aboutsummaryrefslogtreecommitdiffstats
path: root/fs/exec.c
diff options
context:
space:
mode:
authorMichal Marek <mmarek@suse.cz>2011-03-09 10:15:44 -0500
committerMichal Marek <mmarek@suse.cz>2011-03-09 10:15:44 -0500
commit2d8ad8719591fa803b0d589ed057fa46f49b7155 (patch)
tree4ae051577dad1161c91dafbf4207bb10a9dc91bb /fs/exec.c
parent9b4ce7bce5f30712fd926ab4599a803314a07719 (diff)
parentc56eb8fb6dccb83d9fe62fd4dc00c834de9bc470 (diff)
Merge commit 'v2.6.38-rc1' into kbuild/packaging
Diffstat (limited to 'fs/exec.c')
-rw-r--r--fs/exec.c573
1 files changed, 380 insertions, 193 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 675c3f44c2ea..c62efcb959c7 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -28,7 +28,6 @@
28#include <linux/mm.h> 28#include <linux/mm.h>
29#include <linux/stat.h> 29#include <linux/stat.h>
30#include <linux/fcntl.h> 30#include <linux/fcntl.h>
31#include <linux/smp_lock.h>
32#include <linux/swap.h> 31#include <linux/swap.h>
33#include <linux/string.h> 32#include <linux/string.h>
34#include <linux/init.h> 33#include <linux/init.h>
@@ -55,6 +54,7 @@
55#include <linux/fsnotify.h> 54#include <linux/fsnotify.h>
56#include <linux/fs_struct.h> 55#include <linux/fs_struct.h>
57#include <linux/pipe_fs_i.h> 56#include <linux/pipe_fs_i.h>
57#include <linux/oom.h>
58 58
59#include <asm/uaccess.h> 59#include <asm/uaccess.h>
60#include <asm/mmu_context.h> 60#include <asm/mmu_context.h>
@@ -66,6 +66,12 @@ char core_pattern[CORENAME_MAX_SIZE] = "core";
66unsigned int core_pipe_limit; 66unsigned int core_pipe_limit;
67int suid_dumpable = 0; 67int suid_dumpable = 0;
68 68
69struct core_name {
70 char *corename;
71 int used, size;
72};
73static atomic_t call_count = ATOMIC_INIT(1);
74
69/* The maximal length of core_pattern is also specified in sysctl.c */ 75/* The maximal length of core_pattern is also specified in sysctl.c */
70 76
71static LIST_HEAD(formats); 77static LIST_HEAD(formats);
@@ -129,7 +135,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
129 if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) 135 if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
130 goto exit; 136 goto exit;
131 137
132 fsnotify_open(file->f_path.dentry); 138 fsnotify_open(file);
133 139
134 error = -ENOEXEC; 140 error = -ENOEXEC;
135 if(file->f_op) { 141 if(file->f_op) {
@@ -158,7 +164,26 @@ out:
158 164
159#ifdef CONFIG_MMU 165#ifdef CONFIG_MMU
160 166
161static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, 167void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
168{
169 struct mm_struct *mm = current->mm;
170 long diff = (long)(pages - bprm->vma_pages);
171
172 if (!mm || !diff)
173 return;
174
175 bprm->vma_pages = pages;
176
177#ifdef SPLIT_RSS_COUNTING
178 add_mm_counter(mm, MM_ANONPAGES, diff);
179#else
180 spin_lock(&mm->page_table_lock);
181 add_mm_counter(mm, MM_ANONPAGES, diff);
182 spin_unlock(&mm->page_table_lock);
183#endif
184}
185
186struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
162 int write) 187 int write)
163{ 188{
164 struct page *page; 189 struct page *page;
@@ -180,6 +205,8 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
180 unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; 205 unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
181 struct rlimit *rlim; 206 struct rlimit *rlim;
182 207
208 acct_arg_size(bprm, size / PAGE_SIZE);
209
183 /* 210 /*
184 * We've historically supported up to 32 pages (ARG_MAX) 211 * We've historically supported up to 32 pages (ARG_MAX)
185 * of argument strings even with small stacks 212 * of argument strings even with small stacks
@@ -195,7 +222,7 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
195 * to work from. 222 * to work from.
196 */ 223 */
197 rlim = current->signal->rlim; 224 rlim = current->signal->rlim;
198 if (size > rlim[RLIMIT_STACK].rlim_cur / 4) { 225 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
199 put_page(page); 226 put_page(page);
200 return NULL; 227 return NULL;
201 } 228 }
@@ -242,10 +269,17 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
242 * use STACK_TOP because that can depend on attributes which aren't 269 * use STACK_TOP because that can depend on attributes which aren't
243 * configured yet. 270 * configured yet.
244 */ 271 */
272 BUG_ON(VM_STACK_FLAGS & VM_STACK_INCOMPLETE_SETUP);
245 vma->vm_end = STACK_TOP_MAX; 273 vma->vm_end = STACK_TOP_MAX;
246 vma->vm_start = vma->vm_end - PAGE_SIZE; 274 vma->vm_start = vma->vm_end - PAGE_SIZE;
247 vma->vm_flags = VM_STACK_FLAGS; 275 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
248 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); 276 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
277 INIT_LIST_HEAD(&vma->anon_vma_chain);
278
279 err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
280 if (err)
281 goto err;
282
249 err = insert_vm_struct(mm, vma); 283 err = insert_vm_struct(mm, vma);
250 if (err) 284 if (err)
251 goto err; 285 goto err;
@@ -268,7 +302,11 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
268 302
269#else 303#else
270 304
271static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, 305void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
306{
307}
308
309struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
272 int write) 310 int write)
273{ 311{
274 struct page *page; 312 struct page *page;
@@ -360,13 +398,13 @@ err:
360/* 398/*
361 * count() counts the number of strings in array ARGV. 399 * count() counts the number of strings in array ARGV.
362 */ 400 */
363static int count(char __user * __user * argv, int max) 401static int count(const char __user * const __user * argv, int max)
364{ 402{
365 int i = 0; 403 int i = 0;
366 404
367 if (argv != NULL) { 405 if (argv != NULL) {
368 for (;;) { 406 for (;;) {
369 char __user * p; 407 const char __user * p;
370 408
371 if (get_user(p, argv)) 409 if (get_user(p, argv))
372 return -EFAULT; 410 return -EFAULT;
@@ -375,6 +413,9 @@ static int count(char __user * __user * argv, int max)
375 argv++; 413 argv++;
376 if (i++ >= max) 414 if (i++ >= max)
377 return -E2BIG; 415 return -E2BIG;
416
417 if (fatal_signal_pending(current))
418 return -ERESTARTNOHAND;
378 cond_resched(); 419 cond_resched();
379 } 420 }
380 } 421 }
@@ -386,7 +427,7 @@ static int count(char __user * __user * argv, int max)
386 * processes's memory to the new process's stack. The call to get_user_pages() 427 * processes's memory to the new process's stack. The call to get_user_pages()
387 * ensures the destination page is created and not swapped out. 428 * ensures the destination page is created and not swapped out.
388 */ 429 */
389static int copy_strings(int argc, char __user * __user * argv, 430static int copy_strings(int argc, const char __user *const __user *argv,
390 struct linux_binprm *bprm) 431 struct linux_binprm *bprm)
391{ 432{
392 struct page *kmapped_page = NULL; 433 struct page *kmapped_page = NULL;
@@ -395,7 +436,7 @@ static int copy_strings(int argc, char __user * __user * argv,
395 int ret; 436 int ret;
396 437
397 while (argc-- > 0) { 438 while (argc-- > 0) {
398 char __user *str; 439 const char __user *str;
399 int len; 440 int len;
400 unsigned long pos; 441 unsigned long pos;
401 442
@@ -418,6 +459,12 @@ static int copy_strings(int argc, char __user * __user * argv,
418 while (len > 0) { 459 while (len > 0) {
419 int offset, bytes_to_copy; 460 int offset, bytes_to_copy;
420 461
462 if (fatal_signal_pending(current)) {
463 ret = -ERESTARTNOHAND;
464 goto out;
465 }
466 cond_resched();
467
421 offset = pos % PAGE_SIZE; 468 offset = pos % PAGE_SIZE;
422 if (offset == 0) 469 if (offset == 0)
423 offset = PAGE_SIZE; 470 offset = PAGE_SIZE;
@@ -469,12 +516,13 @@ out:
469/* 516/*
470 * Like copy_strings, but get argv and its values from kernel memory. 517 * Like copy_strings, but get argv and its values from kernel memory.
471 */ 518 */
472int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm) 519int copy_strings_kernel(int argc, const char *const *argv,
520 struct linux_binprm *bprm)
473{ 521{
474 int r; 522 int r;
475 mm_segment_t oldfs = get_fs(); 523 mm_segment_t oldfs = get_fs();
476 set_fs(KERNEL_DS); 524 set_fs(KERNEL_DS);
477 r = copy_strings(argc, (char __user * __user *)argv, bprm); 525 r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
478 set_fs(oldfs); 526 set_fs(oldfs);
479 return r; 527 return r;
480} 528}
@@ -516,7 +564,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
516 /* 564 /*
517 * cover the whole range: [new_start, old_end) 565 * cover the whole range: [new_start, old_end)
518 */ 566 */
519 vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL); 567 if (vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL))
568 return -ENOMEM;
520 569
521 /* 570 /*
522 * move the page tables downwards, on failure we rely on 571 * move the page tables downwards, on failure we rely on
@@ -547,15 +596,13 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
547 tlb_finish_mmu(tlb, new_end, old_end); 596 tlb_finish_mmu(tlb, new_end, old_end);
548 597
549 /* 598 /*
550 * shrink the vma to just the new range. 599 * Shrink the vma to just the new range. Always succeeds.
551 */ 600 */
552 vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL); 601 vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL);
553 602
554 return 0; 603 return 0;
555} 604}
556 605
557#define EXTRA_STACK_VM_PAGES 20 /* random */
558
559/* 606/*
560 * Finalizes the stack vm_area_struct. The flags and permissions are updated, 607 * Finalizes the stack vm_area_struct. The flags and permissions are updated,
561 * the stack is optionally relocated, and some extra space is added. 608 * the stack is optionally relocated, and some extra space is added.
@@ -571,10 +618,13 @@ int setup_arg_pages(struct linux_binprm *bprm,
571 struct vm_area_struct *prev = NULL; 618 struct vm_area_struct *prev = NULL;
572 unsigned long vm_flags; 619 unsigned long vm_flags;
573 unsigned long stack_base; 620 unsigned long stack_base;
621 unsigned long stack_size;
622 unsigned long stack_expand;
623 unsigned long rlim_stack;
574 624
575#ifdef CONFIG_STACK_GROWSUP 625#ifdef CONFIG_STACK_GROWSUP
576 /* Limit stack size to 1GB */ 626 /* Limit stack size to 1GB */
577 stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max; 627 stack_base = rlimit_max(RLIMIT_STACK);
578 if (stack_base > (1 << 30)) 628 if (stack_base > (1 << 30))
579 stack_base = 1 << 30; 629 stack_base = 1 << 30;
580 630
@@ -590,6 +640,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
590#else 640#else
591 stack_top = arch_align_stack(stack_top); 641 stack_top = arch_align_stack(stack_top);
592 stack_top = PAGE_ALIGN(stack_top); 642 stack_top = PAGE_ALIGN(stack_top);
643
644 if (unlikely(stack_top < mmap_min_addr) ||
645 unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
646 return -ENOMEM;
647
593 stack_shift = vma->vm_end - stack_top; 648 stack_shift = vma->vm_end - stack_top;
594 649
595 bprm->p -= stack_shift; 650 bprm->p -= stack_shift;
@@ -613,6 +668,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
613 else if (executable_stack == EXSTACK_DISABLE_X) 668 else if (executable_stack == EXSTACK_DISABLE_X)
614 vm_flags &= ~VM_EXEC; 669 vm_flags &= ~VM_EXEC;
615 vm_flags |= mm->def_flags; 670 vm_flags |= mm->def_flags;
671 vm_flags |= VM_STACK_INCOMPLETE_SETUP;
616 672
617 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, 673 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
618 vm_flags); 674 vm_flags);
@@ -627,11 +683,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
627 goto out_unlock; 683 goto out_unlock;
628 } 684 }
629 685
686 /* mprotect_fixup is overkill to remove the temporary stack flags */
687 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
688
689 stack_expand = 131072UL; /* randomly 32*4k (or 2*64k) pages */
690 stack_size = vma->vm_end - vma->vm_start;
691 /*
692 * Align this down to a page boundary as expand_stack
693 * will align it up.
694 */
695 rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
630#ifdef CONFIG_STACK_GROWSUP 696#ifdef CONFIG_STACK_GROWSUP
631 stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE; 697 if (stack_size + stack_expand > rlim_stack)
698 stack_base = vma->vm_start + rlim_stack;
699 else
700 stack_base = vma->vm_end + stack_expand;
632#else 701#else
633 stack_base = vma->vm_start - EXTRA_STACK_VM_PAGES * PAGE_SIZE; 702 if (stack_size + stack_expand > rlim_stack)
703 stack_base = vma->vm_end - rlim_stack;
704 else
705 stack_base = vma->vm_start - stack_expand;
634#endif 706#endif
707 current->mm->start_stack = bprm->p;
635 ret = expand_stack(vma, stack_base); 708 ret = expand_stack(vma, stack_base);
636 if (ret) 709 if (ret)
637 ret = -EFAULT; 710 ret = -EFAULT;
@@ -662,7 +735,7 @@ struct file *open_exec(const char *name)
662 if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) 735 if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
663 goto exit; 736 goto exit;
664 737
665 fsnotify_open(file->f_path.dentry); 738 fsnotify_open(file);
666 739
667 err = deny_write_access(file); 740 err = deny_write_access(file);
668 if (err) 741 if (err)
@@ -702,6 +775,7 @@ static int exec_mmap(struct mm_struct *mm)
702 /* Notify parent that we're no longer interested in the old VM */ 775 /* Notify parent that we're no longer interested in the old VM */
703 tsk = current; 776 tsk = current;
704 old_mm = current->mm; 777 old_mm = current->mm;
778 sync_mm_rss(tsk, old_mm);
705 mm_release(tsk, old_mm); 779 mm_release(tsk, old_mm);
706 780
707 if (old_mm) { 781 if (old_mm) {
@@ -722,6 +796,10 @@ static int exec_mmap(struct mm_struct *mm)
722 tsk->mm = mm; 796 tsk->mm = mm;
723 tsk->active_mm = mm; 797 tsk->active_mm = mm;
724 activate_mm(active_mm, mm); 798 activate_mm(active_mm, mm);
799 if (old_mm && tsk->signal->oom_score_adj == OOM_SCORE_ADJ_MIN) {
800 atomic_dec(&old_mm->oom_disable_count);
801 atomic_inc(&tsk->mm->oom_disable_count);
802 }
725 task_unlock(tsk); 803 task_unlock(tsk);
726 arch_pick_mmap_layout(mm); 804 arch_pick_mmap_layout(mm);
727 if (old_mm) { 805 if (old_mm) {
@@ -746,7 +824,6 @@ static int de_thread(struct task_struct *tsk)
746 struct signal_struct *sig = tsk->signal; 824 struct signal_struct *sig = tsk->signal;
747 struct sighand_struct *oldsighand = tsk->sighand; 825 struct sighand_struct *oldsighand = tsk->sighand;
748 spinlock_t *lock = &oldsighand->siglock; 826 spinlock_t *lock = &oldsighand->siglock;
749 int count;
750 827
751 if (thread_group_empty(tsk)) 828 if (thread_group_empty(tsk))
752 goto no_thread_group; 829 goto no_thread_group;
@@ -763,13 +840,13 @@ static int de_thread(struct task_struct *tsk)
763 spin_unlock_irq(lock); 840 spin_unlock_irq(lock);
764 return -EAGAIN; 841 return -EAGAIN;
765 } 842 }
843
766 sig->group_exit_task = tsk; 844 sig->group_exit_task = tsk;
767 zap_other_threads(tsk); 845 sig->notify_count = zap_other_threads(tsk);
846 if (!thread_group_leader(tsk))
847 sig->notify_count--;
768 848
769 /* Account for the thread group leader hanging around: */ 849 while (sig->notify_count) {
770 count = thread_group_leader(tsk) ? 1 : 2;
771 sig->notify_count = count;
772 while (atomic_read(&sig->count) > count) {
773 __set_current_state(TASK_UNINTERRUPTIBLE); 850 __set_current_state(TASK_UNINTERRUPTIBLE);
774 spin_unlock_irq(lock); 851 spin_unlock_irq(lock);
775 schedule(); 852 schedule();
@@ -956,11 +1033,17 @@ int flush_old_exec(struct linux_binprm * bprm)
956 /* 1033 /*
957 * Release all of the old mmap stuff 1034 * Release all of the old mmap stuff
958 */ 1035 */
1036 acct_arg_size(bprm, 0);
959 retval = exec_mmap(bprm->mm); 1037 retval = exec_mmap(bprm->mm);
960 if (retval) 1038 if (retval)
961 goto out; 1039 goto out;
962 1040
963 bprm->mm = NULL; /* We're using it now */ 1041 bprm->mm = NULL; /* We're using it now */
1042
1043 current->flags &= ~(PF_RANDOMIZE | PF_KTHREAD);
1044 flush_thread();
1045 current->personality &= ~bprm->per_clear;
1046
964 return 0; 1047 return 0;
965 1048
966out: 1049out:
@@ -971,7 +1054,7 @@ EXPORT_SYMBOL(flush_old_exec);
971void setup_new_exec(struct linux_binprm * bprm) 1054void setup_new_exec(struct linux_binprm * bprm)
972{ 1055{
973 int i, ch; 1056 int i, ch;
974 char * name; 1057 const char *name;
975 char tcomm[sizeof(current->comm)]; 1058 char tcomm[sizeof(current->comm)];
976 1059
977 arch_pick_mmap_layout(current->mm); 1060 arch_pick_mmap_layout(current->mm);
@@ -997,9 +1080,6 @@ void setup_new_exec(struct linux_binprm * bprm)
997 tcomm[i] = '\0'; 1080 tcomm[i] = '\0';
998 set_task_comm(current, tcomm); 1081 set_task_comm(current, tcomm);
999 1082
1000 current->flags &= ~PF_RANDOMIZE;
1001 flush_thread();
1002
1003 /* Set the new mm task size. We have to do that late because it may 1083 /* Set the new mm task size. We have to do that late because it may
1004 * depend on TIF_32BIT which is only updated in flush_thread() on 1084 * depend on TIF_32BIT which is only updated in flush_thread() on
1005 * some architectures like powerpc 1085 * some architectures like powerpc
@@ -1015,8 +1095,6 @@ void setup_new_exec(struct linux_binprm * bprm)
1015 set_dumpable(current->mm, suid_dumpable); 1095 set_dumpable(current->mm, suid_dumpable);
1016 } 1096 }
1017 1097
1018 current->personality &= ~bprm->per_clear;
1019
1020 /* 1098 /*
1021 * Flush performance counters when crossing a 1099 * Flush performance counters when crossing a
1022 * security domain: 1100 * security domain:
@@ -1042,14 +1120,14 @@ EXPORT_SYMBOL(setup_new_exec);
1042 */ 1120 */
1043int prepare_bprm_creds(struct linux_binprm *bprm) 1121int prepare_bprm_creds(struct linux_binprm *bprm)
1044{ 1122{
1045 if (mutex_lock_interruptible(&current->cred_guard_mutex)) 1123 if (mutex_lock_interruptible(&current->signal->cred_guard_mutex))
1046 return -ERESTARTNOINTR; 1124 return -ERESTARTNOINTR;
1047 1125
1048 bprm->cred = prepare_exec_creds(); 1126 bprm->cred = prepare_exec_creds();
1049 if (likely(bprm->cred)) 1127 if (likely(bprm->cred))
1050 return 0; 1128 return 0;
1051 1129
1052 mutex_unlock(&current->cred_guard_mutex); 1130 mutex_unlock(&current->signal->cred_guard_mutex);
1053 return -ENOMEM; 1131 return -ENOMEM;
1054} 1132}
1055 1133
@@ -1057,7 +1135,7 @@ void free_bprm(struct linux_binprm *bprm)
1057{ 1135{
1058 free_arg_pages(bprm); 1136 free_arg_pages(bprm);
1059 if (bprm->cred) { 1137 if (bprm->cred) {
1060 mutex_unlock(&current->cred_guard_mutex); 1138 mutex_unlock(&current->signal->cred_guard_mutex);
1061 abort_creds(bprm->cred); 1139 abort_creds(bprm->cred);
1062 } 1140 }
1063 kfree(bprm); 1141 kfree(bprm);
@@ -1078,13 +1156,13 @@ void install_exec_creds(struct linux_binprm *bprm)
1078 * credentials; any time after this it may be unlocked. 1156 * credentials; any time after this it may be unlocked.
1079 */ 1157 */
1080 security_bprm_committed_creds(bprm); 1158 security_bprm_committed_creds(bprm);
1081 mutex_unlock(&current->cred_guard_mutex); 1159 mutex_unlock(&current->signal->cred_guard_mutex);
1082} 1160}
1083EXPORT_SYMBOL(install_exec_creds); 1161EXPORT_SYMBOL(install_exec_creds);
1084 1162
1085/* 1163/*
1086 * determine how safe it is to execute the proposed program 1164 * determine how safe it is to execute the proposed program
1087 * - the caller must hold current->cred_guard_mutex to protect against 1165 * - the caller must hold ->cred_guard_mutex to protect against
1088 * PTRACE_ATTACH 1166 * PTRACE_ATTACH
1089 */ 1167 */
1090int check_unsafe_exec(struct linux_binprm *bprm) 1168int check_unsafe_exec(struct linux_binprm *bprm)
@@ -1096,7 +1174,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
1096 bprm->unsafe = tracehook_unsafe_exec(p); 1174 bprm->unsafe = tracehook_unsafe_exec(p);
1097 1175
1098 n_fs = 1; 1176 n_fs = 1;
1099 write_lock(&p->fs->lock); 1177 spin_lock(&p->fs->lock);
1100 rcu_read_lock(); 1178 rcu_read_lock();
1101 for (t = next_thread(p); t != p; t = next_thread(t)) { 1179 for (t = next_thread(p); t != p; t = next_thread(t)) {
1102 if (t->fs == p->fs) 1180 if (t->fs == p->fs)
@@ -1113,7 +1191,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
1113 res = 1; 1191 res = 1;
1114 } 1192 }
1115 } 1193 }
1116 write_unlock(&p->fs->lock); 1194 spin_unlock(&p->fs->lock);
1117 1195
1118 return res; 1196 return res;
1119} 1197}
@@ -1295,9 +1373,9 @@ EXPORT_SYMBOL(search_binary_handler);
1295/* 1373/*
1296 * sys_execve() executes a new program. 1374 * sys_execve() executes a new program.
1297 */ 1375 */
1298int do_execve(char * filename, 1376int do_execve(const char * filename,
1299 char __user *__user *argv, 1377 const char __user *const __user *argv,
1300 char __user *__user *envp, 1378 const char __user *const __user *envp,
1301 struct pt_regs * regs) 1379 struct pt_regs * regs)
1302{ 1380{
1303 struct linux_binprm *bprm; 1381 struct linux_binprm *bprm;
@@ -1365,13 +1443,10 @@ int do_execve(char * filename,
1365 if (retval < 0) 1443 if (retval < 0)
1366 goto out; 1444 goto out;
1367 1445
1368 current->flags &= ~PF_KTHREAD;
1369 retval = search_binary_handler(bprm,regs); 1446 retval = search_binary_handler(bprm,regs);
1370 if (retval < 0) 1447 if (retval < 0)
1371 goto out; 1448 goto out;
1372 1449
1373 current->stack_start = current->mm->start_stack;
1374
1375 /* execve succeeded */ 1450 /* execve succeeded */
1376 current->fs->in_exec = 0; 1451 current->fs->in_exec = 0;
1377 current->in_execve = 0; 1452 current->in_execve = 0;
@@ -1382,8 +1457,10 @@ int do_execve(char * filename,
1382 return retval; 1457 return retval;
1383 1458
1384out: 1459out:
1385 if (bprm->mm) 1460 if (bprm->mm) {
1386 mmput (bprm->mm); 1461 acct_arg_size(bprm, 0);
1462 mmput(bprm->mm);
1463 }
1387 1464
1388out_file: 1465out_file:
1389 if (bprm->file) { 1466 if (bprm->file) {
@@ -1420,136 +1497,158 @@ void set_binfmt(struct linux_binfmt *new)
1420 1497
1421EXPORT_SYMBOL(set_binfmt); 1498EXPORT_SYMBOL(set_binfmt);
1422 1499
1500static int expand_corename(struct core_name *cn)
1501{
1502 char *old_corename = cn->corename;
1503
1504 cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
1505 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
1506
1507 if (!cn->corename) {
1508 kfree(old_corename);
1509 return -ENOMEM;
1510 }
1511
1512 return 0;
1513}
1514
1515static int cn_printf(struct core_name *cn, const char *fmt, ...)
1516{
1517 char *cur;
1518 int need;
1519 int ret;
1520 va_list arg;
1521
1522 va_start(arg, fmt);
1523 need = vsnprintf(NULL, 0, fmt, arg);
1524 va_end(arg);
1525
1526 if (likely(need < cn->size - cn->used - 1))
1527 goto out_printf;
1528
1529 ret = expand_corename(cn);
1530 if (ret)
1531 goto expand_fail;
1532
1533out_printf:
1534 cur = cn->corename + cn->used;
1535 va_start(arg, fmt);
1536 vsnprintf(cur, need + 1, fmt, arg);
1537 va_end(arg);
1538 cn->used += need;
1539 return 0;
1540
1541expand_fail:
1542 return ret;
1543}
1544
1423/* format_corename will inspect the pattern parameter, and output a 1545/* format_corename will inspect the pattern parameter, and output a
1424 * name into corename, which must have space for at least 1546 * name into corename, which must have space for at least
1425 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator. 1547 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
1426 */ 1548 */
1427static int format_corename(char *corename, long signr) 1549static int format_corename(struct core_name *cn, long signr)
1428{ 1550{
1429 const struct cred *cred = current_cred(); 1551 const struct cred *cred = current_cred();
1430 const char *pat_ptr = core_pattern; 1552 const char *pat_ptr = core_pattern;
1431 int ispipe = (*pat_ptr == '|'); 1553 int ispipe = (*pat_ptr == '|');
1432 char *out_ptr = corename;
1433 char *const out_end = corename + CORENAME_MAX_SIZE;
1434 int rc;
1435 int pid_in_pattern = 0; 1554 int pid_in_pattern = 0;
1555 int err = 0;
1556
1557 cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
1558 cn->corename = kmalloc(cn->size, GFP_KERNEL);
1559 cn->used = 0;
1560
1561 if (!cn->corename)
1562 return -ENOMEM;
1436 1563
1437 /* Repeat as long as we have more pattern to process and more output 1564 /* Repeat as long as we have more pattern to process and more output
1438 space */ 1565 space */
1439 while (*pat_ptr) { 1566 while (*pat_ptr) {
1440 if (*pat_ptr != '%') { 1567 if (*pat_ptr != '%') {
1441 if (out_ptr == out_end) 1568 if (*pat_ptr == 0)
1442 goto out; 1569 goto out;
1443 *out_ptr++ = *pat_ptr++; 1570 err = cn_printf(cn, "%c", *pat_ptr++);
1444 } else { 1571 } else {
1445 switch (*++pat_ptr) { 1572 switch (*++pat_ptr) {
1573 /* single % at the end, drop that */
1446 case 0: 1574 case 0:
1447 goto out; 1575 goto out;
1448 /* Double percent, output one percent */ 1576 /* Double percent, output one percent */
1449 case '%': 1577 case '%':
1450 if (out_ptr == out_end) 1578 err = cn_printf(cn, "%c", '%');
1451 goto out;
1452 *out_ptr++ = '%';
1453 break; 1579 break;
1454 /* pid */ 1580 /* pid */
1455 case 'p': 1581 case 'p':
1456 pid_in_pattern = 1; 1582 pid_in_pattern = 1;
1457 rc = snprintf(out_ptr, out_end - out_ptr, 1583 err = cn_printf(cn, "%d",
1458 "%d", task_tgid_vnr(current)); 1584 task_tgid_vnr(current));
1459 if (rc > out_end - out_ptr)
1460 goto out;
1461 out_ptr += rc;
1462 break; 1585 break;
1463 /* uid */ 1586 /* uid */
1464 case 'u': 1587 case 'u':
1465 rc = snprintf(out_ptr, out_end - out_ptr, 1588 err = cn_printf(cn, "%d", cred->uid);
1466 "%d", cred->uid);
1467 if (rc > out_end - out_ptr)
1468 goto out;
1469 out_ptr += rc;
1470 break; 1589 break;
1471 /* gid */ 1590 /* gid */
1472 case 'g': 1591 case 'g':
1473 rc = snprintf(out_ptr, out_end - out_ptr, 1592 err = cn_printf(cn, "%d", cred->gid);
1474 "%d", cred->gid);
1475 if (rc > out_end - out_ptr)
1476 goto out;
1477 out_ptr += rc;
1478 break; 1593 break;
1479 /* signal that caused the coredump */ 1594 /* signal that caused the coredump */
1480 case 's': 1595 case 's':
1481 rc = snprintf(out_ptr, out_end - out_ptr, 1596 err = cn_printf(cn, "%ld", signr);
1482 "%ld", signr);
1483 if (rc > out_end - out_ptr)
1484 goto out;
1485 out_ptr += rc;
1486 break; 1597 break;
1487 /* UNIX time of coredump */ 1598 /* UNIX time of coredump */
1488 case 't': { 1599 case 't': {
1489 struct timeval tv; 1600 struct timeval tv;
1490 do_gettimeofday(&tv); 1601 do_gettimeofday(&tv);
1491 rc = snprintf(out_ptr, out_end - out_ptr, 1602 err = cn_printf(cn, "%lu", tv.tv_sec);
1492 "%lu", tv.tv_sec);
1493 if (rc > out_end - out_ptr)
1494 goto out;
1495 out_ptr += rc;
1496 break; 1603 break;
1497 } 1604 }
1498 /* hostname */ 1605 /* hostname */
1499 case 'h': 1606 case 'h':
1500 down_read(&uts_sem); 1607 down_read(&uts_sem);
1501 rc = snprintf(out_ptr, out_end - out_ptr, 1608 err = cn_printf(cn, "%s",
1502 "%s", utsname()->nodename); 1609 utsname()->nodename);
1503 up_read(&uts_sem); 1610 up_read(&uts_sem);
1504 if (rc > out_end - out_ptr)
1505 goto out;
1506 out_ptr += rc;
1507 break; 1611 break;
1508 /* executable */ 1612 /* executable */
1509 case 'e': 1613 case 'e':
1510 rc = snprintf(out_ptr, out_end - out_ptr, 1614 err = cn_printf(cn, "%s", current->comm);
1511 "%s", current->comm);
1512 if (rc > out_end - out_ptr)
1513 goto out;
1514 out_ptr += rc;
1515 break; 1615 break;
1516 /* core limit size */ 1616 /* core limit size */
1517 case 'c': 1617 case 'c':
1518 rc = snprintf(out_ptr, out_end - out_ptr, 1618 err = cn_printf(cn, "%lu",
1519 "%lu", current->signal->rlim[RLIMIT_CORE].rlim_cur); 1619 rlimit(RLIMIT_CORE));
1520 if (rc > out_end - out_ptr)
1521 goto out;
1522 out_ptr += rc;
1523 break; 1620 break;
1524 default: 1621 default:
1525 break; 1622 break;
1526 } 1623 }
1527 ++pat_ptr; 1624 ++pat_ptr;
1528 } 1625 }
1626
1627 if (err)
1628 return err;
1529 } 1629 }
1630
1530 /* Backward compatibility with core_uses_pid: 1631 /* Backward compatibility with core_uses_pid:
1531 * 1632 *
1532 * If core_pattern does not include a %p (as is the default) 1633 * If core_pattern does not include a %p (as is the default)
1533 * and core_uses_pid is set, then .%pid will be appended to 1634 * and core_uses_pid is set, then .%pid will be appended to
1534 * the filename. Do not do this for piped commands. */ 1635 * the filename. Do not do this for piped commands. */
1535 if (!ispipe && !pid_in_pattern && core_uses_pid) { 1636 if (!ispipe && !pid_in_pattern && core_uses_pid) {
1536 rc = snprintf(out_ptr, out_end - out_ptr, 1637 err = cn_printf(cn, ".%d", task_tgid_vnr(current));
1537 ".%d", task_tgid_vnr(current)); 1638 if (err)
1538 if (rc > out_end - out_ptr) 1639 return err;
1539 goto out;
1540 out_ptr += rc;
1541 } 1640 }
1542out: 1641out:
1543 *out_ptr = 0;
1544 return ispipe; 1642 return ispipe;
1545} 1643}
1546 1644
1547static int zap_process(struct task_struct *start) 1645static int zap_process(struct task_struct *start, int exit_code)
1548{ 1646{
1549 struct task_struct *t; 1647 struct task_struct *t;
1550 int nr = 0; 1648 int nr = 0;
1551 1649
1552 start->signal->flags = SIGNAL_GROUP_EXIT; 1650 start->signal->flags = SIGNAL_GROUP_EXIT;
1651 start->signal->group_exit_code = exit_code;
1553 start->signal->group_stop_count = 0; 1652 start->signal->group_stop_count = 0;
1554 1653
1555 t = start; 1654 t = start;
@@ -1574,8 +1673,7 @@ static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
1574 spin_lock_irq(&tsk->sighand->siglock); 1673 spin_lock_irq(&tsk->sighand->siglock);
1575 if (!signal_group_exit(tsk->signal)) { 1674 if (!signal_group_exit(tsk->signal)) {
1576 mm->core_state = core_state; 1675 mm->core_state = core_state;
1577 tsk->signal->group_exit_code = exit_code; 1676 nr = zap_process(tsk, exit_code);
1578 nr = zap_process(tsk);
1579 } 1677 }
1580 spin_unlock_irq(&tsk->sighand->siglock); 1678 spin_unlock_irq(&tsk->sighand->siglock);
1581 if (unlikely(nr < 0)) 1679 if (unlikely(nr < 0))
@@ -1624,7 +1722,7 @@ static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
1624 if (p->mm) { 1722 if (p->mm) {
1625 if (unlikely(p->mm == mm)) { 1723 if (unlikely(p->mm == mm)) {
1626 lock_task_sighand(p, &flags); 1724 lock_task_sighand(p, &flags);
1627 nr += zap_process(p); 1725 nr += zap_process(p, exit_code);
1628 unlock_task_sighand(p, &flags); 1726 unlock_task_sighand(p, &flags);
1629 } 1727 }
1630 break; 1728 break;
@@ -1642,12 +1740,15 @@ static int coredump_wait(int exit_code, struct core_state *core_state)
1642 struct task_struct *tsk = current; 1740 struct task_struct *tsk = current;
1643 struct mm_struct *mm = tsk->mm; 1741 struct mm_struct *mm = tsk->mm;
1644 struct completion *vfork_done; 1742 struct completion *vfork_done;
1645 int core_waiters; 1743 int core_waiters = -EBUSY;
1646 1744
1647 init_completion(&core_state->startup); 1745 init_completion(&core_state->startup);
1648 core_state->dumper.task = tsk; 1746 core_state->dumper.task = tsk;
1649 core_state->dumper.next = NULL; 1747 core_state->dumper.next = NULL;
1650 core_waiters = zap_threads(tsk, mm, core_state, exit_code); 1748
1749 down_write(&mm->mmap_sem);
1750 if (!mm->core_state)
1751 core_waiters = zap_threads(tsk, mm, core_state, exit_code);
1651 up_write(&mm->mmap_sem); 1752 up_write(&mm->mmap_sem);
1652 1753
1653 if (unlikely(core_waiters < 0)) 1754 if (unlikely(core_waiters < 0))
@@ -1731,14 +1832,19 @@ void set_dumpable(struct mm_struct *mm, int value)
1731 } 1832 }
1732} 1833}
1733 1834
1734int get_dumpable(struct mm_struct *mm) 1835static int __get_dumpable(unsigned long mm_flags)
1735{ 1836{
1736 int ret; 1837 int ret;
1737 1838
1738 ret = mm->flags & 0x3; 1839 ret = mm_flags & MMF_DUMPABLE_MASK;
1739 return (ret >= 2) ? 2 : ret; 1840 return (ret >= 2) ? 2 : ret;
1740} 1841}
1741 1842
1843int get_dumpable(struct mm_struct *mm)
1844{
1845 return __get_dumpable(mm->flags);
1846}
1847
1742static void wait_for_dump_helpers(struct file *file) 1848static void wait_for_dump_helpers(struct file *file)
1743{ 1849{
1744 struct pipe_inode_info *pipe; 1850 struct pipe_inode_info *pipe;
@@ -1762,26 +1868,72 @@ static void wait_for_dump_helpers(struct file *file)
1762} 1868}
1763 1869
1764 1870
1871/*
1872 * uhm_pipe_setup
1873 * helper function to customize the process used
1874 * to collect the core in userspace. Specifically
1875 * it sets up a pipe and installs it as fd 0 (stdin)
1876 * for the process. Returns 0 on success, or
1877 * PTR_ERR on failure.
1878 * Note that it also sets the core limit to 1. This
1879 * is a special value that we use to trap recursive
1880 * core dumps
1881 */
1882static int umh_pipe_setup(struct subprocess_info *info)
1883{
1884 struct file *rp, *wp;
1885 struct fdtable *fdt;
1886 struct coredump_params *cp = (struct coredump_params *)info->data;
1887 struct files_struct *cf = current->files;
1888
1889 wp = create_write_pipe(0);
1890 if (IS_ERR(wp))
1891 return PTR_ERR(wp);
1892
1893 rp = create_read_pipe(wp, 0);
1894 if (IS_ERR(rp)) {
1895 free_write_pipe(wp);
1896 return PTR_ERR(rp);
1897 }
1898
1899 cp->file = wp;
1900
1901 sys_close(0);
1902 fd_install(0, rp);
1903 spin_lock(&cf->file_lock);
1904 fdt = files_fdtable(cf);
1905 FD_SET(0, fdt->open_fds);
1906 FD_CLR(0, fdt->close_on_exec);
1907 spin_unlock(&cf->file_lock);
1908
1909 /* and disallow core files too */
1910 current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
1911
1912 return 0;
1913}
1914
1765void do_coredump(long signr, int exit_code, struct pt_regs *regs) 1915void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1766{ 1916{
1767 struct core_state core_state; 1917 struct core_state core_state;
1768 char corename[CORENAME_MAX_SIZE + 1]; 1918 struct core_name cn;
1769 struct mm_struct *mm = current->mm; 1919 struct mm_struct *mm = current->mm;
1770 struct linux_binfmt * binfmt; 1920 struct linux_binfmt * binfmt;
1771 struct inode * inode;
1772 const struct cred *old_cred; 1921 const struct cred *old_cred;
1773 struct cred *cred; 1922 struct cred *cred;
1774 int retval = 0; 1923 int retval = 0;
1775 int flag = 0; 1924 int flag = 0;
1776 int ispipe = 0; 1925 int ispipe;
1777 char **helper_argv = NULL;
1778 int helper_argc = 0;
1779 int dump_count = 0;
1780 static atomic_t core_dump_count = ATOMIC_INIT(0); 1926 static atomic_t core_dump_count = ATOMIC_INIT(0);
1781 struct coredump_params cprm = { 1927 struct coredump_params cprm = {
1782 .signr = signr, 1928 .signr = signr,
1783 .regs = regs, 1929 .regs = regs,
1784 .limit = current->signal->rlim[RLIMIT_CORE].rlim_cur, 1930 .limit = rlimit(RLIMIT_CORE),
1931 /*
1932 * We must use the same mm->flags while dumping core to avoid
1933 * inconsistency of bit flags, since this flag is not protected
1934 * by any locks.
1935 */
1936 .mm_flags = mm->flags,
1785 }; 1937 };
1786 1938
1787 audit_core_dumps(signr); 1939 audit_core_dumps(signr);
@@ -1789,38 +1941,26 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1789 binfmt = mm->binfmt; 1941 binfmt = mm->binfmt;
1790 if (!binfmt || !binfmt->core_dump) 1942 if (!binfmt || !binfmt->core_dump)
1791 goto fail; 1943 goto fail;
1792 1944 if (!__get_dumpable(cprm.mm_flags))
1793 cred = prepare_creds();
1794 if (!cred) {
1795 retval = -ENOMEM;
1796 goto fail; 1945 goto fail;
1797 }
1798 1946
1799 down_write(&mm->mmap_sem); 1947 cred = prepare_creds();
1800 /* 1948 if (!cred)
1801 * If another thread got here first, or we are not dumpable, bail out.
1802 */
1803 if (mm->core_state || !get_dumpable(mm)) {
1804 up_write(&mm->mmap_sem);
1805 put_cred(cred);
1806 goto fail; 1949 goto fail;
1807 }
1808
1809 /* 1950 /*
1810 * We cannot trust fsuid as being the "true" uid of the 1951 * We cannot trust fsuid as being the "true" uid of the
1811 * process nor do we know its entire history. We only know it 1952 * process nor do we know its entire history. We only know it
1812 * was tainted so we dump it as root in mode 2. 1953 * was tainted so we dump it as root in mode 2.
1813 */ 1954 */
1814 if (get_dumpable(mm) == 2) { /* Setuid core dump mode */ 1955 if (__get_dumpable(cprm.mm_flags) == 2) {
1956 /* Setuid core dump mode */
1815 flag = O_EXCL; /* Stop rewrite attacks */ 1957 flag = O_EXCL; /* Stop rewrite attacks */
1816 cred->fsuid = 0; /* Dump root private */ 1958 cred->fsuid = 0; /* Dump root private */
1817 } 1959 }
1818 1960
1819 retval = coredump_wait(exit_code, &core_state); 1961 retval = coredump_wait(exit_code, &core_state);
1820 if (retval < 0) { 1962 if (retval < 0)
1821 put_cred(cred); 1963 goto fail_creds;
1822 goto fail;
1823 }
1824 1964
1825 old_cred = override_creds(cred); 1965 old_cred = override_creds(cred);
1826 1966
@@ -1830,27 +1970,27 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1830 */ 1970 */
1831 clear_thread_flag(TIF_SIGPENDING); 1971 clear_thread_flag(TIF_SIGPENDING);
1832 1972
1833 /* 1973 ispipe = format_corename(&cn, signr);
1834 * lock_kernel() because format_corename() is controlled by sysctl, which
1835 * uses lock_kernel()
1836 */
1837 lock_kernel();
1838 ispipe = format_corename(corename, signr);
1839 unlock_kernel();
1840 1974
1841 if ((!ispipe) && (cprm.limit < binfmt->min_coredump)) 1975 if (ispipe == -ENOMEM) {
1842 goto fail_unlock; 1976 printk(KERN_WARNING "format_corename failed\n");
1977 printk(KERN_WARNING "Aborting core\n");
1978 goto fail_corename;
1979 }
1843 1980
1844 if (ispipe) { 1981 if (ispipe) {
1845 if (cprm.limit == 0) { 1982 int dump_count;
1983 char **helper_argv;
1984
1985 if (cprm.limit == 1) {
1846 /* 1986 /*
1847 * Normally core limits are irrelevant to pipes, since 1987 * Normally core limits are irrelevant to pipes, since
1848 * we're not writing to the file system, but we use 1988 * we're not writing to the file system, but we use
1849 * cprm.limit of 0 here as a speacial value. Any 1989 * cprm.limit of 1 here as a speacial value. Any
1850 * non-zero limit gets set to RLIM_INFINITY below, but 1990 * non-1 limit gets set to RLIM_INFINITY below, but
1851 * a limit of 0 skips the dump. This is a consistent 1991 * a limit of 0 skips the dump. This is a consistent
1852 * way to catch recursive crashes. We can still crash 1992 * way to catch recursive crashes. We can still crash
1853 * if the core_pattern binary sets RLIM_CORE = !0 1993 * if the core_pattern binary sets RLIM_CORE = !1
1854 * but it runs as root, and can do lots of stupid things 1994 * but it runs as root, and can do lots of stupid things
1855 * Note that we use task_tgid_vnr here to grab the pid 1995 * Note that we use task_tgid_vnr here to grab the pid
1856 * of the process group leader. That way we get the 1996 * of the process group leader. That way we get the
@@ -1858,11 +1998,12 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1858 * core_pattern process dies. 1998 * core_pattern process dies.
1859 */ 1999 */
1860 printk(KERN_WARNING 2000 printk(KERN_WARNING
1861 "Process %d(%s) has RLIMIT_CORE set to 0\n", 2001 "Process %d(%s) has RLIMIT_CORE set to 1\n",
1862 task_tgid_vnr(current), current->comm); 2002 task_tgid_vnr(current), current->comm);
1863 printk(KERN_WARNING "Aborting core\n"); 2003 printk(KERN_WARNING "Aborting core\n");
1864 goto fail_unlock; 2004 goto fail_unlock;
1865 } 2005 }
2006 cprm.limit = RLIM_INFINITY;
1866 2007
1867 dump_count = atomic_inc_return(&core_dump_count); 2008 dump_count = atomic_inc_return(&core_dump_count);
1868 if (core_pipe_limit && (core_pipe_limit < dump_count)) { 2009 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
@@ -1872,70 +2013,116 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1872 goto fail_dropcount; 2013 goto fail_dropcount;
1873 } 2014 }
1874 2015
1875 helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc); 2016 helper_argv = argv_split(GFP_KERNEL, cn.corename+1, NULL);
1876 if (!helper_argv) { 2017 if (!helper_argv) {
1877 printk(KERN_WARNING "%s failed to allocate memory\n", 2018 printk(KERN_WARNING "%s failed to allocate memory\n",
1878 __func__); 2019 __func__);
1879 goto fail_dropcount; 2020 goto fail_dropcount;
1880 } 2021 }
1881 2022
1882 cprm.limit = RLIM_INFINITY; 2023 retval = call_usermodehelper_fns(helper_argv[0], helper_argv,
1883 2024 NULL, UMH_WAIT_EXEC, umh_pipe_setup,
1884 /* SIGPIPE can happen, but it's just never processed */ 2025 NULL, &cprm);
1885 if (call_usermodehelper_pipe(helper_argv[0], helper_argv, NULL, 2026 argv_free(helper_argv);
1886 &cprm.file)) { 2027 if (retval) {
1887 printk(KERN_INFO "Core dump to %s pipe failed\n", 2028 printk(KERN_INFO "Core dump to %s pipe failed\n",
1888 corename); 2029 cn.corename);
1889 goto fail_dropcount; 2030 goto close_fail;
1890 } 2031 }
1891 } else 2032 } else {
1892 cprm.file = filp_open(corename, 2033 struct inode *inode;
2034
2035 if (cprm.limit < binfmt->min_coredump)
2036 goto fail_unlock;
2037
2038 cprm.file = filp_open(cn.corename,
1893 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 2039 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
1894 0600); 2040 0600);
1895 if (IS_ERR(cprm.file)) 2041 if (IS_ERR(cprm.file))
1896 goto fail_dropcount; 2042 goto fail_unlock;
1897 inode = cprm.file->f_path.dentry->d_inode;
1898 if (inode->i_nlink > 1)
1899 goto close_fail; /* multiple links - don't dump */
1900 if (!ispipe && d_unhashed(cprm.file->f_path.dentry))
1901 goto close_fail;
1902
1903 /* AK: actually i see no reason to not allow this for named pipes etc.,
1904 but keep the previous behaviour for now. */
1905 if (!ispipe && !S_ISREG(inode->i_mode))
1906 goto close_fail;
1907 /*
1908 * Dont allow local users get cute and trick others to coredump
1909 * into their pre-created files:
1910 */
1911 if (inode->i_uid != current_fsuid())
1912 goto close_fail;
1913 if (!cprm.file->f_op)
1914 goto close_fail;
1915 if (!cprm.file->f_op->write)
1916 goto close_fail;
1917 if (!ispipe &&
1918 do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file) != 0)
1919 goto close_fail;
1920 2043
1921 retval = binfmt->core_dump(&cprm); 2044 inode = cprm.file->f_path.dentry->d_inode;
2045 if (inode->i_nlink > 1)
2046 goto close_fail;
2047 if (d_unhashed(cprm.file->f_path.dentry))
2048 goto close_fail;
2049 /*
2050 * AK: actually i see no reason to not allow this for named
2051 * pipes etc, but keep the previous behaviour for now.
2052 */
2053 if (!S_ISREG(inode->i_mode))
2054 goto close_fail;
2055 /*
2056 * Dont allow local users get cute and trick others to coredump
2057 * into their pre-created files.
2058 */
2059 if (inode->i_uid != current_fsuid())
2060 goto close_fail;
2061 if (!cprm.file->f_op || !cprm.file->f_op->write)
2062 goto close_fail;
2063 if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file))
2064 goto close_fail;
2065 }
1922 2066
2067 retval = binfmt->core_dump(&cprm);
1923 if (retval) 2068 if (retval)
1924 current->signal->group_exit_code |= 0x80; 2069 current->signal->group_exit_code |= 0x80;
1925close_fail: 2070
1926 if (ispipe && core_pipe_limit) 2071 if (ispipe && core_pipe_limit)
1927 wait_for_dump_helpers(cprm.file); 2072 wait_for_dump_helpers(cprm.file);
1928 filp_close(cprm.file, NULL); 2073close_fail:
2074 if (cprm.file)
2075 filp_close(cprm.file, NULL);
1929fail_dropcount: 2076fail_dropcount:
1930 if (dump_count) 2077 if (ispipe)
1931 atomic_dec(&core_dump_count); 2078 atomic_dec(&core_dump_count);
1932fail_unlock: 2079fail_unlock:
1933 if (helper_argv) 2080 kfree(cn.corename);
1934 argv_free(helper_argv); 2081fail_corename:
1935 2082 coredump_finish(mm);
1936 revert_creds(old_cred); 2083 revert_creds(old_cred);
2084fail_creds:
1937 put_cred(cred); 2085 put_cred(cred);
1938 coredump_finish(mm);
1939fail: 2086fail:
1940 return; 2087 return;
1941} 2088}
2089
2090/*
2091 * Core dumping helper functions. These are the only things you should
2092 * do on a core-file: use only these functions to write out all the
2093 * necessary info.
2094 */
2095int dump_write(struct file *file, const void *addr, int nr)
2096{
2097 return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, addr, nr, &file->f_pos) == nr;
2098}
2099EXPORT_SYMBOL(dump_write);
2100
2101int dump_seek(struct file *file, loff_t off)
2102{
2103 int ret = 1;
2104
2105 if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
2106 if (file->f_op->llseek(file, off, SEEK_CUR) < 0)
2107 return 0;
2108 } else {
2109 char *buf = (char *)get_zeroed_page(GFP_KERNEL);
2110
2111 if (!buf)
2112 return 0;
2113 while (off > 0) {
2114 unsigned long n = off;
2115
2116 if (n > PAGE_SIZE)
2117 n = PAGE_SIZE;
2118 if (!dump_write(file, buf, n)) {
2119 ret = 0;
2120 break;
2121 }
2122 off -= n;
2123 }
2124 free_page((unsigned long)buf);
2125 }
2126 return ret;
2127}
2128EXPORT_SYMBOL(dump_seek);
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-14 10:22:22 -0400