ->cred_guard_mutex to protect against
1249  *   PTRACE_ATTACH or seccomp thread-sync
1250  */
1251 static void check_unsafe_exec(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1251 fs/exec.c] */
1252 {
1253         struct task_struct *p = current, *t;
1254         unsigned n_fs;
1255 
1256         if (p->ptrace) {
1257                 if (p->ptrace & PT_PTRACE_CAP)
1258                         bprm->unsafe |= LSM_UNSAFE_PTRACE_CAP;
1259                 else
1260                         bprm->unsafe |= LSM_UNSAFE_PTRACE;
1261         }
1262 
1263         /*
1264          * This isn't strictly necessary, but it makes it harder for LSMs to
1265          * mess up.
1266          */
1267         if (task_no_new_privs(current))
1268                 bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS;
1269 
1270         t = p;
1271         n_fs = 1;
1272         spin_lock(&p->fs->lock);
1273         rcu_read_lock();
1274         while_each_thread(p, t) {
1275                 if (t->fs == p->fs)
1276                         n_fs++;
1277         }
1278         rcu_read_unlock();
1279 
1280         if (p->fs->users > n_fs)
1281                 bprm->unsafe |= LSM_UNSAFE_SHARE;
1282         else
1283                 p->fs->in_exec = 1;
1284         spin_unlock(&p->fs->lock);
1285 }
1286 
1287 static void bprm_fill_uid(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1287 fs/exec.c] */
1288 {
1289         struct inode *inode;
1290         unsigned int mode;
1291         kuid_t uid;
1292         kgid_t gid;
1293 
1294         /* clear any previous set[ug]id data from a previous binary */
1295         bprm->cred->euid = current_euid();
1296         bprm->cred->egid = current_egid();
1297 
1298         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1299                 return;
1300 
1301         if (task_no_new_privs(current))
1302                 return;
1303 
1304         inode = file_inode(bprm->file);
1305         mode = READ_ONCE(inode->i_mode);
1306         if (!(mode & (S_ISUID|S_ISGID)))
1307                 return;
1308 
1309         /* Be careful if suid/sgid is set */
1310         mutex_lock(&inode->i_mutex);
1311 
1312         /* reload atomically mode/uid/gid now that lock held */
1313         mode = inode->i_mode;
1314         uid = inode->i_uid;
1315         gid = inode->i_gid;
1316         mutex_unlock(&inode->i_mutex);
1317 
1318         /* We ignore suid/sgid if there are no mappings for them in the ns */
1319         if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
1320                  !kgid_has_mapping(bprm->cred->user_ns, gid))
1321                 return;
1322 
1323         if (mode & S_ISUID) {
1324                 bprm->per_clear |= PER_CLEAR_ON_SETID;
1325                 bprm->cred->euid = uid;
1326         }
1327 
1328         if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
1329                 bprm->per_clear |= PER_CLEAR_ON_SETID;
1330                 bprm->cred->egid = gid;
1331         }
1332 }
1333 
1334 /*
1335  * Fill the binprm structure from the inode.
1336  * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
1337  *
1338  * This may be called multiple times for binary chains (scripts for example).
1339  */
1340 int prepare_binprm(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1340 fs/exec.c] */
1341 {
1342         int retval;
1343 
1344         bprm_fill_uid(bprm);
1345 
1346         /* fill in binprm security blob */
1347         retval = security_bprm_set_creds(bprm);
1348         if (retval)
1349                 return retval;
1350         bprm->cred_prepared = 1;
1351 
1352         memset(bprm->buf, 0, BINPRM_BUF_SIZE);
1353         return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
1354 }
1355 
1356 EXPORT_SYMBOL(prepare_binprm);
1357 
1358 /*
1359  * Arguments are '\0' separated strings found at the location bprm->p
1360  * points to; chop off the first by relocating brpm->p to right after
1361  * the first '\0' encountered.
1362  */
1363 int remove_arg_zero(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1363 fs/exec.c] */
1364 {
1365         int ret = 0;
1366         unsigned long offset;
1367         char *kaddr;
1368         struct page *page;
1369 
1370         if (!bprm->argc)
1371                 return 0;
1372 
1373         do {
1374                 offset = bprm->p & ~PAGE_MASK;
1375                 page = get_arg_page(bprm, bprm->p, 0);
1376                 if (!page) {
1377                         ret = -EFAULT;
1378                         goto out;
1379                 }
1380                 kaddr = kmap_atomic(page);
1381 
1382                 for (; offset < PAGE_SIZE && kaddr[offset];
1383                                 offset++, bprm->p++)
1384                         ;
1385 
1386                 kunmap_atomic(kaddr);
1387                 put_arg_page(page);
1388 
1389                 if (offset == PAGE_SIZE)
1390                         free_arg_page(bprm, (bprm->p >> PAGE_SHIFT) - 1);
1391         } while (offset == PAGE_SIZE);
1392 
1393         bprm->p++;
1394         bprm->argc--;
1395         ret = 0;
1396 
1397 out:
1398         return ret;
1399 }
1400 EXPORT_SYMBOL(remove_arg_zero);
1401 
1402 #define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
1403 /*
1404  * cycle the list of binary formats handler, until one recognizes the image
1405  */
1406 int search_binary_handler(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1406 fs/exec.c] */
1407 {
1408         bool need_retry = IS_ENABLED(CONFIG_MODULES);
1409         struct linux_binfmt *fmt;
1410         int retval;
1411 
1412         /* This allows 4 levels of binfmt rewrites before failing hard. */
1413         if (bprm->recursion_depth > 5)
1414                 return -ELOOP;
1415 
1416         retval = security_bprm_check(bprm);
1417         if (retval)
1418                 return retval;
1419 
1420         retval = -ENOENT;
1421  retry:
1422         read_lock(&binfmt_lock);
1423         list_for_each_entry(fmt, &formats, lh) {
1424                 if (!try_module_get(fmt->module))
1425                         continue;
1426                 read_unlock(&binfmt_lock);
1427                 bprm->recursion_depth++;
1428                 retval = fmt->load_binary(bprm);
1429                 read_lock(&binfmt_lock);
1430                 put_binfmt(fmt);
1431                 bprm->recursion_depth--;
1432                 if (retval < 0 && !bprm->mm) {
1433                         /* we got to flush_old_exec() and failed after it */
1434                         read_unlock(&binfmt_lock);
1435                         force_sigsegv(SIGSEGV, current);
1436                         return retval;
1437                 }
1438                 if (retval != -ENOEXEC || !bprm->file) {
1439                         read_unlock(&binfmt_lock);
1440                         return retval;
1441                 }
1442         }
1443         read_unlock(&binfmt_lock);
1444 
1445         if (need_retry) {
1446                 if (printable(bprm->buf[0]) && printable(bprm->buf[1]) &&
1447                     printable(bprm->buf[2]) && printable(bprm->buf[3]))
1448                         return retval;
1449                 if (request_module("binfmt-%04x", *(ushort *)(bprm->buf + 2)) < 0)
1450                         return retval;
1451                 need_retry = false;
1452                 goto retry;
1453         }
1454 
1455         return retval;
1456 }
1457 EXPORT_SYMBOL(search_binary_handler);
1458 
1459 static int exec_binprm(struct linux_binprm *bprm)
     /* [previous][next][first][last][top][bottom][index][help] [+1459 fs/exec.c] */
1460 {
1461         pid_t old_pid, old_vpid;
1462         int ret;
1463 
1464         /* Need to fetch pid before load_binary changes it */
1465         old_pid = current->pid;
1466         rcu_read_lock();
1467         old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
1468         rcu_read_unlock();
1469 
1470         ret = search_binary_handler(bprm);
1471         if (ret >= 0) {
1472                 audit_bprm(bprm);
1473                 trace_sched_process_exec(current, old_pid, bprm);
1474                 ptrace_event(PTRACE_EVENT_EXEC, old_vpid);
1475                 proc_exec_connector(current);
1476         }
1477 
1478         return ret;
1479 }
1480 
1481 /*
1482  * sys_execve() executes a new program.
1483  */
1484 static int do_execveat_common(int fd, struct filename *filename,
     /* [previous][next][first][last][top][bottom][index][help] [+1484 fs/exec.c] */
1485                               struct user_arg_ptr argv,
1486                               struct user_arg_ptr envp,
1487                               int flags)
1488 {
1489         char *pathbuf = NULL;
1490         struct linux_binprm *bprm;
1491         struct file *file;
1492         struct files_struct *displaced;
1493         int retval;
1494 
1495         if (IS_ERR(filename))
1496                 return PTR_ERR(filename);
1497 
1498         /*
1499          * We move the actual failure in case of RLIMIT_NPROC excess from
1500          * set*uid() to execve() because too many poorly written programs
1501          * don't check setuid() return code.  Here we additionally recheck
1502          * whether NPROC limit is still exceeded.
1503          */
1504         if ((current->flags & PF_NPROC_EXCEEDED) &&
1505             atomic_read(&current_user()->processes) > rlimit(RLIMIT_NPROC)) {
1506                 retval = -EAGAIN;
1507                 goto out_ret;
1508         }
1509 
1510         /* We're below the limit (still or again), so we don't want to make
1511          * further execve() calls fail. */
1512         current->flags &= ~PF_NPROC_EXCEEDED;
1513 
1514         retval = unshare_files(&displaced);
1515         if (retval)
1516                 goto out_ret;
1517 
1518         retval = -ENOMEM;
1519         bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
1520         if (!bprm)
1521                 goto out_files;
1522 
1523         retval = prepare_bprm_creds(bprm);
1524         if (retval)
1525                 goto out_free;
1526 
1527         check_unsafe_exec(bprm);
1528         current->in_execve = 1;
1529 
1530         file = do_open_execat(fd, filename, flags);
1531         retval = PTR_ERR(file);
1532         if (IS_ERR(file))
1533                 goto out_unmark;
1534 
1535         sched_exec();
1536 
1537         bprm->file = file;
1538         if (fd == AT_FDCWD || filename->name[0] == '/') {
1539                 bprm->filename = filename->name;
1540         } else {
1541                 if (filename->name[0] == '\0')
1542                         pathbuf = kasprintf(GFP_TEMPORARY, "/dev/fd/%d", fd);
1543                 else
1544                         pathbuf = kasprintf(GFP_TEMPORARY, "/dev/fd/%d/%s",
1545                                             fd, filename->name);
1546                 if (!pathbuf) {
1547                         retval = -ENOMEM;
1548                         goto out_unmark;
1549                 }
1550                 /*
1551                  * Record that a name derived from an O_CLOEXEC fd will be
1552                  * inaccessible after exec. Relies on having exclusive access to
1553                  * current->files (due to unshare_files above).
1554                  */
1555                 if (close_on_exec(fd, rcu_dereference_raw(current->files->fdt)))
1556                         bprm->interp_flags |= BINPRM_FLAGS_PATH_INACCESSIBLE;
1557                 bprm->filename = pathbuf;
1558         }
1559         bprm->interp = bprm->filename;
1560 
1561         retval = bprm_mm_init(bprm);
1562         if (retval)
1563                 goto out_unmark;
1564 
1565         bprm->argc = count(argv, MAX_ARG_STRINGS);
1566         if ((retval = bprm->argc) < 0)
1567                 goto out;
1568 
1569         bprm->envc = count(envp, MAX_ARG_STRINGS);
1570         if ((retval = bprm->envc) < 0)
1571                 goto out;
1572 
1573         retval = prepare_binprm(bprm);
1574         if (retval < 0)
1575                 goto out;
1576 
1577         retval = copy_strings_kernel(1, &bprm->filename, bprm);
1578         if (retval < 0)
1579                 goto out;
1580 
1581         bprm->exec = bprm->p;
1582         retval = copy_strings(bprm->envc, envp, bprm);
1583         if (retval < 0)
1584                 goto out;
1585 
1586         retval = copy_strings(bprm->argc, argv, bprm);
1587         if (retval < 0)
1588                 goto out;
1589 
1590         retval = exec_binprm(bprm);
1591         if (retval < 0)
1592                 goto out;
1593 
1594         /* execve succeeded */
1595         current->fs->in_exec = 0;
1596         current->in_execve = 0;
1597         acct_update_integrals(current);
1598         task_numa_free(current);
1599         free_bprm(bprm);
1600         kfree(pathbuf);
1601         putname(filename);
1602         if (displaced)
1603                 put_files_struct(displaced);
1604         return retval;
1605 
1606 out:
1607         if (bprm->mm) {
1608                 acct_arg_size(bprm, 0);
1609                 mmput(bprm->mm);
1610         }
1611 
1612 out_unmark:
1613         current->fs->in_exec = 0;
1614         current->in_execve = 0;
1615 
1616 out_free:
1617         free_bprm(bprm);
1618         kfree(pathbuf);
1619 
1620 out_files:
1621         if (displaced)
1622                 reset_files_struct(displaced);
1623 out_ret:
1624         putname(filename);
1625         return retval;
1626 }
1627 
1628 int do_execve(struct filename *filename,
     /* [previous][next][first][last][top][bottom][index][help] [+1628 fs/exec.c] */
1629         const char __user *const __user *__argv,
1630         const char __user *const __user *__envp)
1631 {
1632         struct user_arg_ptr argv = { .ptr.native = __argv };
1633         struct user_arg_ptr envp = { .ptr.native = __envp };
1634         return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
1635 }
1636 
1637 int do_execveat(int fd, struct filename *filename,
     /* [previous][next][first][last][top][bottom][index][help] [+1637 fs/exec.c] */
1638                 const char __user *const __user *__argv,
1639                 const char __user *const __user *__envp,
1640                 int flags)
1641 {
1642         struct user_arg_ptr argv = { .ptr.native = __argv };
1643         struct user_arg_ptr envp = { .ptr.native = __envp };
1644 
1645         return do_execveat_common(fd, filename, argv, envp, flags);
1646 }
1647 
1648 #ifdef CONFIG_COMPAT
1649 static int compat_do_execve(struct filename *filename,
     /* [previous][next][first][last][top][bottom][index][help] [+1649 fs/exec.c] */
1650         const compat_uptr_t __user *__argv,
1651         const compat_uptr_t __user *__envp)
1652 {
1653         struct user_arg_ptr argv = {
1654                 .is_compat = true,
1655                 .ptr.compat = __argv,
1656         };
1657         struct user_arg_ptr envp = {
1658                 .is_compat = true,
1659                 .ptr.compat = __envp,
1660         };
1661         return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
1662 }
1663 
1664 static int compat_do_execveat(int fd, struct filename *filename,
     /* [previous][next][first][last][top][bottom][index][help] [+1664 fs/exec.c] */
1665                               const compat_uptr_t __user *__argv,
1666                               const compat_uptr_t __user *__envp,
1667                               int flags)
1668 {
1669         struct user_arg_ptr argv = {
1670                 .is_compat = true,
1671                 .ptr.compat = __argv,
1672         };
1673         struct user_arg_ptr envp = {
1674                 .is_compat = true,
1675                 .ptr.compat = __envp,
1676         };
1677         return do_execveat_common(fd, filename, argv, envp, flags);
1678 }
1679 #endif
1680 
1681 void set_binfmt(struct linux_binfmt *new)
     /* [previous][next][first][last][top][bottom][index][help] [+1681 fs/exec.c] */
1682 {
1683         struct mm_struct *mm = current->mm;
1684 
1685         if (mm->binfmt)
1686                 module_put(mm->binfmt->module);
1687 
1688         mm->binfmt = new;
1689         if (new)
1690                 __module_get(new->module);
1691 }
1692 EXPORT_SYMBOL(set_binfmt);
1693 
1694 /*
1695  * set_dumpable stores three-value SUID_DUMP_* into mm->flags.
1696  */
1697 void set_dumpable(struct mm_struct *mm, int value)
     /* [previous][next][first][last][top][bottom][index][help] [+1697 fs/exec.c] */
1698 {
1699         unsigned long old, new;
1700 
1701         if (WARN_ON((unsigned)value > SUID_DUMP_ROOT))
1702                 return;
1703 
1704         do {
1705                 old = ACCESS_ONCE(mm->flags);
1706                 new = (old & ~MMF_DUMPABLE_MASK) | value;
1707         } while (cmpxchg(&mm->flags, old, new) != old);
1708 }
1709 
1710 SYSCALL_DEFINE3(execve,
     /* [previous][next][first][last][top][bottom][index][help] [+1710 fs/exec.c] */
1711                 const char __user *, filename,
1712                 const char __user *const __user *, argv,
1713                 const char __user *const __user *, envp)
1714 {
1715         return do_execve(getname(filename), argv, envp);
1716 }
1717 
1718 SYSCALL_DEFINE5(execveat,
     /* [previous][next][first][last][top][bottom][index][help] [+1718 fs/exec.c] */
1719                 int, fd, const char __user *, filename,
1720                 const char __user *const __user *, argv,
1721                 const char __user *const __user *, envp,
1722                 int, flags)
1723 {
1724         int lookup_flags = (flags & AT_EMPTY_PATH) ? LOOKUP_EMPTY : 0;
1725 
1726         return do_execveat(fd,
1727                            getname_flags(filename, lookup_flags, NULL),
1728                            argv, envp, flags);
1729 }
1730 
1731 #ifdef CONFIG_COMPAT
1732 COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename,
     /* [previous][next][first][last][top][bottom][index][help] [+1732 fs/exec.c] */
1733         const compat_uptr_t __user *, argv,
1734         const compat_uptr_t __user *, envp)
1735 {
1736         return compat_do_execve(getname(filename), argv, envp);
1737 }
1738 
1739 COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
     /* [previous][next][first][last][top][bottom][index][help] [+1739 fs/exec.c] */
1740                        const char __user *, filename,
1741                        const compat_uptr_t __user *, argv,
1742                        const compat_uptr_t __user *, envp,
1743                        int,  flags)
1744 {
1745         int lookup_flags = (flags & AT_EMPTY_PATH) ? LOOKUP_EMPTY : 0;
1746 
1747         return compat_do_execveat(fd,
1748                                   getname_flags(filename, lookup_flags, NULL),
1749                                   argv, envp, flags);
1750 }
1751 #endif

/* [previous][next][first][last][top][bottom][index][help] [+1751 fs/exec.c] */