diff options
Diffstat (limited to 'fs')
-rw-r--r-- | fs/binfmt_elf.c | 28 | ||||
-rw-r--r-- | fs/binfmt_elf_fdpic.c | 8 | ||||
-rw-r--r-- | fs/binfmt_misc.c | 4 | ||||
-rw-r--r-- | fs/binfmt_script.c | 4 | ||||
-rw-r--r-- | fs/compat.c | 128 | ||||
-rw-r--r-- | fs/exec.c | 614 |
6 files changed, 478 insertions, 308 deletions
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index a27e42bf3400..295cbaa0e58a 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c | |||
@@ -148,6 +148,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, | |||
148 | elf_addr_t *elf_info; | 148 | elf_addr_t *elf_info; |
149 | int ei_index = 0; | 149 | int ei_index = 0; |
150 | struct task_struct *tsk = current; | 150 | struct task_struct *tsk = current; |
151 | struct vm_area_struct *vma; | ||
151 | 152 | ||
152 | /* | 153 | /* |
153 | * If this architecture has a platform capability string, copy it | 154 | * If this architecture has a platform capability string, copy it |
@@ -234,6 +235,15 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, | |||
234 | sp = (elf_addr_t __user *)bprm->p; | 235 | sp = (elf_addr_t __user *)bprm->p; |
235 | #endif | 236 | #endif |
236 | 237 | ||
238 | |||
239 | /* | ||
240 | * Grow the stack manually; some architectures have a limit on how | ||
241 | * far ahead a user-space access may be in order to grow the stack. | ||
242 | */ | ||
243 | vma = find_extend_vma(current->mm, bprm->p); | ||
244 | if (!vma) | ||
245 | return -EFAULT; | ||
246 | |||
237 | /* Now, let's put argc (and argv, envp if appropriate) on the stack */ | 247 | /* Now, let's put argc (and argv, envp if appropriate) on the stack */ |
238 | if (__put_user(argc, sp++)) | 248 | if (__put_user(argc, sp++)) |
239 | return -EFAULT; | 249 | return -EFAULT; |
@@ -254,8 +264,8 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, | |||
254 | size_t len; | 264 | size_t len; |
255 | if (__put_user((elf_addr_t)p, argv++)) | 265 | if (__put_user((elf_addr_t)p, argv++)) |
256 | return -EFAULT; | 266 | return -EFAULT; |
257 | len = strnlen_user((void __user *)p, PAGE_SIZE*MAX_ARG_PAGES); | 267 | len = strnlen_user((void __user *)p, MAX_ARG_STRLEN); |
258 | if (!len || len > PAGE_SIZE*MAX_ARG_PAGES) | 268 | if (!len || len > MAX_ARG_STRLEN) |
259 | return 0; | 269 | return 0; |
260 | p += len; | 270 | p += len; |
261 | } | 271 | } |
@@ -266,8 +276,8 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, | |||
266 | size_t len; | 276 | size_t len; |
267 | if (__put_user((elf_addr_t)p, envp++)) | 277 | if (__put_user((elf_addr_t)p, envp++)) |
268 | return -EFAULT; | 278 | return -EFAULT; |
269 | len = strnlen_user((void __user *)p, PAGE_SIZE*MAX_ARG_PAGES); | 279 | len = strnlen_user((void __user *)p, MAX_ARG_STRLEN); |
270 | if (!len || len > PAGE_SIZE*MAX_ARG_PAGES) | 280 | if (!len || len > MAX_ARG_STRLEN) |
271 | return 0; | 281 | return 0; |
272 | p += len; | 282 | p += len; |
273 | } | 283 | } |
@@ -826,10 +836,6 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) | |||
826 | } | 836 | } |
827 | 837 | ||
828 | /* OK, This is the point of no return */ | 838 | /* OK, This is the point of no return */ |
829 | current->mm->start_data = 0; | ||
830 | current->mm->end_data = 0; | ||
831 | current->mm->end_code = 0; | ||
832 | current->mm->mmap = NULL; | ||
833 | current->flags &= ~PF_FORKNOEXEC; | 839 | current->flags &= ~PF_FORKNOEXEC; |
834 | current->mm->def_flags = def_flags; | 840 | current->mm->def_flags = def_flags; |
835 | 841 | ||
@@ -1051,9 +1057,13 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) | |||
1051 | 1057 | ||
1052 | compute_creds(bprm); | 1058 | compute_creds(bprm); |
1053 | current->flags &= ~PF_FORKNOEXEC; | 1059 | current->flags &= ~PF_FORKNOEXEC; |
1054 | create_elf_tables(bprm, &loc->elf_ex, | 1060 | retval = create_elf_tables(bprm, &loc->elf_ex, |
1055 | (interpreter_type == INTERPRETER_AOUT), | 1061 | (interpreter_type == INTERPRETER_AOUT), |
1056 | load_addr, interp_load_addr); | 1062 | load_addr, interp_load_addr); |
1063 | if (retval < 0) { | ||
1064 | send_sig(SIGKILL, current, 0); | ||
1065 | goto out; | ||
1066 | } | ||
1057 | /* N.B. passed_fileno might not be initialized? */ | 1067 | /* N.B. passed_fileno might not be initialized? */ |
1058 | if (interpreter_type == INTERPRETER_AOUT) | 1068 | if (interpreter_type == INTERPRETER_AOUT) |
1059 | current->mm->arg_start += strlen(passed_fileno) + 1; | 1069 | current->mm->arg_start += strlen(passed_fileno) + 1; |
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index 9d62fbad3d4b..4739506fb083 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c | |||
@@ -621,8 +621,8 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, | |||
621 | p = (char __user *) current->mm->arg_start; | 621 | p = (char __user *) current->mm->arg_start; |
622 | for (loop = bprm->argc; loop > 0; loop--) { | 622 | for (loop = bprm->argc; loop > 0; loop--) { |
623 | __put_user((elf_caddr_t) p, argv++); | 623 | __put_user((elf_caddr_t) p, argv++); |
624 | len = strnlen_user(p, PAGE_SIZE * MAX_ARG_PAGES); | 624 | len = strnlen_user(p, MAX_ARG_STRLEN); |
625 | if (!len || len > PAGE_SIZE * MAX_ARG_PAGES) | 625 | if (!len || len > MAX_ARG_STRLEN) |
626 | return -EINVAL; | 626 | return -EINVAL; |
627 | p += len; | 627 | p += len; |
628 | } | 628 | } |
@@ -633,8 +633,8 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, | |||
633 | current->mm->env_start = (unsigned long) p; | 633 | current->mm->env_start = (unsigned long) p; |
634 | for (loop = bprm->envc; loop > 0; loop--) { | 634 | for (loop = bprm->envc; loop > 0; loop--) { |
635 | __put_user((elf_caddr_t)(unsigned long) p, envp++); | 635 | __put_user((elf_caddr_t)(unsigned long) p, envp++); |
636 | len = strnlen_user(p, PAGE_SIZE * MAX_ARG_PAGES); | 636 | len = strnlen_user(p, MAX_ARG_STRLEN); |
637 | if (!len || len > PAGE_SIZE * MAX_ARG_PAGES) | 637 | if (!len || len > MAX_ARG_STRLEN) |
638 | return -EINVAL; | 638 | return -EINVAL; |
639 | p += len; | 639 | p += len; |
640 | } | 640 | } |
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c index 330fd3fe8546..42e94b3ab7be 100644 --- a/fs/binfmt_misc.c +++ b/fs/binfmt_misc.c | |||
@@ -126,7 +126,9 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) | |||
126 | goto _ret; | 126 | goto _ret; |
127 | 127 | ||
128 | if (!(fmt->flags & MISC_FMT_PRESERVE_ARGV0)) { | 128 | if (!(fmt->flags & MISC_FMT_PRESERVE_ARGV0)) { |
129 | remove_arg_zero(bprm); | 129 | retval = remove_arg_zero(bprm); |
130 | if (retval) | ||
131 | goto _ret; | ||
130 | } | 132 | } |
131 | 133 | ||
132 | if (fmt->flags & MISC_FMT_OPEN_BINARY) { | 134 | if (fmt->flags & MISC_FMT_OPEN_BINARY) { |
diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c index 304c88544d89..4d0e0f6d3273 100644 --- a/fs/binfmt_script.c +++ b/fs/binfmt_script.c | |||
@@ -67,7 +67,9 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs) | |||
67 | * This is done in reverse order, because of how the | 67 | * This is done in reverse order, because of how the |
68 | * user environment and arguments are stored. | 68 | * user environment and arguments are stored. |
69 | */ | 69 | */ |
70 | remove_arg_zero(bprm); | 70 | retval = remove_arg_zero(bprm); |
71 | if (retval) | ||
72 | return retval; | ||
71 | retval = copy_strings_kernel(1, &bprm->interp, bprm); | 73 | retval = copy_strings_kernel(1, &bprm->interp, bprm); |
72 | if (retval < 0) return retval; | 74 | if (retval < 0) return retval; |
73 | bprm->argc++; | 75 | bprm->argc++; |
diff --git a/fs/compat.c b/fs/compat.c index 4db6216e5266..15078ce4c04a 100644 --- a/fs/compat.c +++ b/fs/compat.c | |||
@@ -1257,6 +1257,7 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv, | |||
1257 | { | 1257 | { |
1258 | struct page *kmapped_page = NULL; | 1258 | struct page *kmapped_page = NULL; |
1259 | char *kaddr = NULL; | 1259 | char *kaddr = NULL; |
1260 | unsigned long kpos = 0; | ||
1260 | int ret; | 1261 | int ret; |
1261 | 1262 | ||
1262 | while (argc-- > 0) { | 1263 | while (argc-- > 0) { |
@@ -1265,92 +1266,84 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv, | |||
1265 | unsigned long pos; | 1266 | unsigned long pos; |
1266 | 1267 | ||
1267 | if (get_user(str, argv+argc) || | 1268 | if (get_user(str, argv+argc) || |
1268 | !(len = strnlen_user(compat_ptr(str), bprm->p))) { | 1269 | !(len = strnlen_user(compat_ptr(str), MAX_ARG_STRLEN))) { |
1269 | ret = -EFAULT; | 1270 | ret = -EFAULT; |
1270 | goto out; | 1271 | goto out; |
1271 | } | 1272 | } |
1272 | 1273 | ||
1273 | if (bprm->p < len) { | 1274 | if (len > MAX_ARG_STRLEN) { |
1274 | ret = -E2BIG; | 1275 | ret = -E2BIG; |
1275 | goto out; | 1276 | goto out; |
1276 | } | 1277 | } |
1277 | 1278 | ||
1278 | bprm->p -= len; | 1279 | /* We're going to work our way backwords. */ |
1279 | /* XXX: add architecture specific overflow check here. */ | ||
1280 | pos = bprm->p; | 1280 | pos = bprm->p; |
1281 | str += len; | ||
1282 | bprm->p -= len; | ||
1281 | 1283 | ||
1282 | while (len > 0) { | 1284 | while (len > 0) { |
1283 | int i, new, err; | ||
1284 | int offset, bytes_to_copy; | 1285 | int offset, bytes_to_copy; |
1285 | struct page *page; | ||
1286 | 1286 | ||
1287 | offset = pos % PAGE_SIZE; | 1287 | offset = pos % PAGE_SIZE; |
1288 | i = pos/PAGE_SIZE; | 1288 | if (offset == 0) |
1289 | page = bprm->page[i]; | 1289 | offset = PAGE_SIZE; |
1290 | new = 0; | 1290 | |
1291 | if (!page) { | 1291 | bytes_to_copy = offset; |
1292 | page = alloc_page(GFP_HIGHUSER); | 1292 | if (bytes_to_copy > len) |
1293 | bprm->page[i] = page; | 1293 | bytes_to_copy = len; |
1294 | if (!page) { | 1294 | |
1295 | ret = -ENOMEM; | 1295 | offset -= bytes_to_copy; |
1296 | pos -= bytes_to_copy; | ||
1297 | str -= bytes_to_copy; | ||
1298 | len -= bytes_to_copy; | ||
1299 | |||
1300 | if (!kmapped_page || kpos != (pos & PAGE_MASK)) { | ||
1301 | struct page *page; | ||
1302 | |||
1303 | #ifdef CONFIG_STACK_GROWSUP | ||
1304 | ret = expand_stack_downwards(bprm->vma, pos); | ||
1305 | if (ret < 0) { | ||
1306 | /* We've exceed the stack rlimit. */ | ||
1307 | ret = -E2BIG; | ||
1308 | goto out; | ||
1309 | } | ||
1310 | #endif | ||
1311 | ret = get_user_pages(current, bprm->mm, pos, | ||
1312 | 1, 1, 1, &page, NULL); | ||
1313 | if (ret <= 0) { | ||
1314 | /* We've exceed the stack rlimit. */ | ||
1315 | ret = -E2BIG; | ||
1296 | goto out; | 1316 | goto out; |
1297 | } | 1317 | } |
1298 | new = 1; | ||
1299 | } | ||
1300 | 1318 | ||
1301 | if (page != kmapped_page) { | 1319 | if (kmapped_page) { |
1302 | if (kmapped_page) | 1320 | flush_kernel_dcache_page(kmapped_page); |
1303 | kunmap(kmapped_page); | 1321 | kunmap(kmapped_page); |
1322 | put_page(kmapped_page); | ||
1323 | } | ||
1304 | kmapped_page = page; | 1324 | kmapped_page = page; |
1305 | kaddr = kmap(kmapped_page); | 1325 | kaddr = kmap(kmapped_page); |
1326 | kpos = pos & PAGE_MASK; | ||
1327 | flush_cache_page(bprm->vma, kpos, | ||
1328 | page_to_pfn(kmapped_page)); | ||
1306 | } | 1329 | } |
1307 | if (new && offset) | 1330 | if (copy_from_user(kaddr+offset, compat_ptr(str), |
1308 | memset(kaddr, 0, offset); | 1331 | bytes_to_copy)) { |
1309 | bytes_to_copy = PAGE_SIZE - offset; | ||
1310 | if (bytes_to_copy > len) { | ||
1311 | bytes_to_copy = len; | ||
1312 | if (new) | ||
1313 | memset(kaddr+offset+len, 0, | ||
1314 | PAGE_SIZE-offset-len); | ||
1315 | } | ||
1316 | err = copy_from_user(kaddr+offset, compat_ptr(str), | ||
1317 | bytes_to_copy); | ||
1318 | if (err) { | ||
1319 | ret = -EFAULT; | 1332 | ret = -EFAULT; |
1320 | goto out; | 1333 | goto out; |
1321 | } | 1334 | } |
1322 | |||
1323 | pos += bytes_to_copy; | ||
1324 | str += bytes_to_copy; | ||
1325 | len -= bytes_to_copy; | ||
1326 | } | 1335 | } |
1327 | } | 1336 | } |
1328 | ret = 0; | 1337 | ret = 0; |
1329 | out: | 1338 | out: |
1330 | if (kmapped_page) | 1339 | if (kmapped_page) { |
1340 | flush_kernel_dcache_page(kmapped_page); | ||
1331 | kunmap(kmapped_page); | 1341 | kunmap(kmapped_page); |
1332 | return ret; | 1342 | put_page(kmapped_page); |
1333 | } | ||
1334 | |||
1335 | #ifdef CONFIG_MMU | ||
1336 | |||
1337 | #define free_arg_pages(bprm) do { } while (0) | ||
1338 | |||
1339 | #else | ||
1340 | |||
1341 | static inline void free_arg_pages(struct linux_binprm *bprm) | ||
1342 | { | ||
1343 | int i; | ||
1344 | |||
1345 | for (i = 0; i < MAX_ARG_PAGES; i++) { | ||
1346 | if (bprm->page[i]) | ||
1347 | __free_page(bprm->page[i]); | ||
1348 | bprm->page[i] = NULL; | ||
1349 | } | 1343 | } |
1344 | return ret; | ||
1350 | } | 1345 | } |
1351 | 1346 | ||
1352 | #endif /* CONFIG_MMU */ | ||
1353 | |||
1354 | /* | 1347 | /* |
1355 | * compat_do_execve() is mostly a copy of do_execve(), with the exception | 1348 | * compat_do_execve() is mostly a copy of do_execve(), with the exception |
1356 | * that it processes 32 bit argv and envp pointers. | 1349 | * that it processes 32 bit argv and envp pointers. |
@@ -1363,7 +1356,6 @@ int compat_do_execve(char * filename, | |||
1363 | struct linux_binprm *bprm; | 1356 | struct linux_binprm *bprm; |
1364 | struct file *file; | 1357 | struct file *file; |
1365 | int retval; | 1358 | int retval; |
1366 | int i; | ||
1367 | 1359 | ||
1368 | retval = -ENOMEM; | 1360 | retval = -ENOMEM; |
1369 | bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); | 1361 | bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); |
@@ -1377,24 +1369,19 @@ int compat_do_execve(char * filename, | |||
1377 | 1369 | ||
1378 | sched_exec(); | 1370 | sched_exec(); |
1379 | 1371 | ||
1380 | bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); | ||
1381 | bprm->file = file; | 1372 | bprm->file = file; |
1382 | bprm->filename = filename; | 1373 | bprm->filename = filename; |
1383 | bprm->interp = filename; | 1374 | bprm->interp = filename; |
1384 | bprm->mm = mm_alloc(); | ||
1385 | retval = -ENOMEM; | ||
1386 | if (!bprm->mm) | ||
1387 | goto out_file; | ||
1388 | 1375 | ||
1389 | retval = init_new_context(current, bprm->mm); | 1376 | retval = bprm_mm_init(bprm); |
1390 | if (retval < 0) | 1377 | if (retval) |
1391 | goto out_mm; | 1378 | goto out_file; |
1392 | 1379 | ||
1393 | bprm->argc = compat_count(argv, bprm->p / sizeof(compat_uptr_t)); | 1380 | bprm->argc = compat_count(argv, MAX_ARG_STRINGS); |
1394 | if ((retval = bprm->argc) < 0) | 1381 | if ((retval = bprm->argc) < 0) |
1395 | goto out_mm; | 1382 | goto out_mm; |
1396 | 1383 | ||
1397 | bprm->envc = compat_count(envp, bprm->p / sizeof(compat_uptr_t)); | 1384 | bprm->envc = compat_count(envp, MAX_ARG_STRINGS); |
1398 | if ((retval = bprm->envc) < 0) | 1385 | if ((retval = bprm->envc) < 0) |
1399 | goto out_mm; | 1386 | goto out_mm; |
1400 | 1387 | ||
@@ -1421,8 +1408,6 @@ int compat_do_execve(char * filename, | |||
1421 | 1408 | ||
1422 | retval = search_binary_handler(bprm, regs); | 1409 | retval = search_binary_handler(bprm, regs); |
1423 | if (retval >= 0) { | 1410 | if (retval >= 0) { |
1424 | free_arg_pages(bprm); | ||
1425 | |||
1426 | /* execve success */ | 1411 | /* execve success */ |
1427 | security_bprm_free(bprm); | 1412 | security_bprm_free(bprm); |
1428 | acct_update_integrals(current); | 1413 | acct_update_integrals(current); |
@@ -1431,19 +1416,12 @@ int compat_do_execve(char * filename, | |||
1431 | } | 1416 | } |
1432 | 1417 | ||
1433 | out: | 1418 | out: |
1434 | /* Something went wrong, return the inode and free the argument pages*/ | ||
1435 | for (i = 0 ; i < MAX_ARG_PAGES ; i++) { | ||
1436 | struct page * page = bprm->page[i]; | ||
1437 | if (page) | ||
1438 | __free_page(page); | ||
1439 | } | ||
1440 | |||
1441 | if (bprm->security) | 1419 | if (bprm->security) |
1442 | security_bprm_free(bprm); | 1420 | security_bprm_free(bprm); |
1443 | 1421 | ||
1444 | out_mm: | 1422 | out_mm: |
1445 | if (bprm->mm) | 1423 | if (bprm->mm) |
1446 | mmdrop(bprm->mm); | 1424 | mmput(bprm->mm); |
1447 | 1425 | ||
1448 | out_file: | 1426 | out_file: |
1449 | if (bprm->file) { | 1427 | if (bprm->file) { |
@@ -54,6 +54,7 @@ | |||
54 | 54 | ||
55 | #include <asm/uaccess.h> | 55 | #include <asm/uaccess.h> |
56 | #include <asm/mmu_context.h> | 56 | #include <asm/mmu_context.h> |
57 | #include <asm/tlb.h> | ||
57 | 58 | ||
58 | #ifdef CONFIG_KMOD | 59 | #ifdef CONFIG_KMOD |
59 | #include <linux/kmod.h> | 60 | #include <linux/kmod.h> |
@@ -178,6 +179,207 @@ exit: | |||
178 | goto out; | 179 | goto out; |
179 | } | 180 | } |
180 | 181 | ||
182 | #ifdef CONFIG_MMU | ||
183 | |||
184 | static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, | ||
185 | int write) | ||
186 | { | ||
187 | struct page *page; | ||
188 | int ret; | ||
189 | |||
190 | #ifdef CONFIG_STACK_GROWSUP | ||
191 | if (write) { | ||
192 | ret = expand_stack_downwards(bprm->vma, pos); | ||
193 | if (ret < 0) | ||
194 | return NULL; | ||
195 | } | ||
196 | #endif | ||
197 | ret = get_user_pages(current, bprm->mm, pos, | ||
198 | 1, write, 1, &page, NULL); | ||
199 | if (ret <= 0) | ||
200 | return NULL; | ||
201 | |||
202 | if (write) { | ||
203 | struct rlimit *rlim = current->signal->rlim; | ||
204 | unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; | ||
205 | |||
206 | /* | ||
207 | * Limit to 1/4-th the stack size for the argv+env strings. | ||
208 | * This ensures that: | ||
209 | * - the remaining binfmt code will not run out of stack space, | ||
210 | * - the program will have a reasonable amount of stack left | ||
211 | * to work from. | ||
212 | */ | ||
213 | if (size > rlim[RLIMIT_STACK].rlim_cur / 4) { | ||
214 | put_page(page); | ||
215 | return NULL; | ||
216 | } | ||
217 | } | ||
218 | |||
219 | return page; | ||
220 | } | ||
221 | |||
222 | static void put_arg_page(struct page *page) | ||
223 | { | ||
224 | put_page(page); | ||
225 | } | ||
226 | |||
227 | static void free_arg_page(struct linux_binprm *bprm, int i) | ||
228 | { | ||
229 | } | ||
230 | |||
231 | static void free_arg_pages(struct linux_binprm *bprm) | ||
232 | { | ||
233 | } | ||
234 | |||
235 | static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos, | ||
236 | struct page *page) | ||
237 | { | ||
238 | flush_cache_page(bprm->vma, pos, page_to_pfn(page)); | ||
239 | } | ||
240 | |||
241 | static int __bprm_mm_init(struct linux_binprm *bprm) | ||
242 | { | ||
243 | int err = -ENOMEM; | ||
244 | struct vm_area_struct *vma = NULL; | ||
245 | struct mm_struct *mm = bprm->mm; | ||
246 | |||
247 | bprm->vma = vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); | ||
248 | if (!vma) | ||
249 | goto err; | ||
250 | |||
251 | down_write(&mm->mmap_sem); | ||
252 | vma->vm_mm = mm; | ||
253 | |||
254 | /* | ||
255 | * Place the stack at the largest stack address the architecture | ||
256 | * supports. Later, we'll move this to an appropriate place. We don't | ||
257 | * use STACK_TOP because that can depend on attributes which aren't | ||
258 | * configured yet. | ||
259 | */ | ||
260 | vma->vm_end = STACK_TOP_MAX; | ||
261 | vma->vm_start = vma->vm_end - PAGE_SIZE; | ||
262 | |||
263 | vma->vm_flags = VM_STACK_FLAGS; | ||
264 | vma->vm_page_prot = protection_map[vma->vm_flags & 0x7]; | ||
265 | err = insert_vm_struct(mm, vma); | ||
266 | if (err) { | ||
267 | up_write(&mm->mmap_sem); | ||
268 | goto err; | ||
269 | } | ||
270 | |||
271 | mm->stack_vm = mm->total_vm = 1; | ||
272 | up_write(&mm->mmap_sem); | ||
273 | |||
274 | bprm->p = vma->vm_end - sizeof(void *); | ||
275 | |||
276 | return 0; | ||
277 | |||
278 | err: | ||
279 | if (vma) { | ||
280 | bprm->vma = NULL; | ||
281 | kmem_cache_free(vm_area_cachep, vma); | ||
282 | } | ||
283 | |||
284 | return err; | ||
285 | } | ||
286 | |||
287 | static bool valid_arg_len(struct linux_binprm *bprm, long len) | ||
288 | { | ||
289 | return len <= MAX_ARG_STRLEN; | ||
290 | } | ||
291 | |||
292 | #else | ||
293 | |||
294 | static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, | ||
295 | int write) | ||
296 | { | ||
297 | struct page *page; | ||
298 | |||
299 | page = bprm->page[pos / PAGE_SIZE]; | ||
300 | if (!page && write) { | ||
301 | page = alloc_page(GFP_HIGHUSER|__GFP_ZERO); | ||
302 | if (!page) | ||
303 | return NULL; | ||
304 | bprm->page[pos / PAGE_SIZE] = page; | ||
305 | } | ||
306 | |||
307 | return page; | ||
308 | } | ||
309 | |||
310 | static void put_arg_page(struct page *page) | ||
311 | { | ||
312 | } | ||
313 | |||
314 | static void free_arg_page(struct linux_binprm *bprm, int i) | ||
315 | { | ||
316 | if (bprm->page[i]) { | ||
317 | __free_page(bprm->page[i]); | ||
318 | bprm->page[i] = NULL; | ||
319 | } | ||
320 | } | ||
321 | |||
322 | static void free_arg_pages(struct linux_binprm *bprm) | ||
323 | { | ||
324 | int i; | ||
325 | |||
326 | for (i = 0; i < MAX_ARG_PAGES; i++) | ||
327 | free_arg_page(bprm, i); | ||
328 | } | ||
329 | |||
330 | static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos, | ||
331 | struct page *page) | ||
332 | { | ||
333 | } | ||
334 | |||
335 | static int __bprm_mm_init(struct linux_binprm *bprm) | ||
336 | { | ||
337 | bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *); | ||
338 | return 0; | ||
339 | } | ||
340 | |||
341 | static bool valid_arg_len(struct linux_binprm *bprm, long len) | ||
342 | { | ||
343 | return len <= bprm->p; | ||
344 | } | ||
345 | |||
346 | #endif /* CONFIG_MMU */ | ||
347 | |||
348 | /* | ||
349 | * Create a new mm_struct and populate it with a temporary stack | ||
350 | * vm_area_struct. We don't have enough context at this point to set the stack | ||
351 | * flags, permissions, and offset, so we use temporary values. We'll update | ||
352 | * them later in setup_arg_pages(). | ||
353 | */ | ||
354 | int bprm_mm_init(struct linux_binprm *bprm) | ||
355 | { | ||
356 | int err; | ||
357 | struct mm_struct *mm = NULL; | ||
358 | |||
359 | bprm->mm = mm = mm_alloc(); | ||
360 | err = -ENOMEM; | ||
361 | if (!mm) | ||
362 | goto err; | ||
363 | |||
364 | err = init_new_context(current, mm); | ||
365 | if (err) | ||
366 | goto err; | ||
367 | |||
368 | err = __bprm_mm_init(bprm); | ||
369 | if (err) | ||
370 | goto err; | ||
371 | |||
372 | return 0; | ||
373 | |||
374 | err: | ||
375 | if (mm) { | ||
376 | bprm->mm = NULL; | ||
377 | mmdrop(mm); | ||
378 | } | ||
379 | |||
380 | return err; | ||
381 | } | ||
382 | |||
181 | /* | 383 | /* |
182 | * count() counts the number of strings in array ARGV. | 384 | * count() counts the number of strings in array ARGV. |
183 | */ | 385 | */ |
@@ -203,15 +405,16 @@ static int count(char __user * __user * argv, int max) | |||
203 | } | 405 | } |
204 | 406 | ||
205 | /* | 407 | /* |
206 | * 'copy_strings()' copies argument/environment strings from user | 408 | * 'copy_strings()' copies argument/environment strings from the old |
207 | * memory to free pages in kernel mem. These are in a format ready | 409 | * processes's memory to the new process's stack. The call to get_user_pages() |
208 | * to be put directly into the top of new user memory. | 410 | * ensures the destination page is created and not swapped out. |
209 | */ | 411 | */ |
210 | static int copy_strings(int argc, char __user * __user * argv, | 412 | static int copy_strings(int argc, char __user * __user * argv, |
211 | struct linux_binprm *bprm) | 413 | struct linux_binprm *bprm) |
212 | { | 414 | { |
213 | struct page *kmapped_page = NULL; | 415 | struct page *kmapped_page = NULL; |
214 | char *kaddr = NULL; | 416 | char *kaddr = NULL; |
417 | unsigned long kpos = 0; | ||
215 | int ret; | 418 | int ret; |
216 | 419 | ||
217 | while (argc-- > 0) { | 420 | while (argc-- > 0) { |
@@ -220,69 +423,69 @@ static int copy_strings(int argc, char __user * __user * argv, | |||
220 | unsigned long pos; | 423 | unsigned long pos; |
221 | 424 | ||
222 | if (get_user(str, argv+argc) || | 425 | if (get_user(str, argv+argc) || |
223 | !(len = strnlen_user(str, bprm->p))) { | 426 | !(len = strnlen_user(str, MAX_ARG_STRLEN))) { |
224 | ret = -EFAULT; | 427 | ret = -EFAULT; |
225 | goto out; | 428 | goto out; |
226 | } | 429 | } |
227 | 430 | ||
228 | if (bprm->p < len) { | 431 | if (!valid_arg_len(bprm, len)) { |
229 | ret = -E2BIG; | 432 | ret = -E2BIG; |
230 | goto out; | 433 | goto out; |
231 | } | 434 | } |
232 | 435 | ||
233 | bprm->p -= len; | 436 | /* We're going to work our way backwords. */ |
234 | /* XXX: add architecture specific overflow check here. */ | ||
235 | pos = bprm->p; | 437 | pos = bprm->p; |
438 | str += len; | ||
439 | bprm->p -= len; | ||
236 | 440 | ||
237 | while (len > 0) { | 441 | while (len > 0) { |
238 | int i, new, err; | ||
239 | int offset, bytes_to_copy; | 442 | int offset, bytes_to_copy; |
240 | struct page *page; | ||
241 | 443 | ||
242 | offset = pos % PAGE_SIZE; | 444 | offset = pos % PAGE_SIZE; |
243 | i = pos/PAGE_SIZE; | 445 | if (offset == 0) |
244 | page = bprm->page[i]; | 446 | offset = PAGE_SIZE; |
245 | new = 0; | 447 | |
246 | if (!page) { | 448 | bytes_to_copy = offset; |
247 | page = alloc_page(GFP_HIGHUSER); | 449 | if (bytes_to_copy > len) |
248 | bprm->page[i] = page; | 450 | bytes_to_copy = len; |
451 | |||
452 | offset -= bytes_to_copy; | ||
453 | pos -= bytes_to_copy; | ||
454 | str -= bytes_to_copy; | ||
455 | len -= bytes_to_copy; | ||
456 | |||
457 | if (!kmapped_page || kpos != (pos & PAGE_MASK)) { | ||
458 | struct page *page; | ||
459 | |||
460 | page = get_arg_page(bprm, pos, 1); | ||
249 | if (!page) { | 461 | if (!page) { |
250 | ret = -ENOMEM; | 462 | ret = -E2BIG; |
251 | goto out; | 463 | goto out; |
252 | } | 464 | } |
253 | new = 1; | ||
254 | } | ||
255 | 465 | ||
256 | if (page != kmapped_page) { | 466 | if (kmapped_page) { |
257 | if (kmapped_page) | 467 | flush_kernel_dcache_page(kmapped_page); |
258 | kunmap(kmapped_page); | 468 | kunmap(kmapped_page); |
469 | put_arg_page(kmapped_page); | ||
470 | } | ||
259 | kmapped_page = page; | 471 | kmapped_page = page; |
260 | kaddr = kmap(kmapped_page); | 472 | kaddr = kmap(kmapped_page); |
473 | kpos = pos & PAGE_MASK; | ||
474 | flush_arg_page(bprm, kpos, kmapped_page); | ||
261 | } | 475 | } |
262 | if (new && offset) | 476 | if (copy_from_user(kaddr+offset, str, bytes_to_copy)) { |
263 | memset(kaddr, 0, offset); | ||
264 | bytes_to_copy = PAGE_SIZE - offset; | ||
265 | if (bytes_to_copy > len) { | ||
266 | bytes_to_copy = len; | ||
267 | if (new) | ||
268 | memset(kaddr+offset+len, 0, | ||
269 | PAGE_SIZE-offset-len); | ||
270 | } | ||
271 | err = copy_from_user(kaddr+offset, str, bytes_to_copy); | ||
272 | if (err) { | ||
273 | ret = -EFAULT; | 477 | ret = -EFAULT; |
274 | goto out; | 478 | goto out; |
275 | } | 479 | } |
276 | |||
277 | pos += bytes_to_copy; | ||
278 | str += bytes_to_copy; | ||
279 | len -= bytes_to_copy; | ||
280 | } | 480 | } |
281 | } | 481 | } |
282 | ret = 0; | 482 | ret = 0; |
283 | out: | 483 | out: |
284 | if (kmapped_page) | 484 | if (kmapped_page) { |
485 | flush_kernel_dcache_page(kmapped_page); | ||
285 | kunmap(kmapped_page); | 486 | kunmap(kmapped_page); |
487 | put_arg_page(kmapped_page); | ||
488 | } | ||
286 | return ret; | 489 | return ret; |
287 | } | 490 | } |
288 | 491 | ||
@@ -298,181 +501,172 @@ int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm) | |||
298 | set_fs(oldfs); | 501 | set_fs(oldfs); |
299 | return r; | 502 | return r; |
300 | } | 503 | } |
301 | |||
302 | EXPORT_SYMBOL(copy_strings_kernel); | 504 | EXPORT_SYMBOL(copy_strings_kernel); |
303 | 505 | ||
304 | #ifdef CONFIG_MMU | 506 | #ifdef CONFIG_MMU |
507 | |||
305 | /* | 508 | /* |
306 | * This routine is used to map in a page into an address space: needed by | 509 | * During bprm_mm_init(), we create a temporary stack at STACK_TOP_MAX. Once |
307 | * execve() for the initial stack and environment pages. | 510 | * the binfmt code determines where the new stack should reside, we shift it to |
511 | * its final location. The process proceeds as follows: | ||
308 | * | 512 | * |
309 | * vma->vm_mm->mmap_sem is held for writing. | 513 | * 1) Use shift to calculate the new vma endpoints. |
514 | * 2) Extend vma to cover both the old and new ranges. This ensures the | ||
515 | * arguments passed to subsequent functions are consistent. | ||
516 | * 3) Move vma's page tables to the new range. | ||
517 | * 4) Free up any cleared pgd range. | ||
518 | * 5) Shrink the vma to cover only the new range. | ||
310 | */ | 519 | */ |
311 | void install_arg_page(struct vm_area_struct *vma, | 520 | static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) |
312 | struct page *page, unsigned long address) | ||
313 | { | 521 | { |
314 | struct mm_struct *mm = vma->vm_mm; | 522 | struct mm_struct *mm = vma->vm_mm; |
315 | pte_t * pte; | 523 | unsigned long old_start = vma->vm_start; |
316 | spinlock_t *ptl; | 524 | unsigned long old_end = vma->vm_end; |
525 | unsigned long length = old_end - old_start; | ||
526 | unsigned long new_start = old_start - shift; | ||
527 | unsigned long new_end = old_end - shift; | ||
528 | struct mmu_gather *tlb; | ||
317 | 529 | ||
318 | if (unlikely(anon_vma_prepare(vma))) | 530 | BUG_ON(new_start > new_end); |
319 | goto out; | ||
320 | 531 | ||
321 | flush_dcache_page(page); | 532 | /* |
322 | pte = get_locked_pte(mm, address, &ptl); | 533 | * ensure there are no vmas between where we want to go |
323 | if (!pte) | 534 | * and where we are |
324 | goto out; | 535 | */ |
325 | if (!pte_none(*pte)) { | 536 | if (vma != find_vma(mm, new_start)) |
326 | pte_unmap_unlock(pte, ptl); | 537 | return -EFAULT; |
327 | goto out; | 538 | |
539 | /* | ||
540 | * cover the whole range: [new_start, old_end) | ||
541 | */ | ||
542 | vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL); | ||
543 | |||
544 | /* | ||
545 | * move the page tables downwards, on failure we rely on | ||
546 | * process cleanup to remove whatever mess we made. | ||
547 | */ | ||
548 | if (length != move_page_tables(vma, old_start, | ||
549 | vma, new_start, length)) | ||
550 | return -ENOMEM; | ||
551 | |||
552 | lru_add_drain(); | ||
553 | tlb = tlb_gather_mmu(mm, 0); | ||
554 | if (new_end > old_start) { | ||
555 | /* | ||
556 | * when the old and new regions overlap clear from new_end. | ||
557 | */ | ||
558 | free_pgd_range(&tlb, new_end, old_end, new_end, | ||
559 | vma->vm_next ? vma->vm_next->vm_start : 0); | ||
560 | } else { | ||
561 | /* | ||
562 | * otherwise, clean from old_start; this is done to not touch | ||
563 | * the address space in [new_end, old_start) some architectures | ||
564 | * have constraints on va-space that make this illegal (IA64) - | ||
565 | * for the others its just a little faster. | ||
566 | */ | ||
567 | free_pgd_range(&tlb, old_start, old_end, new_end, | ||
568 | vma->vm_next ? vma->vm_next->vm_start : 0); | ||
328 | } | 569 | } |
329 | inc_mm_counter(mm, anon_rss); | 570 | tlb_finish_mmu(tlb, new_end, old_end); |
330 | lru_cache_add_active(page); | 571 | |
331 | set_pte_at(mm, address, pte, pte_mkdirty(pte_mkwrite(mk_pte( | 572 | /* |
332 | page, vma->vm_page_prot)))); | 573 | * shrink the vma to just the new range. |
333 | page_add_new_anon_rmap(page, vma, address); | 574 | */ |
334 | pte_unmap_unlock(pte, ptl); | 575 | vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL); |
335 | 576 | ||
336 | /* no need for flush_tlb */ | 577 | return 0; |
337 | return; | ||
338 | out: | ||
339 | __free_page(page); | ||
340 | force_sig(SIGKILL, current); | ||
341 | } | 578 | } |
342 | 579 | ||
343 | #define EXTRA_STACK_VM_PAGES 20 /* random */ | 580 | #define EXTRA_STACK_VM_PAGES 20 /* random */ |
344 | 581 | ||
582 | /* | ||
583 | * Finalizes the stack vm_area_struct. The flags and permissions are updated, | ||
584 | * the stack is optionally relocated, and some extra space is added. | ||
585 | */ | ||
345 | int setup_arg_pages(struct linux_binprm *bprm, | 586 | int setup_arg_pages(struct linux_binprm *bprm, |
346 | unsigned long stack_top, | 587 | unsigned long stack_top, |
347 | int executable_stack) | 588 | int executable_stack) |
348 | { | 589 | { |
349 | unsigned long stack_base; | 590 | unsigned long ret; |
350 | struct vm_area_struct *mpnt; | 591 | unsigned long stack_shift; |
351 | struct mm_struct *mm = current->mm; | 592 | struct mm_struct *mm = current->mm; |
352 | int i, ret; | 593 | struct vm_area_struct *vma = bprm->vma; |
353 | long arg_size; | 594 | struct vm_area_struct *prev = NULL; |
595 | unsigned long vm_flags; | ||
596 | unsigned long stack_base; | ||
354 | 597 | ||
355 | #ifdef CONFIG_STACK_GROWSUP | 598 | #ifdef CONFIG_STACK_GROWSUP |
356 | /* Move the argument and environment strings to the bottom of the | ||
357 | * stack space. | ||
358 | */ | ||
359 | int offset, j; | ||
360 | char *to, *from; | ||
361 | |||
362 | /* Start by shifting all the pages down */ | ||
363 | i = 0; | ||
364 | for (j = 0; j < MAX_ARG_PAGES; j++) { | ||
365 | struct page *page = bprm->page[j]; | ||
366 | if (!page) | ||
367 | continue; | ||
368 | bprm->page[i++] = page; | ||
369 | } | ||
370 | |||
371 | /* Now move them within their pages */ | ||
372 | offset = bprm->p % PAGE_SIZE; | ||
373 | to = kmap(bprm->page[0]); | ||
374 | for (j = 1; j < i; j++) { | ||
375 | memmove(to, to + offset, PAGE_SIZE - offset); | ||
376 | from = kmap(bprm->page[j]); | ||
377 | memcpy(to + PAGE_SIZE - offset, from, offset); | ||
378 | kunmap(bprm->page[j - 1]); | ||
379 | to = from; | ||
380 | } | ||
381 | memmove(to, to + offset, PAGE_SIZE - offset); | ||
382 | kunmap(bprm->page[j - 1]); | ||
383 | |||
384 | /* Limit stack size to 1GB */ | 599 | /* Limit stack size to 1GB */ |
385 | stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max; | 600 | stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max; |
386 | if (stack_base > (1 << 30)) | 601 | if (stack_base > (1 << 30)) |
387 | stack_base = 1 << 30; | 602 | stack_base = 1 << 30; |
388 | stack_base = PAGE_ALIGN(stack_top - stack_base); | ||
389 | 603 | ||
390 | /* Adjust bprm->p to point to the end of the strings. */ | 604 | /* Make sure we didn't let the argument array grow too large. */ |
391 | bprm->p = stack_base + PAGE_SIZE * i - offset; | 605 | if (vma->vm_end - vma->vm_start > stack_base) |
606 | return -ENOMEM; | ||
392 | 607 | ||
393 | mm->arg_start = stack_base; | 608 | stack_base = PAGE_ALIGN(stack_top - stack_base); |
394 | arg_size = i << PAGE_SHIFT; | ||
395 | 609 | ||
396 | /* zero pages that were copied above */ | 610 | stack_shift = vma->vm_start - stack_base; |
397 | while (i < MAX_ARG_PAGES) | 611 | mm->arg_start = bprm->p - stack_shift; |
398 | bprm->page[i++] = NULL; | 612 | bprm->p = vma->vm_end - stack_shift; |
399 | #else | 613 | #else |
400 | stack_base = arch_align_stack(stack_top - MAX_ARG_PAGES*PAGE_SIZE); | 614 | stack_top = arch_align_stack(stack_top); |
401 | stack_base = PAGE_ALIGN(stack_base); | 615 | stack_top = PAGE_ALIGN(stack_top); |
402 | bprm->p += stack_base; | 616 | stack_shift = vma->vm_end - stack_top; |
617 | |||
618 | bprm->p -= stack_shift; | ||
403 | mm->arg_start = bprm->p; | 619 | mm->arg_start = bprm->p; |
404 | arg_size = stack_top - (PAGE_MASK & (unsigned long) mm->arg_start); | ||
405 | #endif | 620 | #endif |
406 | 621 | ||
407 | arg_size += EXTRA_STACK_VM_PAGES * PAGE_SIZE; | ||
408 | |||
409 | if (bprm->loader) | 622 | if (bprm->loader) |
410 | bprm->loader += stack_base; | 623 | bprm->loader -= stack_shift; |
411 | bprm->exec += stack_base; | 624 | bprm->exec -= stack_shift; |
412 | |||
413 | mpnt = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); | ||
414 | if (!mpnt) | ||
415 | return -ENOMEM; | ||
416 | 625 | ||
417 | down_write(&mm->mmap_sem); | 626 | down_write(&mm->mmap_sem); |
418 | { | 627 | vm_flags = vma->vm_flags; |
419 | mpnt->vm_mm = mm; | 628 | |
420 | #ifdef CONFIG_STACK_GROWSUP | 629 | /* |
421 | mpnt->vm_start = stack_base; | 630 | * Adjust stack execute permissions; explicitly enable for |
422 | mpnt->vm_end = stack_base + arg_size; | 631 | * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone |
423 | #else | 632 | * (arch default) otherwise. |
424 | mpnt->vm_end = stack_top; | 633 | */ |
425 | mpnt->vm_start = mpnt->vm_end - arg_size; | 634 | if (unlikely(executable_stack == EXSTACK_ENABLE_X)) |
426 | #endif | 635 | vm_flags |= VM_EXEC; |
427 | /* Adjust stack execute permissions; explicitly enable | 636 | else if (executable_stack == EXSTACK_DISABLE_X) |
428 | * for EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X | 637 | vm_flags &= ~VM_EXEC; |
429 | * and leave alone (arch default) otherwise. */ | 638 | vm_flags |= mm->def_flags; |
430 | if (unlikely(executable_stack == EXSTACK_ENABLE_X)) | 639 | |
431 | mpnt->vm_flags = VM_STACK_FLAGS | VM_EXEC; | 640 | ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, |
432 | else if (executable_stack == EXSTACK_DISABLE_X) | 641 | vm_flags); |
433 | mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC; | 642 | if (ret) |
434 | else | 643 | goto out_unlock; |
435 | mpnt->vm_flags = VM_STACK_FLAGS; | 644 | BUG_ON(prev != vma); |
436 | mpnt->vm_flags |= mm->def_flags; | 645 | |
437 | mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7]; | 646 | /* Move stack pages down in memory. */ |
438 | if ((ret = insert_vm_struct(mm, mpnt))) { | 647 | if (stack_shift) { |
648 | ret = shift_arg_pages(vma, stack_shift); | ||
649 | if (ret) { | ||
439 | up_write(&mm->mmap_sem); | 650 | up_write(&mm->mmap_sem); |
440 | kmem_cache_free(vm_area_cachep, mpnt); | ||
441 | return ret; | 651 | return ret; |
442 | } | 652 | } |
443 | mm->stack_vm = mm->total_vm = vma_pages(mpnt); | ||
444 | } | 653 | } |
445 | 654 | ||
446 | for (i = 0 ; i < MAX_ARG_PAGES ; i++) { | 655 | #ifdef CONFIG_STACK_GROWSUP |
447 | struct page *page = bprm->page[i]; | 656 | stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE; |
448 | if (page) { | 657 | #else |
449 | bprm->page[i] = NULL; | 658 | stack_base = vma->vm_start - EXTRA_STACK_VM_PAGES * PAGE_SIZE; |
450 | install_arg_page(mpnt, page, stack_base); | 659 | #endif |
451 | } | 660 | ret = expand_stack(vma, stack_base); |
452 | stack_base += PAGE_SIZE; | 661 | if (ret) |
453 | } | 662 | ret = -EFAULT; |
663 | |||
664 | out_unlock: | ||
454 | up_write(&mm->mmap_sem); | 665 | up_write(&mm->mmap_sem); |
455 | |||
456 | return 0; | 666 | return 0; |
457 | } | 667 | } |
458 | |||
459 | EXPORT_SYMBOL(setup_arg_pages); | 668 | EXPORT_SYMBOL(setup_arg_pages); |
460 | 669 | ||
461 | #define free_arg_pages(bprm) do { } while (0) | ||
462 | |||
463 | #else | ||
464 | |||
465 | static inline void free_arg_pages(struct linux_binprm *bprm) | ||
466 | { | ||
467 | int i; | ||
468 | |||
469 | for (i = 0; i < MAX_ARG_PAGES; i++) { | ||
470 | if (bprm->page[i]) | ||
471 | __free_page(bprm->page[i]); | ||
472 | bprm->page[i] = NULL; | ||
473 | } | ||
474 | } | ||
475 | |||
476 | #endif /* CONFIG_MMU */ | 670 | #endif /* CONFIG_MMU */ |
477 | 671 | ||
478 | struct file *open_exec(const char *name) | 672 | struct file *open_exec(const char *name) |
@@ -1000,43 +1194,42 @@ EXPORT_SYMBOL(compute_creds); | |||
1000 | * points to; chop off the first by relocating brpm->p to right after | 1194 | * points to; chop off the first by relocating brpm->p to right after |
1001 | * the first '\0' encountered. | 1195 | * the first '\0' encountered. |
1002 | */ | 1196 | */ |
1003 | void remove_arg_zero(struct linux_binprm *bprm) | 1197 | int remove_arg_zero(struct linux_binprm *bprm) |
1004 | { | 1198 | { |
1005 | if (bprm->argc) { | 1199 | int ret = 0; |
1006 | char ch; | 1200 | unsigned long offset; |
1201 | char *kaddr; | ||
1202 | struct page *page; | ||
1007 | 1203 | ||
1008 | do { | 1204 | if (!bprm->argc) |
1009 | unsigned long offset; | 1205 | return 0; |
1010 | unsigned long index; | ||
1011 | char *kaddr; | ||
1012 | struct page *page; | ||
1013 | |||
1014 | offset = bprm->p & ~PAGE_MASK; | ||
1015 | index = bprm->p >> PAGE_SHIFT; | ||
1016 | 1206 | ||
1017 | page = bprm->page[index]; | 1207 | do { |
1018 | kaddr = kmap_atomic(page, KM_USER0); | 1208 | offset = bprm->p & ~PAGE_MASK; |
1209 | page = get_arg_page(bprm, bprm->p, 0); | ||
1210 | if (!page) { | ||
1211 | ret = -EFAULT; | ||
1212 | goto out; | ||
1213 | } | ||
1214 | kaddr = kmap_atomic(page, KM_USER0); | ||
1019 | 1215 | ||
1020 | /* run through page until we reach end or find NUL */ | 1216 | for (; offset < PAGE_SIZE && kaddr[offset]; |
1021 | do { | 1217 | offset++, bprm->p++) |
1022 | ch = *(kaddr + offset); | 1218 | ; |
1023 | 1219 | ||
1024 | /* discard that character... */ | 1220 | kunmap_atomic(kaddr, KM_USER0); |
1025 | bprm->p++; | 1221 | put_arg_page(page); |
1026 | offset++; | ||
1027 | } while (offset < PAGE_SIZE && ch != '\0'); | ||
1028 | 1222 | ||
1029 | kunmap_atomic(kaddr, KM_USER0); | 1223 | if (offset == PAGE_SIZE) |
1224 | free_arg_page(bprm, (bprm->p >> PAGE_SHIFT) - 1); | ||
1225 | } while (offset == PAGE_SIZE); | ||
1030 | 1226 | ||
1031 | /* free the old page */ | 1227 | bprm->p++; |
1032 | if (offset == PAGE_SIZE) { | 1228 | bprm->argc--; |
1033 | __free_page(page); | 1229 | ret = 0; |
1034 | bprm->page[index] = NULL; | ||
1035 | } | ||
1036 | } while (ch != '\0'); | ||
1037 | 1230 | ||
1038 | bprm->argc--; | 1231 | out: |
1039 | } | 1232 | return ret; |
1040 | } | 1233 | } |
1041 | EXPORT_SYMBOL(remove_arg_zero); | 1234 | EXPORT_SYMBOL(remove_arg_zero); |
1042 | 1235 | ||
@@ -1062,7 +1255,7 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) | |||
1062 | fput(bprm->file); | 1255 | fput(bprm->file); |
1063 | bprm->file = NULL; | 1256 | bprm->file = NULL; |
1064 | 1257 | ||
1065 | loader = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); | 1258 | loader = bprm->vma->vm_end - sizeof(void *); |
1066 | 1259 | ||
1067 | file = open_exec("/sbin/loader"); | 1260 | file = open_exec("/sbin/loader"); |
1068 | retval = PTR_ERR(file); | 1261 | retval = PTR_ERR(file); |
@@ -1156,7 +1349,6 @@ int do_execve(char * filename, | |||
1156 | struct file *file; | 1349 | struct file *file; |
1157 | unsigned long env_p; | 1350 | unsigned long env_p; |
1158 | int retval; | 1351 | int retval; |
1159 | int i; | ||
1160 | 1352 | ||
1161 | retval = -ENOMEM; | 1353 | retval = -ENOMEM; |
1162 | bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); | 1354 | bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); |
@@ -1170,25 +1362,19 @@ int do_execve(char * filename, | |||
1170 | 1362 | ||
1171 | sched_exec(); | 1363 | sched_exec(); |
1172 | 1364 | ||
1173 | bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); | ||
1174 | |||
1175 | bprm->file = file; | 1365 | bprm->file = file; |
1176 | bprm->filename = filename; | 1366 | bprm->filename = filename; |
1177 | bprm->interp = filename; | 1367 | bprm->interp = filename; |
1178 | bprm->mm = mm_alloc(); | ||
1179 | retval = -ENOMEM; | ||
1180 | if (!bprm->mm) | ||
1181 | goto out_file; | ||
1182 | 1368 | ||
1183 | retval = init_new_context(current, bprm->mm); | 1369 | retval = bprm_mm_init(bprm); |
1184 | if (retval < 0) | 1370 | if (retval) |
1185 | goto out_mm; | 1371 | goto out_file; |
1186 | 1372 | ||
1187 | bprm->argc = count(argv, bprm->p / sizeof(void *)); | 1373 | bprm->argc = count(argv, MAX_ARG_STRINGS); |
1188 | if ((retval = bprm->argc) < 0) | 1374 | if ((retval = bprm->argc) < 0) |
1189 | goto out_mm; | 1375 | goto out_mm; |
1190 | 1376 | ||
1191 | bprm->envc = count(envp, bprm->p / sizeof(void *)); | 1377 | bprm->envc = count(envp, MAX_ARG_STRINGS); |
1192 | if ((retval = bprm->envc) < 0) | 1378 | if ((retval = bprm->envc) < 0) |
1193 | goto out_mm; | 1379 | goto out_mm; |
1194 | 1380 | ||
@@ -1217,9 +1403,8 @@ int do_execve(char * filename, | |||
1217 | 1403 | ||
1218 | retval = search_binary_handler(bprm,regs); | 1404 | retval = search_binary_handler(bprm,regs); |
1219 | if (retval >= 0) { | 1405 | if (retval >= 0) { |
1220 | free_arg_pages(bprm); | ||
1221 | |||
1222 | /* execve success */ | 1406 | /* execve success */ |
1407 | free_arg_pages(bprm); | ||
1223 | security_bprm_free(bprm); | 1408 | security_bprm_free(bprm); |
1224 | acct_update_integrals(current); | 1409 | acct_update_integrals(current); |
1225 | kfree(bprm); | 1410 | kfree(bprm); |
@@ -1227,26 +1412,19 @@ int do_execve(char * filename, | |||
1227 | } | 1412 | } |
1228 | 1413 | ||
1229 | out: | 1414 | out: |
1230 | /* Something went wrong, return the inode and free the argument pages*/ | 1415 | free_arg_pages(bprm); |
1231 | for (i = 0 ; i < MAX_ARG_PAGES ; i++) { | ||
1232 | struct page * page = bprm->page[i]; | ||
1233 | if (page) | ||
1234 | __free_page(page); | ||
1235 | } | ||
1236 | |||
1237 | if (bprm->security) | 1416 | if (bprm->security) |
1238 | security_bprm_free(bprm); | 1417 | security_bprm_free(bprm); |
1239 | 1418 | ||
1240 | out_mm: | 1419 | out_mm: |
1241 | if (bprm->mm) | 1420 | if (bprm->mm) |
1242 | mmdrop(bprm->mm); | 1421 | mmput (bprm->mm); |
1243 | 1422 | ||
1244 | out_file: | 1423 | out_file: |
1245 | if (bprm->file) { | 1424 | if (bprm->file) { |
1246 | allow_write_access(bprm->file); | 1425 | allow_write_access(bprm->file); |
1247 | fput(bprm->file); | 1426 | fput(bprm->file); |
1248 | } | 1427 | } |
1249 | |||
1250 | out_kfree: | 1428 | out_kfree: |
1251 | kfree(bprm); | 1429 | kfree(bprm); |
1252 | 1430 | ||