2 * linux/fs/binfmt_aout.c
4 * Copyright (C) 1991, 1992, 1996 Linus Torvalds
7 #include <linux/module.h>
9 #include <linux/time.h>
10 #include <linux/kernel.h>
12 #include <linux/mman.h>
13 #include <linux/a.out.h>
14 #include <linux/errno.h>
15 #include <linux/signal.h>
16 #include <linux/string.h>
18 #include <linux/file.h>
19 #include <linux/stat.h>
20 #include <linux/fcntl.h>
21 #include <linux/ptrace.h>
22 #include <linux/user.h>
23 #include <linux/binfmts.h>
24 #include <linux/personality.h>
25 #include <linux/init.h>
26 #include <linux/coredump.h>
27 #include <linux/slab.h>
29 #include <asm/uaccess.h>
30 #include <asm/cacheflush.h>
31 #include <asm/a.out-core.h>
33 static int load_aout_binary(struct linux_binprm
*);
34 static int load_aout_library(struct file
*);
36 #ifdef CONFIG_COREDUMP
38 * Routine writes a core dump image in the current directory.
39 * Currently only a stub-function.
41 * Note that setuid/setgid files won't make a core-dump if the uid/gid
42 * changed due to the set[u|g]id. It's enforced by the "current->mm->dumpable"
43 * field, which also makes sure the core-dumps won't be recursive if the
44 * dumping of the process results in another error..
46 static int aout_core_dump(struct coredump_params
*cprm
)
48 struct file
*file
= cprm
->file
;
51 void __user
*dump_start
;
55 # define START_DATA(u) ((void __user *)u.start_data)
57 # define START_DATA(u) ((void __user *)((u.u_tsize << PAGE_SHIFT) + \
60 # define START_STACK(u) ((void __user *)u.start_stack)
65 strncpy(dump
.u_comm
, current
->comm
, sizeof(dump
.u_comm
));
66 dump
.u_ar0
= offsetof(struct user
, regs
);
67 dump
.signal
= cprm
->siginfo
->si_signo
;
68 aout_dump_thread(cprm
->regs
, &dump
);
70 /* If the size of the dump file exceeds the rlimit, then see what would happen
71 if we wrote the stack, but not the data area. */
72 if ((dump
.u_dsize
+ dump
.u_ssize
+1) * PAGE_SIZE
> cprm
->limit
)
75 /* Make sure we have enough room to write the stack and data areas. */
76 if ((dump
.u_ssize
+ 1) * PAGE_SIZE
> cprm
->limit
)
79 /* make sure we actually have a data and stack area to dump */
81 if (!access_ok(VERIFY_READ
, START_DATA(dump
), dump
.u_dsize
<< PAGE_SHIFT
))
83 if (!access_ok(VERIFY_READ
, START_STACK(dump
), dump
.u_ssize
<< PAGE_SHIFT
))
88 if (!dump_write(file
, &dump
, sizeof(dump
)))
90 /* Now dump all of the user data. Include malloced stuff as well */
91 if (!dump_seek(cprm
->file
, PAGE_SIZE
- sizeof(dump
)))
93 /* now we start writing out the user space info */
95 /* Dump the data area */
96 if (dump
.u_dsize
!= 0) {
97 dump_start
= START_DATA(dump
);
98 dump_size
= dump
.u_dsize
<< PAGE_SHIFT
;
99 if (!dump_write(file
, dump_start
, dump_size
))
102 /* Now prepare to dump the stack area */
103 if (dump
.u_ssize
!= 0) {
104 dump_start
= START_STACK(dump
);
105 dump_size
= dump
.u_ssize
<< PAGE_SHIFT
;
106 if (!dump_write(file
, dump_start
, dump_size
))
114 #define aout_core_dump NULL
117 static struct linux_binfmt aout_format
= {
118 .module
= THIS_MODULE
,
119 .load_binary
= load_aout_binary
,
120 .load_shlib
= load_aout_library
,
121 .core_dump
= aout_core_dump
,
122 .min_coredump
= PAGE_SIZE
125 #define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
127 static int set_brk(unsigned long start
, unsigned long end
)
129 start
= PAGE_ALIGN(start
);
130 end
= PAGE_ALIGN(end
);
133 addr
= vm_brk(start
, end
- start
);
141 * create_aout_tables() parses the env- and arg-strings in new user
142 * memory and creates the pointer tables from them, and puts their
143 * addresses on the "stack", returning the new stack pointer value.
145 static unsigned long __user
*create_aout_tables(char __user
*p
, struct linux_binprm
* bprm
)
147 char __user
* __user
*argv
;
148 char __user
* __user
*envp
;
149 unsigned long __user
*sp
;
150 int argc
= bprm
->argc
;
151 int envc
= bprm
->envc
;
153 sp
= (void __user
*)((-(unsigned long)sizeof(char *)) & (unsigned long) p
);
155 /* whee.. test-programs are so much fun. */
160 put_user(1003, --sp
);
161 put_user(bprm
->loader
, --sp
);
162 put_user(1002, --sp
);
164 put_user(bprm
->exec
, --sp
);
165 put_user(1001, --sp
);
168 envp
= (char __user
* __user
*) sp
;
170 argv
= (char __user
* __user
*) sp
;
172 put_user((unsigned long) envp
,--sp
);
173 put_user((unsigned long) argv
,--sp
);
176 current
->mm
->arg_start
= (unsigned long) p
;
185 current
->mm
->arg_end
= current
->mm
->env_start
= (unsigned long) p
;
194 current
->mm
->env_end
= (unsigned long) p
;
199 * These are the functions used to load a.out style executables and shared
200 * libraries. There is no binary dependent code anywhere else.
203 static int load_aout_binary(struct linux_binprm
* bprm
)
205 struct pt_regs
*regs
= current_pt_regs();
208 unsigned long fd_offset
;
212 ex
= *((struct exec
*) bprm
->buf
); /* exec-header */
213 if ((N_MAGIC(ex
) != ZMAGIC
&& N_MAGIC(ex
) != OMAGIC
&&
214 N_MAGIC(ex
) != QMAGIC
&& N_MAGIC(ex
) != NMAGIC
) ||
215 N_TRSIZE(ex
) || N_DRSIZE(ex
) ||
216 i_size_read(file_inode(bprm
->file
)) < ex
.a_text
+ex
.a_data
+N_SYMSIZE(ex
)+N_TXTOFF(ex
)) {
221 * Requires a mmap handler. This prevents people from using a.out
222 * as part of an exploit attack against /proc-related vulnerabilities.
224 if (!bprm
->file
->f_op
|| !bprm
->file
->f_op
->mmap
)
227 fd_offset
= N_TXTOFF(ex
);
229 /* Check initial limits. This avoids letting people circumvent
230 * size limits imposed on them by creating programs with large
231 * arrays in the data or bss.
233 rlim
= rlimit(RLIMIT_DATA
);
234 if (rlim
>= RLIM_INFINITY
)
236 if (ex
.a_data
+ ex
.a_bss
> rlim
)
239 /* Flush all traces of the currently running executable */
240 retval
= flush_old_exec(bprm
);
244 /* OK, This is the point of no return */
246 SET_AOUT_PERSONALITY(bprm
, ex
);
248 set_personality(PER_LINUX
);
250 setup_new_exec(bprm
);
252 current
->mm
->end_code
= ex
.a_text
+
253 (current
->mm
->start_code
= N_TXTADDR(ex
));
254 current
->mm
->end_data
= ex
.a_data
+
255 (current
->mm
->start_data
= N_DATADDR(ex
));
256 current
->mm
->brk
= ex
.a_bss
+
257 (current
->mm
->start_brk
= N_BSSADDR(ex
));
259 retval
= setup_arg_pages(bprm
, STACK_TOP
, EXSTACK_DEFAULT
);
261 /* Someone check-me: is this error path enough? */
262 send_sig(SIGKILL
, current
, 0);
266 install_exec_creds(bprm
);
268 if (N_MAGIC(ex
) == OMAGIC
) {
269 unsigned long text_addr
, map_size
;
272 text_addr
= N_TXTADDR(ex
);
276 map_size
= ex
.a_text
+ex
.a_data
+ PAGE_SIZE
- 1;
279 map_size
= ex
.a_text
+ex
.a_data
;
281 error
= vm_brk(text_addr
& PAGE_MASK
, map_size
);
282 if (error
!= (text_addr
& PAGE_MASK
)) {
283 send_sig(SIGKILL
, current
, 0);
287 error
= read_code(bprm
->file
, text_addr
, pos
,
288 ex
.a_text
+ex
.a_data
);
289 if ((signed long)error
< 0) {
290 send_sig(SIGKILL
, current
, 0);
294 if ((ex
.a_text
& 0xfff || ex
.a_data
& 0xfff) &&
295 (N_MAGIC(ex
) != NMAGIC
) && printk_ratelimit())
297 printk(KERN_NOTICE
"executable not page aligned\n");
300 if ((fd_offset
& ~PAGE_MASK
) != 0 && printk_ratelimit())
303 "fd_offset is not page aligned. Please convert program: %s\n",
304 bprm
->file
->f_path
.dentry
->d_name
.name
);
307 if (!bprm
->file
->f_op
->mmap
||((fd_offset
& ~PAGE_MASK
) != 0)) {
308 vm_brk(N_TXTADDR(ex
), ex
.a_text
+ex
.a_data
);
309 read_code(bprm
->file
, N_TXTADDR(ex
), fd_offset
,
310 ex
.a_text
+ ex
.a_data
);
314 error
= vm_mmap(bprm
->file
, N_TXTADDR(ex
), ex
.a_text
,
315 PROT_READ
| PROT_EXEC
,
316 MAP_FIXED
| MAP_PRIVATE
| MAP_DENYWRITE
| MAP_EXECUTABLE
,
319 if (error
!= N_TXTADDR(ex
)) {
320 send_sig(SIGKILL
, current
, 0);
324 error
= vm_mmap(bprm
->file
, N_DATADDR(ex
), ex
.a_data
,
325 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
326 MAP_FIXED
| MAP_PRIVATE
| MAP_DENYWRITE
| MAP_EXECUTABLE
,
327 fd_offset
+ ex
.a_text
);
328 if (error
!= N_DATADDR(ex
)) {
329 send_sig(SIGKILL
, current
, 0);
334 set_binfmt(&aout_format
);
336 retval
= set_brk(current
->mm
->start_brk
, current
->mm
->brk
);
338 send_sig(SIGKILL
, current
, 0);
342 current
->mm
->start_stack
=
343 (unsigned long) create_aout_tables((char __user
*) bprm
->p
, bprm
);
345 regs
->gp
= ex
.a_gpvalue
;
347 start_thread(regs
, ex
.a_entry
, current
->mm
->start_stack
);
351 static int load_aout_library(struct file
*file
)
353 struct inode
* inode
;
354 unsigned long bss
, start_addr
, len
;
359 inode
= file_inode(file
);
362 error
= kernel_read(file
, 0, (char *) &ex
, sizeof(ex
));
363 if (error
!= sizeof(ex
))
366 /* We come in here for the regular a.out style of shared libraries */
367 if ((N_MAGIC(ex
) != ZMAGIC
&& N_MAGIC(ex
) != QMAGIC
) || N_TRSIZE(ex
) ||
368 N_DRSIZE(ex
) || ((ex
.a_entry
& 0xfff) && N_MAGIC(ex
) == ZMAGIC
) ||
369 i_size_read(inode
) < ex
.a_text
+ex
.a_data
+N_SYMSIZE(ex
)+N_TXTOFF(ex
)) {
374 * Requires a mmap handler. This prevents people from using a.out
375 * as part of an exploit attack against /proc-related vulnerabilities.
377 if (!file
->f_op
|| !file
->f_op
->mmap
)
383 /* For QMAGIC, the starting address is 0x20 into the page. We mask
384 this off to get the starting address for the page */
386 start_addr
= ex
.a_entry
& 0xfffff000;
388 if ((N_TXTOFF(ex
) & ~PAGE_MASK
) != 0) {
389 if (printk_ratelimit())
392 "N_TXTOFF is not page aligned. Please convert library: %s\n",
393 file
->f_path
.dentry
->d_name
.name
);
395 vm_brk(start_addr
, ex
.a_text
+ ex
.a_data
+ ex
.a_bss
);
397 read_code(file
, start_addr
, N_TXTOFF(ex
),
398 ex
.a_text
+ ex
.a_data
);
402 /* Now use mmap to map the library into memory. */
403 error
= vm_mmap(file
, start_addr
, ex
.a_text
+ ex
.a_data
,
404 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
405 MAP_FIXED
| MAP_PRIVATE
| MAP_DENYWRITE
,
408 if (error
!= start_addr
)
411 len
= PAGE_ALIGN(ex
.a_text
+ ex
.a_data
);
412 bss
= ex
.a_text
+ ex
.a_data
+ ex
.a_bss
;
414 error
= vm_brk(start_addr
+ len
, bss
- len
);
416 if (error
!= start_addr
+ len
)
424 static int __init
init_aout_binfmt(void)
426 register_binfmt(&aout_format
);
430 static void __exit
exit_aout_binfmt(void)
432 unregister_binfmt(&aout_format
);
435 core_initcall(init_aout_binfmt
);
436 module_exit(exit_aout_binfmt
);
437 MODULE_LICENSE("GPL");