search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge remote-tracking branch 'origin/master'
[unleashed/lotheac.git] / usr / src / uts / common / exec / elf / elf.c
blob682cc56a02d44db3b5fbcd00616c2b69867f7cfd
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
27 /* All Rights Reserved */
28 /*
29 * Copyright (c) 2018, Joyent, Inc.
30 */
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/thread.h>
35 #include <sys/sysmacros.h>
36 #include <sys/signal.h>
37 #include <sys/cred.h>
38 #include <sys/user.h>
39 #include <sys/errno.h>
40 #include <sys/vnode.h>
41 #include <sys/mman.h>
42 #include <sys/kmem.h>
43 #include <sys/proc.h>
44 #include <sys/pathname.h>
45 #include <sys/policy.h>
46 #include <sys/cmn_err.h>
47 #include <sys/systm.h>
48 #include <sys/elf.h>
49 #include <sys/vmsystm.h>
50 #include <sys/debug.h>
51 #include <sys/auxv.h>
52 #include <sys/exec.h>
53 #include <sys/prsystm.h>
54 #include <vm/as.h>
55 #include <vm/rm.h>
56 #include <vm/seg.h>
57 #include <vm/seg_vn.h>
58 #include <sys/modctl.h>
59 #include <sys/systeminfo.h>
60 #include <sys/vmparam.h>
61 #include <sys/machelf.h>
62 #include <sys/shm_impl.h>
63 #include <sys/archsystm.h>
64 #include <sys/fasttrap.h>
65 #include <sys/brand.h>
66 #include "elf_impl.h"
67 #include <sys/sdt.h>
68 #include <sys/siginfo.h>
69 #include <sys/random.h>
70
71 #if defined(__x86)
72 #include <sys/comm_page_util.h>
73 #include <sys/fp.h>
74 #endif /* defined(__x86) */
75
76
77 extern int at_flags;
78 extern volatile size_t aslr_max_brk_skew;
79
80 #define ORIGIN_STR "ORIGIN"
81 #define ORIGIN_STR_SIZE 6
82
83 static int getelfhead(vnode_t *, cred_t *, Ehdr *, int *, int *, int *);
84 static int getelfphdr(vnode_t *, cred_t *, const Ehdr *, int, caddr_t *,
85 ssize_t *);
86 static int getelfshdr(vnode_t *, cred_t *, const Ehdr *, int, int, caddr_t *,
87 ssize_t *, caddr_t *, ssize_t *);
88 static size_t elfsize(Ehdr *, int, caddr_t, uintptr_t *);
89 static int mapelfexec(vnode_t *, Ehdr *, int, caddr_t,
90 Phdr **, Phdr **, Phdr **, Phdr **, Phdr *,
91 caddr_t *, caddr_t *, intptr_t *, intptr_t *, size_t, long *, size_t *,
92 boolean_t);
93
94 typedef enum {
95 STR_CTF,
96 STR_SYMTAB,
97 STR_DYNSYM,
98 STR_STRTAB,
99 STR_DYNSTR,
100 STR_SHSTRTAB,
101 STR_NUM
102 } shstrtype_t;
103
104 static const char *shstrtab_data[] = {
105 ".SUNW_ctf",
106 ".symtab",
107 ".dynsym",
108 ".strtab",
109 ".dynstr",
110 ".shstrtab"
111 };
112
113 typedef struct shstrtab {
114 int sst_ndx[STR_NUM];
115 int sst_cur;
116 } shstrtab_t;
117
118 static void
119 shstrtab_init(shstrtab_t *s)
120 {
121 bzero(&s->sst_ndx, sizeof (s->sst_ndx));
122 s->sst_cur = 1;
123 }
124
125 static int
126 shstrtab_ndx(shstrtab_t *s, shstrtype_t type)
127 {
128 int ret;
129
130 if ((ret = s->sst_ndx[type]) != 0)
131 return (ret);
132
133 ret = s->sst_ndx[type] = s->sst_cur;
134 s->sst_cur += strlen(shstrtab_data[type]) + 1;
135
136 return (ret);
137 }
138
139 static size_t
140 shstrtab_size(const shstrtab_t *s)
141 {
142 return (s->sst_cur);
143 }
144
145 static void
146 shstrtab_dump(const shstrtab_t *s, char *buf)
147 {
148 int i, ndx;
149
150 *buf = '\0';
151 for (i = 0; i < STR_NUM; i++) {
152 if ((ndx = s->sst_ndx[i]) != 0)
153 (void) strcpy(buf + ndx, shstrtab_data[i]);
154 }
155 }
156
157 static int
158 dtrace_safe_phdr(Phdr *phdrp, struct uarg *args, uintptr_t base)
159 {
160 ASSERT(phdrp->p_type == PT_SUNWDTRACE);
161
162 /*
163 * See the comment in fasttrap.h for information on how to safely
164 * update this program header.
165 */
166 if (phdrp->p_memsz < PT_SUNWDTRACE_SIZE ||
167 (phdrp->p_flags & (PF_R | PF_W | PF_X)) != (PF_R | PF_W | PF_X))
168 return (-1);
169
170 args->thrptr = phdrp->p_vaddr + base;
171
172 return (0);
173 }
174
175 static int
176 handle_secflag_dt(proc_t *p, uint_t dt, uint_t val)
177 {
178 uint_t flag;
179
180 switch (dt) {
181 case DT_SUNW_ASLR:
182 flag = PROC_SEC_ASLR;
183 break;
184 default:
185 return (EINVAL);
186 }
187
188 if (val == 0) {
189 if (secflag_isset(p->p_secflags.psf_lower, flag))
190 return (EPERM);
191 if ((secpolicy_psecflags(CRED(), p, p) != 0) &&
192 secflag_isset(p->p_secflags.psf_inherit, flag))
193 return (EPERM);
194
195 secflag_clear(&p->p_secflags.psf_effective, flag);
196 } else {
197 if (!secflag_isset(p->p_secflags.psf_upper, flag))
198 return (EPERM);
199
200 if ((secpolicy_psecflags(CRED(), p, p) != 0) &&
201 !secflag_isset(p->p_secflags.psf_inherit, flag))
202 return (EPERM);
203
204 secflag_set(&p->p_secflags.psf_effective, flag);
205 }
206
207 return (0);
208 }
209
210 /*
211 * Map in the executable pointed to by vp. Returns 0 on success.
212 */
213 int
214 mapexec_brand(vnode_t *vp, uarg_t *args, Ehdr *ehdr, Addr *uphdr_vaddr,
215 intptr_t *voffset, caddr_t exec_file, int *interp, caddr_t *bssbase,
216 caddr_t *brkbase, size_t *brksize, uintptr_t *lddatap)
217 {
218 size_t len;
219 struct vattr vat;
220 caddr_t phdrbase = NULL;
221 ssize_t phdrsize;
222 int nshdrs, shstrndx, nphdrs;
223 int error = 0;
224 Phdr *uphdr = NULL;
225 Phdr *junk = NULL;
226 Phdr *dynphdr = NULL;
227 Phdr *dtrphdr = NULL;
228 uintptr_t lddata;
229 long execsz;
230 intptr_t minaddr;
231
232 if (lddatap != NULL)
233 *lddatap = (uintptr_t)NULL;
234
235 if (error = execpermissions(vp, &vat, args)) {
236 uprintf("%s: Cannot execute %s\n", exec_file, args->pathname);
237 return (error);
238 }
239
240 if ((error = getelfhead(vp, CRED(), ehdr, &nshdrs, &shstrndx,
241 &nphdrs)) != 0 ||
242 (error = getelfphdr(vp, CRED(), ehdr, nphdrs, &phdrbase,
243 &phdrsize)) != 0) {
244 uprintf("%s: Cannot read %s\n", exec_file, args->pathname);
245 return (error);
246 }
247
248 if ((len = elfsize(ehdr, nphdrs, phdrbase, &lddata)) == 0) {
249 uprintf("%s: Nothing to load in %s", exec_file, args->pathname);
250 kmem_free(phdrbase, phdrsize);
251 return (ENOEXEC);
252 }
253 if (lddatap != NULL)
254 *lddatap = lddata;
255
256 if (error = mapelfexec(vp, ehdr, nphdrs, phdrbase, &uphdr, &dynphdr,
257 &junk, &dtrphdr, NULL, bssbase, brkbase, voffset, &minaddr,
258 len, &execsz, brksize, B_TRUE)) {
259 uprintf("%s: Cannot map %s\n", exec_file, args->pathname);
260 kmem_free(phdrbase, phdrsize);
261 return (error);
262 }
263
264 /*
265 * Inform our caller if the executable needs an interpreter.
266 */
267 *interp = (dynphdr == NULL) ? 0 : 1;
268
269 /*
270 * If this is a statically linked executable, voffset should indicate
271 * the address of the executable itself (it normally holds the address
272 * of the interpreter).
273 */
274 if (ehdr->e_type == ET_EXEC && *interp == 0)
275 *voffset = minaddr;
276
277 if (uphdr != NULL) {
278 *uphdr_vaddr = uphdr->p_vaddr;
279 } else {
280 *uphdr_vaddr = (Addr)-1;
281 }
282
283 kmem_free(phdrbase, phdrsize);
284 return (error);
285 }
286
287 /*ARGSUSED*/
288 int
289 elfexec(vnode_t *vp, execa_t *uap, uarg_t *args, intpdata_t *idatap,
290 int level, long *execsz, int setid, caddr_t exec_file, cred_t *cred,
291 int brand_action)
292 {
293 caddr_t phdrbase = NULL;
294 caddr_t bssbase = 0;
295 caddr_t brkbase = 0;
296 size_t brksize = 0;
297 ssize_t dlnsize;
298 aux_entry_t *aux;
299 int error;
300 ssize_t resid;
301 int fd = -1;
302 intptr_t voffset;
303 Phdr *intphdr = NULL;
304 Phdr *dynamicphdr = NULL;
305 Phdr *stphdr = NULL;
306 Phdr *uphdr = NULL;
307 Phdr *junk = NULL;
308 size_t len;
309 ssize_t phdrsize;
310 int postfixsize = 0;
311 int i, hsize;
312 Phdr *phdrp;
313 Phdr *dataphdrp = NULL;
314 Phdr *dtrphdr;
315 Phdr *capphdr = NULL;
316 Cap *cap = NULL;
317 ssize_t capsize;
318 Dyn *dyn = NULL;
319 int hasu = 0;
320 int hasauxv = 0;
321 int hasintp = 0;
322 int branded = 0;
323
324 struct proc *p = ttoproc(curthread);
325 struct user *up = PTOU(p);
326 struct bigwad {
327 Ehdr ehdr;
328 aux_entry_t elfargs[__KERN_NAUXV_IMPL];
329 char dl_name[MAXPATHLEN];
330 char pathbuf[MAXPATHLEN];
331 struct vattr vattr;
332 struct execenv exenv;
333 } *bigwad; /* kmem_alloc this behemoth so we don't blow stack */
334 Ehdr *ehdrp;
335 int nshdrs, shstrndx, nphdrs;
336 char *dlnp;
337 char *pathbufp;
338 rlim_t limit;
339 rlim_t roundlimit;
340
341 ASSERT(p->p_model == DATAMODEL_ILP32 || p->p_model == DATAMODEL_LP64);
342
343 bigwad = kmem_alloc(sizeof (struct bigwad), KM_SLEEP);
344 ehdrp = &bigwad->ehdr;
345 dlnp = bigwad->dl_name;
346 pathbufp = bigwad->pathbuf;
347
348 /*
349 * Obtain ELF and program header information.
350 */
351 if ((error = getelfhead(vp, CRED(), ehdrp, &nshdrs, &shstrndx,
352 &nphdrs)) != 0 ||
353 (error = getelfphdr(vp, CRED(), ehdrp, nphdrs, &phdrbase,
354 &phdrsize)) != 0)
355 goto out;
356
357 /*
358 * Prevent executing an ELF file that has no entry point.
359 */
360 if (ehdrp->e_entry == 0) {
361 uprintf("%s: Bad entry point\n", exec_file);
362 goto bad;
363 }
364
365 /*
366 * Put data model that we're exec-ing to into the args passed to
367 * exec_args(), so it will know what it is copying to on new stack.
368 * Now that we know whether we are exec-ing a 32-bit or 64-bit
369 * executable, we can set execsz with the appropriate NCARGS.
370 */
371 #ifdef _LP64
372 if (ehdrp->e_ident[EI_CLASS] == ELFCLASS32) {
373 args->to_model = DATAMODEL_ILP32;
374 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS32-1);
375 } else {
376 args->to_model = DATAMODEL_LP64;
377 args->stk_prot &= ~PROT_EXEC;
378 #if defined(__i386) || defined(__amd64)
379 args->dat_prot &= ~PROT_EXEC;
380 #endif
381 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS64-1);
382 }
383 #else /* _LP64 */
384 args->to_model = DATAMODEL_ILP32;
385 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS-1);
386 #endif /* _LP64 */
387
388 /*
389 * We delay invoking the brand callback until we've figured out
390 * what kind of elf binary we're trying to run, 32-bit or 64-bit.
391 * We do this because now the brand library can just check
392 * args->to_model to see if the target is 32-bit or 64-bit without
393 * having do duplicate all the code above.
394 *
395 * The level checks associated with brand handling below are used to
396 * prevent a loop since the brand elfexec function typically comes back
397 * through this function. We must check <= here since the nested
398 * handling in the #! interpreter code will increment the level before
399 * calling gexec to run the final elfexec interpreter.
400 */
401 if ((level <= INTP_MAXDEPTH) &&
402 (brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) {
403 error = BROP(p)->b_elfexec(vp, uap, args,
404 idatap, level + 1, execsz, setid, exec_file, cred,
405 brand_action);
406 goto out;
407 }
408
409 /*
410 * Determine aux size now so that stack can be built
411 * in one shot (except actual copyout of aux image),
412 * determine any non-default stack protections,
413 * and still have this code be machine independent.
414 */
415 hsize = ehdrp->e_phentsize;
416 phdrp = (Phdr *)phdrbase;
417 for (i = nphdrs; i > 0; i--) {
418 switch (phdrp->p_type) {
419 case PT_INTERP:
420 hasauxv = hasintp = 1;
421 break;
422 case PT_PHDR:
423 hasu = 1;
424 break;
425 case PT_SUNWSTACK:
426 args->stk_prot = PROT_USER;
427 if (phdrp->p_flags & PF_R)
428 args->stk_prot |= PROT_READ;
429 if (phdrp->p_flags & PF_W)
430 args->stk_prot |= PROT_WRITE;
431 if (phdrp->p_flags & PF_X)
432 args->stk_prot |= PROT_EXEC;
433 break;
434 case PT_LOAD:
435 dataphdrp = phdrp;
436 break;
437 case PT_SUNWCAP:
438 capphdr = phdrp;
439 break;
440 case PT_DYNAMIC:
441 dynamicphdr = phdrp;
442 break;
443 }
444 phdrp = (Phdr *)((caddr_t)phdrp + hsize);
445 }
446
447 if (ehdrp->e_type != ET_EXEC) {
448 dataphdrp = NULL;
449 hasauxv = 1;
450 }
451
452 /* Copy BSS permissions to args->dat_prot */
453 if (dataphdrp != NULL) {
454 args->dat_prot = PROT_USER;
455 if (dataphdrp->p_flags & PF_R)
456 args->dat_prot |= PROT_READ;
457 if (dataphdrp->p_flags & PF_W)
458 args->dat_prot |= PROT_WRITE;
459 if (dataphdrp->p_flags & PF_X)
460 args->dat_prot |= PROT_EXEC;
461 }
462
463 /*
464 * If a auxvector will be required - reserve the space for
465 * it now. This may be increased by exec_args if there are
466 * ISA-specific types (included in __KERN_NAUXV_IMPL).
467 */
468 if (hasauxv) {
469 /*
470 * If a AUX vector is being built - the base AUX
471 * entries are:
472 *
473 * AT_BASE
474 * AT_FLAGS
475 * AT_PAGESZ
476 * AT_SUN_AUXFLAGS
477 * AT_SUN_HWCAP
478 * AT_SUN_HWCAP2
479 * AT_SUN_PLATFORM (added in stk_copyout)
480 * AT_SUN_EXECNAME (added in stk_copyout)
481 * AT_NULL
482 *
483 * total == 9
484 */
485 if (hasintp && hasu) {
486 /*
487 * Has PT_INTERP & PT_PHDR - the auxvectors that
488 * will be built are:
489 *
490 * AT_PHDR
491 * AT_PHENT
492 * AT_PHNUM
493 * AT_ENTRY
494 * AT_LDDATA
495 *
496 * total = 5
497 */
498 args->auxsize = (9 + 5) * sizeof (aux_entry_t);
499 } else if (hasintp) {
500 /*
501 * Has PT_INTERP but no PT_PHDR
502 *
503 * AT_EXECFD
504 * AT_LDDATA
505 *
506 * total = 2
507 */
508 args->auxsize = (9 + 2) * sizeof (aux_entry_t);
509 } else {
510 args->auxsize = 9 * sizeof (aux_entry_t);
511 }
512 } else {
513 args->auxsize = 0;
514 }
515
516 /*
517 * If this binary is using an emulator, we need to add an
518 * AT_SUN_EMULATOR aux entry.
519 */
520 if (args->emulator != NULL)
521 args->auxsize += sizeof (aux_entry_t);
522
523 /*
524 * On supported kernels (x86_64) make room in the auxv for the
525 * AT_SUN_COMMPAGE entry. This will go unpopulated on i86xpv systems
526 * which do not provide such functionality.
527 *
528 * Additionally cover the floating point information AT_SUN_FPSIZE and
529 * AT_SUN_FPTYPE.
530 */
531 #if defined(__amd64)
532 args->auxsize += 3 * sizeof (aux_entry_t);
533 #endif /* defined(__amd64) */
534
535 if ((brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) {
536 branded = 1;
537 /*
538 * We will be adding 4 entries to the aux vectors. One for
539 * the the brandname and 3 for the brand specific aux vectors.
540 */
541 args->auxsize += 4 * sizeof (aux_entry_t);
542 }
543
544 /* If the binary has an explicit ASLR flag, it must be honoured */
545 if ((dynamicphdr != NULL) &&
546 (dynamicphdr->p_filesz > 0)) {
547 Dyn *dp;
548 off_t i = 0;
549
550 #define DYN_STRIDE 100
551 for (i = 0; i < dynamicphdr->p_filesz;
552 i += sizeof (*dyn) * DYN_STRIDE) {
553 int ndyns = (dynamicphdr->p_filesz - i) / sizeof (*dyn);
554 size_t dynsize;
555
556 ndyns = MIN(DYN_STRIDE, ndyns);
557 dynsize = ndyns * sizeof (*dyn);
558
559 dyn = kmem_alloc(dynsize, KM_SLEEP);
560
561 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)dyn,
562 dynsize, (offset_t)(dynamicphdr->p_offset + i),
563 UIO_SYSSPACE, 0, 0,
564 CRED(), &resid)) != 0) {
565 uprintf("%s: cannot read .dynamic section\n",
566 exec_file);
567 goto out;
568 }
569
570 for (dp = dyn; dp < (dyn + ndyns); dp++) {
571 if (dp->d_tag == DT_SUNW_ASLR) {
572 if ((error = handle_secflag_dt(p,
573 DT_SUNW_ASLR,
574 dp->d_un.d_val)) != 0) {
575 uprintf("%s: error setting "
576 "security-flag from "
577 "DT_SUNW_ASLR: %d\n",
578 exec_file, error);
579 goto out;
580 }
581 }
582 }
583
584 kmem_free(dyn, dynsize);
585 }
586 }
587
588 /* Hardware/Software capabilities */
589 if (capphdr != NULL &&
590 (capsize = capphdr->p_filesz) > 0 &&
591 capsize <= 16 * sizeof (*cap)) {
592 int ncaps = capsize / sizeof (*cap);
593 Cap *cp;
594
595 cap = kmem_alloc(capsize, KM_SLEEP);
596 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)cap,
597 capsize, (offset_t)capphdr->p_offset,
598 UIO_SYSSPACE, 0, 0, CRED(), &resid)) != 0) {
599 uprintf("%s: Cannot read capabilities section\n",
600 exec_file);
601 goto out;
602 }
603 for (cp = cap; cp < cap + ncaps; cp++) {
604 if (cp->c_tag == CA_SUNW_SF_1 &&
605 (cp->c_un.c_val & SF1_SUNW_ADDR32)) {
606 if (args->to_model == DATAMODEL_LP64)
607 args->addr32 = 1;
608 break;
609 }
610 }
611 }
612
613 aux = bigwad->elfargs;
614 /*
615 * Move args to the user's stack.
616 * This can fill in the AT_SUN_PLATFORM and AT_SUN_EXECNAME aux entries.
617 */
618 if ((error = exec_args(uap, args, idatap, (void **)&aux)) != 0) {
619 if (error == -1) {
620 error = ENOEXEC;
621 goto bad;
622 }
623 goto out;
624 }
625 /* we're single threaded after this point */
626
627 /*
628 * If this is an ET_DYN executable (shared object),
629 * determine its memory size so that mapelfexec() can load it.
630 */
631 if (ehdrp->e_type == ET_DYN)
632 len = elfsize(ehdrp, nphdrs, phdrbase, NULL);
633 else
634 len = 0;
635
636 dtrphdr = NULL;
637
638 if ((error = mapelfexec(vp, ehdrp, nphdrs, phdrbase, &uphdr, &intphdr,
639 &stphdr, &dtrphdr, dataphdrp, &bssbase, &brkbase, &voffset, NULL,
640 len, execsz, &brksize, B_TRUE)) != 0)
641 goto bad;
642
643 if (uphdr != NULL && intphdr == NULL)
644 goto bad;
645
646 if (dtrphdr != NULL && dtrace_safe_phdr(dtrphdr, args, voffset) != 0) {
647 uprintf("%s: Bad DTrace phdr in %s\n", exec_file, exec_file);
648 goto bad;
649 }
650
651 if (intphdr != NULL) {
652 size_t len;
653 uintptr_t lddata;
654 char *p;
655 struct vnode *nvp;
656
657 dlnsize = intphdr->p_filesz;
658
659 if (dlnsize > MAXPATHLEN || dlnsize <= 0)
660 goto bad;
661
662 /*
663 * Read in "interpreter" pathname.
664 */
665 if ((error = vn_rdwr(UIO_READ, vp, dlnp, intphdr->p_filesz,
666 (offset_t)intphdr->p_offset, UIO_SYSSPACE, 0, 0,
667 CRED(), &resid)) != 0) {
668 uprintf("%s: Cannot obtain interpreter pathname\n",
669 exec_file);
670 goto bad;
671 }
672
673 if (resid != 0 || dlnp[dlnsize - 1] != '\0')
674 goto bad;
675
676 /*
677 * Search for '$ORIGIN' token in interpreter path.
678 * If found, expand it.
679 */
680 for (p = dlnp; p = strchr(p, '$'); ) {
681 uint_t len, curlen;
682 char *_ptr;
683
684 if (strncmp(++p, ORIGIN_STR, ORIGIN_STR_SIZE))
685 continue;
686
687 /*
688 * We don't support $ORIGIN on setid programs to close
689 * a potential attack vector.
690 */
691 if ((setid & EXECSETID_SETID) != 0) {
692 error = ENOEXEC;
693 goto bad;
694 }
695
696 curlen = 0;
697 len = p - dlnp - 1;
698 if (len) {
699 bcopy(dlnp, pathbufp, len);
700 curlen += len;
701 }
702 if (_ptr = strrchr(args->pathname, '/')) {
703 len = _ptr - args->pathname;
704 if ((curlen + len) > MAXPATHLEN)
705 break;
706
707 bcopy(args->pathname, &pathbufp[curlen], len);
708 curlen += len;
709 } else {
710 /*
711 * executable is a basename found in the
712 * current directory. So - just substitue
713 * '.' for ORIGIN.
714 */
715 pathbufp[curlen] = '.';
716 curlen++;
717 }
718 p += ORIGIN_STR_SIZE;
719 len = strlen(p);
720
721 if ((curlen + len) > MAXPATHLEN)
722 break;
723 bcopy(p, &pathbufp[curlen], len);
724 curlen += len;
725 pathbufp[curlen++] = '\0';
726 bcopy(pathbufp, dlnp, curlen);
727 }
728
729 /*
730 * /usr/lib/ld.so.1 is known to be a symlink to /lib/ld.so.1
731 * (and /usr/lib/64/ld.so.1 is a symlink to /lib/64/ld.so.1).
732 * Just in case /usr is not mounted, change it now.
733 */
734 if (strcmp(dlnp, USR_LIB_RTLD) == 0)
735 dlnp += 4;
736 error = lookupname(dlnp, UIO_SYSSPACE, FOLLOW, NULLVPP, &nvp);
737 if (error && dlnp != bigwad->dl_name) {
738 /* new kernel, old user-level */
739 error = lookupname(dlnp -= 4, UIO_SYSSPACE, FOLLOW,
740 NULLVPP, &nvp);
741 }
742 if (error) {
743 uprintf("%s: Cannot find %s\n", exec_file, dlnp);
744 goto bad;
745 }
746
747 /*
748 * Setup the "aux" vector.
749 */
750 if (uphdr) {
751 if ((ehdrp->e_type == ET_DYN) &&
752 (ehdrp->e_entry == 0)) {
753 /* don't use the first page */
754 bigwad->exenv.ex_brkbase = (caddr_t)PAGESIZE;
755 bigwad->exenv.ex_bssbase = (caddr_t)PAGESIZE;
756 } else {
757 bigwad->exenv.ex_bssbase = bssbase;
758 bigwad->exenv.ex_brkbase = brkbase;
759 }
760 bigwad->exenv.ex_brksize = brksize;
761 bigwad->exenv.ex_magic = elfmagic;
762 bigwad->exenv.ex_vp = vp;
763 setexecenv(&bigwad->exenv);
764
765 ADDAUX(aux, AT_PHDR, uphdr->p_vaddr + voffset)
766 ADDAUX(aux, AT_PHENT, ehdrp->e_phentsize)
767 ADDAUX(aux, AT_PHNUM, nphdrs)
768 ADDAUX(aux, AT_ENTRY, ehdrp->e_entry + voffset)
769 } else {
770 if ((error = execopen(&vp, &fd)) != 0) {
771 VN_RELE(nvp);
772 goto bad;
773 }
774
775 ADDAUX(aux, AT_EXECFD, fd)
776 }
777
778 if ((error = execpermissions(nvp, &bigwad->vattr, args)) != 0) {
779 VN_RELE(nvp);
780 uprintf("%s: Cannot execute %s\n", exec_file, dlnp);
781 goto bad;
782 }
783
784 /*
785 * Now obtain the ELF header along with the entire program
786 * header contained in "nvp".
787 */
788 kmem_free(phdrbase, phdrsize);
789 phdrbase = NULL;
790 if ((error = getelfhead(nvp, CRED(), ehdrp, &nshdrs,
791 &shstrndx, &nphdrs)) != 0 ||
792 (error = getelfphdr(nvp, CRED(), ehdrp, nphdrs, &phdrbase,
793 &phdrsize)) != 0) {
794 VN_RELE(nvp);
795 uprintf("%s: Cannot read %s\n", exec_file, dlnp);
796 goto bad;
797 }
798
799 /*
800 * Determine memory size of the "interpreter's" loadable
801 * sections. This size is then used to obtain the virtual
802 * address of a hole, in the user's address space, large
803 * enough to map the "interpreter".
804 */
805 if ((len = elfsize(ehdrp, nphdrs, phdrbase, &lddata)) == 0) {
806 VN_RELE(nvp);
807 uprintf("%s: Nothing to load in %s\n", exec_file, dlnp);
808 goto bad;
809 }
810
811 dtrphdr = NULL;
812
813 error = mapelfexec(nvp, ehdrp, nphdrs, phdrbase, &junk, &junk,
814 &junk, &dtrphdr, NULL, NULL, NULL, &voffset, NULL, len,
815 execsz, NULL, B_FALSE);
816 if (error || junk != NULL) {
817 VN_RELE(nvp);
818 uprintf("%s: Cannot map %s\n", exec_file, dlnp);
819 goto bad;
820 }
821
822 /*
823 * We use the DTrace program header to initialize the
824 * architecture-specific user per-LWP location. The dtrace
825 * fasttrap provider requires ready access to per-LWP scratch
826 * space. We assume that there is only one such program header
827 * in the interpreter.
828 */
829 if (dtrphdr != NULL &&
830 dtrace_safe_phdr(dtrphdr, args, voffset) != 0) {
831 VN_RELE(nvp);
832 uprintf("%s: Bad DTrace phdr in %s\n", exec_file, dlnp);
833 goto bad;
834 }
835
836 VN_RELE(nvp);
837 ADDAUX(aux, AT_SUN_LDDATA, voffset + lddata)
838 }
839
840 if (hasauxv) {
841 int auxf = AF_SUN_HWCAPVERIFY;
842 size_t fpsize;
843 int fptype;
844
845 /*
846 * Note: AT_SUN_PLATFORM and AT_SUN_EXECNAME were filled in via
847 * exec_args()
848 */
849 ADDAUX(aux, AT_BASE, voffset)
850 ADDAUX(aux, AT_FLAGS, at_flags)
851 ADDAUX(aux, AT_PAGESZ, PAGESIZE)
852 /*
853 * Linker flags. (security)
854 * p_flag not yet set at this time.
855 * We rely on gexec() to provide us with the information.
856 * If the application is set-uid but this is not reflected
857 * in a mismatch between real/effective uids/gids, then
858 * don't treat this as a set-uid exec. So we care about
859 * the EXECSETID_UGIDS flag but not the ...SETID flag.
860 */
861 if ((setid &= ~EXECSETID_SETID) != 0)
862 auxf |= AF_SUN_SETUGID;
863
864 /*
865 * If we're running a native process from within a branded
866 * zone under pfexec then we clear the AF_SUN_SETUGID flag so
867 * that the native ld.so.1 is able to link with the native
868 * libraries instead of using the brand libraries that are
869 * installed in the zone. We only do this for processes
870 * which we trust because we see they are already running
871 * under pfexec (where uid != euid). This prevents a
872 * malicious user within the zone from crafting a wrapper to
873 * run native suid commands with unsecure libraries interposed.
874 */
875 if ((brand_action == EBA_NATIVE) && (PROC_IS_BRANDED(p) &&
876 (setid &= ~EXECSETID_SETID) != 0))
877 auxf &= ~AF_SUN_SETUGID;
878
879 /*
880 * Record the user addr of the auxflags aux vector entry
881 * since brands may optionally want to manipulate this field.
882 */
883 args->auxp_auxflags =
884 (char *)((char *)args->stackend +
885 ((char *)&aux->a_type -
886 (char *)bigwad->elfargs));
887 ADDAUX(aux, AT_SUN_AUXFLAGS, auxf);
888
889 /*
890 * Hardware capability flag word (performance hints)
891 * Used for choosing faster library routines.
892 * (Potentially different between 32-bit and 64-bit ABIs)
893 */
894 #if defined(_LP64)
895 if (args->to_model == DATAMODEL_NATIVE) {
896 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap)
897 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap_2)
898 } else {
899 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap32)
900 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap32_2)
901 }
902 #else
903 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap)
904 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap_2)
905 #endif
906 if (branded) {
907 /*
908 * Reserve space for the brand-private aux vectors,
909 * and record the user addr of that space.
910 */
911 args->auxp_brand =
912 (char *)((char *)args->stackend +
913 ((char *)&aux->a_type -
914 (char *)bigwad->elfargs));
915 ADDAUX(aux, AT_SUN_BRAND_AUX1, 0)
916 ADDAUX(aux, AT_SUN_BRAND_AUX2, 0)
917 ADDAUX(aux, AT_SUN_BRAND_AUX3, 0)
918 }
919
920 /*
921 * Add the comm page auxv entry, mapping it in if needed. Also
922 * take care of the FPU entries.
923 */
924 #if defined(__amd64)
925 if (args->commpage != 0 ||
926 (args->commpage = (uintptr_t)comm_page_mapin()) != 0) {
927 ADDAUX(aux, AT_SUN_COMMPAGE, args->commpage)
928 } else {
929 /*
930 * If the comm page cannot be mapped, pad out the auxv
931 * to satisfy later size checks.
932 */
933 ADDAUX(aux, AT_NULL, 0)
934 }
935
936 fptype = AT_386_FPINFO_NONE;
937 fpu_auxv_info(&fptype, &fpsize);
938 if (fptype != AT_386_FPINFO_NONE) {
939 ADDAUX(aux, AT_SUN_FPTYPE, fptype)
940 ADDAUX(aux, AT_SUN_FPSIZE, fpsize)
941 } else {
942 ADDAUX(aux, AT_NULL, 0)
943 ADDAUX(aux, AT_NULL, 0)
944 }
945 #endif /* defined(__amd64) */
946
947 ADDAUX(aux, AT_NULL, 0)
948 postfixsize = (char *)aux - (char *)bigwad->elfargs;
949
950 /*
951 * We make assumptions above when we determine how many aux
952 * vector entries we will be adding. However, if we have an
953 * invalid elf file, it is possible that mapelfexec might
954 * behave differently (but not return an error), in which case
955 * the number of aux entries we actually add will be different.
956 * We detect that now and error out.
957 */
958 if (postfixsize != args->auxsize) {
959 DTRACE_PROBE2(elfexec_badaux, int, postfixsize,
960 int, args->auxsize);
961 goto bad;
962 }
963 ASSERT(postfixsize <= __KERN_NAUXV_IMPL * sizeof (aux_entry_t));
964 }
965
966 /*
967 * For the 64-bit kernel, the limit is big enough that rounding it up
968 * to a page can overflow the 64-bit limit, so we check for btopr()
969 * overflowing here by comparing it with the unrounded limit in pages.
970 * If it hasn't overflowed, compare the exec size with the rounded up
971 * limit in pages. Otherwise, just compare with the unrounded limit.
972 */
973 limit = btop(p->p_vmem_ctl);
974 roundlimit = btopr(p->p_vmem_ctl);
975 if ((roundlimit > limit && *execsz > roundlimit) ||
976 (roundlimit < limit && *execsz > limit)) {
977 mutex_enter(&p->p_lock);
978 (void) rctl_action(rctlproc_legacy[RLIMIT_VMEM], p->p_rctls, p,
979 RCA_SAFE);
980 mutex_exit(&p->p_lock);
981 error = ENOMEM;
982 goto bad;
983 }
984
985 bzero(up->u_auxv, sizeof (up->u_auxv));
986 up->u_commpagep = args->commpage;
987 if (postfixsize) {
988 int num_auxv;
989
990 /*
991 * Copy the aux vector to the user stack.
992 */
993 error = execpoststack(args, bigwad->elfargs, postfixsize);
994 if (error)
995 goto bad;
996
997 /*
998 * Copy auxv to the process's user structure for use by /proc.
999 * If this is a branded process, the brand's exec routine will
1000 * copy it's private entries to the user structure later. It
1001 * relies on the fact that the blank entries are at the end.
1002 */
1003 num_auxv = postfixsize / sizeof (aux_entry_t);
1004 ASSERT(num_auxv <= sizeof (up->u_auxv) / sizeof (auxv_t));
1005 aux = bigwad->elfargs;
1006 for (i = 0; i < num_auxv; i++) {
1007 up->u_auxv[i].a_type = aux[i].a_type;
1008 up->u_auxv[i].a_un.a_val = (aux_val_t)aux[i].a_un.a_val;
1009 }
1010 }
1011
1012 /*
1013 * Pass back the starting address so we can set the program counter.
1014 */
1015 args->entry = (uintptr_t)(ehdrp->e_entry + voffset);
1016
1017 if (!uphdr) {
1018 if (ehdrp->e_type == ET_DYN) {
1019 /*
1020 * If we are executing a shared library which doesn't
1021 * have a interpreter (probably ld.so.1) then
1022 * we don't set the brkbase now. Instead we
1023 * delay it's setting until the first call
1024 * via grow.c::brk(). This permits ld.so.1 to
1025 * initialize brkbase to the tail of the executable it
1026 * loads (which is where it needs to be).
1027 */
1028 bigwad->exenv.ex_brkbase = (caddr_t)0;
1029 bigwad->exenv.ex_bssbase = (caddr_t)0;
1030 bigwad->exenv.ex_brksize = 0;
1031 } else {
1032 bigwad->exenv.ex_brkbase = brkbase;
1033 bigwad->exenv.ex_bssbase = bssbase;
1034 bigwad->exenv.ex_brksize = brksize;
1035 }
1036 bigwad->exenv.ex_magic = elfmagic;
1037 bigwad->exenv.ex_vp = vp;
1038 setexecenv(&bigwad->exenv);
1039 }
1040
1041 ASSERT(error == 0);
1042 goto out;
1043
1044 bad:
1045 if (fd != -1) /* did we open the a.out yet */
1046 (void) execclose(fd);
1047
1048 psignal(p, SIGKILL);
1049
1050 if (error == 0)
1051 error = ENOEXEC;
1052 out:
1053 if (phdrbase != NULL)
1054 kmem_free(phdrbase, phdrsize);
1055 if (cap != NULL)
1056 kmem_free(cap, capsize);
1057 kmem_free(bigwad, sizeof (struct bigwad));
1058 return (error);
1059 }
1060
1061 /*
1062 * Compute the memory size requirement for the ELF file.
1063 */
1064 static size_t
1065 elfsize(Ehdr *ehdrp, int nphdrs, caddr_t phdrbase, uintptr_t *lddata)
1066 {
1067 size_t len;
1068 Phdr *phdrp = (Phdr *)phdrbase;
1069 int hsize = ehdrp->e_phentsize;
1070 int first = 1;
1071 int dfirst = 1; /* first data segment */
1072 uintptr_t loaddr = 0;
1073 uintptr_t hiaddr = 0;
1074 uintptr_t lo, hi;
1075 int i;
1076
1077 for (i = nphdrs; i > 0; i--) {
1078 if (phdrp->p_type == PT_LOAD) {
1079 lo = phdrp->p_vaddr;
1080 hi = lo + phdrp->p_memsz;
1081 if (first) {
1082 loaddr = lo;
1083 hiaddr = hi;
1084 first = 0;
1085 } else {
1086 if (loaddr > lo)
1087 loaddr = lo;
1088 if (hiaddr < hi)
1089 hiaddr = hi;
1090 }
1091
1092 /*
1093 * save the address of the first data segment
1094 * of a object - used for the AT_SUNW_LDDATA
1095 * aux entry.
1096 */
1097 if ((lddata != NULL) && dfirst &&
1098 (phdrp->p_flags & PF_W)) {
1099 *lddata = lo;
1100 dfirst = 0;
1101 }
1102 }
1103 phdrp = (Phdr *)((caddr_t)phdrp + hsize);
1104 }
1105
1106 len = hiaddr - (loaddr & PAGEMASK);
1107 len = roundup(len, PAGESIZE);
1108
1109 return (len);
1110 }
1111
1112 /*
1113 * Read in the ELF header and program header table.
1114 * SUSV3 requires:
1115 * ENOEXEC File format is not recognized
1116 * EINVAL Format recognized but execution not supported
1117 */
1118 static int
1119 getelfhead(vnode_t *vp, cred_t *credp, Ehdr *ehdr, int *nshdrs, int *shstrndx,
1120 int *nphdrs)
1121 {
1122 int error;
1123 ssize_t resid;
1124
1125 /*
1126 * We got here by the first two bytes in ident,
1127 * now read the entire ELF header.
1128 */
1129 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)ehdr,
1130 sizeof (Ehdr), 0, UIO_SYSSPACE, 0,
1131 0, credp, &resid)) != 0)
1132 return (error);
1133
1134 /*
1135 * Since a separate version is compiled for handling 32-bit and
1136 * 64-bit ELF executables on a 64-bit kernel, the 64-bit version
1137 * doesn't need to be able to deal with 32-bit ELF files.
1138 */
1139 if (resid != 0 ||
1140 ehdr->e_ident[EI_MAG2] != ELFMAG2 ||
1141 ehdr->e_ident[EI_MAG3] != ELFMAG3)
1142 return (ENOEXEC);
1143
1144 if ((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN) ||
1145 #if defined(_ILP32) || defined(_ELF32_COMPAT)
1146 ehdr->e_ident[EI_CLASS] != ELFCLASS32 ||
1147 #else
1148 ehdr->e_ident[EI_CLASS] != ELFCLASS64 ||
1149 #endif
1150 !elfheadcheck(ehdr->e_ident[EI_DATA], ehdr->e_machine,
1151 ehdr->e_flags))
1152 return (EINVAL);
1153
1154 *nshdrs = ehdr->e_shnum;
1155 *shstrndx = ehdr->e_shstrndx;
1156 *nphdrs = ehdr->e_phnum;
1157
1158 /*
1159 * If e_shnum, e_shstrndx, or e_phnum is its sentinel value, we need
1160 * to read in the section header at index zero to acces the true
1161 * values for those fields.
1162 */
1163 if ((*nshdrs == 0 && ehdr->e_shoff != 0) ||
1164 *shstrndx == SHN_XINDEX || *nphdrs == PN_XNUM) {
1165 Shdr shdr;
1166
1167 if (ehdr->e_shoff == 0)
1168 return (EINVAL);
1169
1170 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)&shdr,
1171 sizeof (shdr), (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0,
1172 0, credp, &resid)) != 0)
1173 return (error);
1174
1175 if (*nshdrs == 0)
1176 *nshdrs = shdr.sh_size;
1177 if (*shstrndx == SHN_XINDEX)
1178 *shstrndx = shdr.sh_link;
1179 if (*nphdrs == PN_XNUM && shdr.sh_info != 0)
1180 *nphdrs = shdr.sh_info;
1181 }
1182
1183 return (0);
1184 }
1185
1186 #ifdef _ELF32_COMPAT
1187 extern size_t elf_nphdr_max;
1188 #else
1189 size_t elf_nphdr_max = 1000;
1190 #endif
1191
1192 static int
1193 getelfphdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr, int nphdrs,
1194 caddr_t *phbasep, ssize_t *phsizep)
1195 {
1196 ssize_t resid, minsize;
1197 int err;
1198
1199 /*
1200 * Since we're going to be using e_phentsize to iterate down the
1201 * array of program headers, it must be 8-byte aligned or else
1202 * a we might cause a misaligned access. We use all members through
1203 * p_flags on 32-bit ELF files and p_memsz on 64-bit ELF files so
1204 * e_phentsize must be at least large enough to include those
1205 * members.
1206 */
1207 #if !defined(_LP64) || defined(_ELF32_COMPAT)
1208 minsize = offsetof(Phdr, p_flags) + sizeof (((Phdr *)NULL)->p_flags);
1209 #else
1210 minsize = offsetof(Phdr, p_memsz) + sizeof (((Phdr *)NULL)->p_memsz);
1211 #endif
1212 if (ehdr->e_phentsize < minsize || (ehdr->e_phentsize & 3))
1213 return (EINVAL);
1214
1215 *phsizep = nphdrs * ehdr->e_phentsize;
1216
1217 if (*phsizep > sizeof (Phdr) * elf_nphdr_max) {
1218 if ((*phbasep = kmem_alloc(*phsizep, KM_NOSLEEP)) == NULL)
1219 return (ENOMEM);
1220 } else {
1221 *phbasep = kmem_alloc(*phsizep, KM_SLEEP);
1222 }
1223
1224 if ((err = vn_rdwr(UIO_READ, vp, *phbasep, *phsizep,
1225 (offset_t)ehdr->e_phoff, UIO_SYSSPACE, 0, 0,
1226 credp, &resid)) != 0) {
1227 kmem_free(*phbasep, *phsizep);
1228 *phbasep = NULL;
1229 return (err);
1230 }
1231
1232 return (0);
1233 }
1234
1235 #ifdef _ELF32_COMPAT
1236 extern size_t elf_nshdr_max;
1237 extern size_t elf_shstrtab_max;
1238 #else
1239 size_t elf_nshdr_max = 10000;
1240 size_t elf_shstrtab_max = 100 * 1024;
1241 #endif
1242
1243
1244 static int
1245 getelfshdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr,
1246 int nshdrs, int shstrndx, caddr_t *shbasep, ssize_t *shsizep,
1247 char **shstrbasep, ssize_t *shstrsizep)
1248 {
1249 ssize_t resid, minsize;
1250 int err;
1251 Shdr *shdr;
1252
1253 /*
1254 * Since we're going to be using e_shentsize to iterate down the
1255 * array of section headers, it must be 8-byte aligned or else
1256 * a we might cause a misaligned access. We use all members through
1257 * sh_entsize (on both 32- and 64-bit ELF files) so e_shentsize
1258 * must be at least large enough to include that member. The index
1259 * of the string table section must also be valid.
1260 */
1261 minsize = offsetof(Shdr, sh_entsize) + sizeof (shdr->sh_entsize);
1262 if (ehdr->e_shentsize < minsize || (ehdr->e_shentsize & 3) ||
1263 shstrndx >= nshdrs)
1264 return (EINVAL);
1265
1266 *shsizep = nshdrs * ehdr->e_shentsize;
1267
1268 if (*shsizep > sizeof (Shdr) * elf_nshdr_max) {
1269 if ((*shbasep = kmem_alloc(*shsizep, KM_NOSLEEP)) == NULL)
1270 return (ENOMEM);
1271 } else {
1272 *shbasep = kmem_alloc(*shsizep, KM_SLEEP);
1273 }
1274
1275 if ((err = vn_rdwr(UIO_READ, vp, *shbasep, *shsizep,
1276 (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0, 0,
1277 credp, &resid)) != 0) {
1278 kmem_free(*shbasep, *shsizep);
1279 return (err);
1280 }
1281
1282 /*
1283 * Pull the section string table out of the vnode; fail if the size
1284 * is zero.
1285 */
1286 shdr = (Shdr *)(*shbasep + shstrndx * ehdr->e_shentsize);
1287 if ((*shstrsizep = shdr->sh_size) == 0) {
1288 kmem_free(*shbasep, *shsizep);
1289 return (EINVAL);
1290 }
1291
1292 if (*shstrsizep > elf_shstrtab_max) {
1293 if ((*shstrbasep = kmem_alloc(*shstrsizep,
1294 KM_NOSLEEP)) == NULL) {
1295 kmem_free(*shbasep, *shsizep);
1296 return (ENOMEM);
1297 }
1298 } else {
1299 *shstrbasep = kmem_alloc(*shstrsizep, KM_SLEEP);
1300 }
1301
1302 if ((err = vn_rdwr(UIO_READ, vp, *shstrbasep, *shstrsizep,
1303 (offset_t)shdr->sh_offset, UIO_SYSSPACE, 0, 0,
1304 credp, &resid)) != 0) {
1305 kmem_free(*shbasep, *shsizep);
1306 kmem_free(*shstrbasep, *shstrsizep);
1307 return (err);
1308 }
1309
1310 /*
1311 * Make sure the strtab is null-terminated to make sure we
1312 * don't run off the end of the table.
1313 */
1314 (*shstrbasep)[*shstrsizep - 1] = '\0';
1315
1316 return (0);
1317 }
1318
1319 static int
1320 mapelfexec(
1321 vnode_t *vp,
1322 Ehdr *ehdr,
1323 int nphdrs,
1324 caddr_t phdrbase,
1325 Phdr **uphdr,
1326 Phdr **intphdr,
1327 Phdr **stphdr,
1328 Phdr **dtphdr,
1329 Phdr *dataphdrp,
1330 caddr_t *bssbase,
1331 caddr_t *brkbase,
1332 intptr_t *voffset,
1333 intptr_t *minaddr,
1334 size_t len,
1335 long *execsz,
1336 size_t *brksize,
1337 boolean_t primary)
1338 {
1339 Phdr *phdr;
1340 int i, prot, error;
1341 caddr_t addr = NULL;
1342 size_t zfodsz;
1343 int ptload = 0;
1344 int page;
1345 off_t offset;
1346 int hsize = ehdr->e_phentsize;
1347 caddr_t mintmp = (caddr_t)-1;
1348 extern int use_brk_lpg;
1349
1350 if (ehdr->e_type == ET_DYN) {
1351 secflagset_t flags = 0;
1352 /*
1353 * Obtain the virtual address of a hole in the
1354 * address space to map the "interpreter".
1355 */
1356 if (secflag_enabled(curproc, PROC_SEC_ASLR))
1357 flags |= _MAP_RANDOMIZE;
1358
1359 if (primary)
1360 flags |= _MAP_STARTLOW;
1361
1362 map_addr(&addr, len, 0, 1, flags);
1363 if (addr == NULL)
1364 return (ENOMEM);
1365 *voffset = (intptr_t)addr;
1366
1367 /*
1368 * Calculate the minimum vaddr so it can be subtracted out.
1369 * According to the ELF specification, since PT_LOAD sections
1370 * must be sorted by increasing p_vaddr values, this is
1371 * guaranteed to be the first PT_LOAD section.
1372 */
1373 phdr = (Phdr *)phdrbase;
1374 for (i = nphdrs; i > 0; i--) {
1375 if (phdr->p_type == PT_LOAD) {
1376 *voffset -= (uintptr_t)phdr->p_vaddr;
1377 break;
1378 }
1379 phdr = (Phdr *)((caddr_t)phdr + hsize);
1380 }
1381
1382 } else {
1383 *voffset = 0;
1384 }
1385 phdr = (Phdr *)phdrbase;
1386 for (i = nphdrs; i > 0; i--) {
1387 switch (phdr->p_type) {
1388 case PT_LOAD:
1389 if ((*intphdr != NULL) && (*uphdr == NULL))
1390 return (0);
1391
1392 ptload = 1;
1393 prot = PROT_USER;
1394 if (phdr->p_flags & PF_R)
1395 prot |= PROT_READ;
1396 if (phdr->p_flags & PF_W)
1397 prot |= PROT_WRITE;
1398 if (phdr->p_flags & PF_X)
1399 prot |= PROT_EXEC;
1400
1401 addr = (caddr_t)((uintptr_t)phdr->p_vaddr + *voffset);
1402
1403 /*
1404 * Keep track of the segment with the lowest starting
1405 * address.
1406 */
1407 if (addr < mintmp)
1408 mintmp = addr;
1409
1410 zfodsz = (size_t)phdr->p_memsz - phdr->p_filesz;
1411
1412 offset = phdr->p_offset;
1413 if (((uintptr_t)offset & PAGEOFFSET) ==
1414 ((uintptr_t)addr & PAGEOFFSET) &&
1415 (!(vp->v_flag & VNOMAP))) {
1416 page = 1;
1417 } else {
1418 page = 0;
1419 }
1420
1421 /*
1422 * Set the heap pagesize for OOB when the bss size
1423 * is known and use_brk_lpg is not 0.
1424 */
1425 if (brksize != NULL && use_brk_lpg &&
1426 zfodsz != 0 && phdr == dataphdrp &&
1427 (prot & PROT_WRITE)) {
1428 size_t tlen = P2NPHASE((uintptr_t)addr +
1429 phdr->p_filesz, PAGESIZE);
1430
1431 if (zfodsz > tlen) {
1432 curproc->p_brkpageszc =
1433 page_szc(map_pgsz(MAPPGSZ_HEAP,
1434 curproc, addr + phdr->p_filesz +
1435 tlen, zfodsz - tlen, 0));
1436 }
1437 }
1438
1439 if (curproc->p_brkpageszc != 0 && phdr == dataphdrp &&
1440 (prot & PROT_WRITE)) {
1441 uint_t szc = curproc->p_brkpageszc;
1442 size_t pgsz = page_get_pagesize(szc);
1443 caddr_t ebss = addr + phdr->p_memsz;
1444 /*
1445 * If we need extra space to keep the BSS an
1446 * integral number of pages in size, some of
1447 * that space may fall beyond p_brkbase, so we
1448 * need to set p_brksize to account for it
1449 * being (logically) part of the brk.
1450 */
1451 size_t extra_zfodsz;
1452
1453 ASSERT(pgsz > PAGESIZE);
1454
1455 extra_zfodsz = P2NPHASE((uintptr_t)ebss, pgsz);
1456
1457 if (error = execmap(vp, addr, phdr->p_filesz,
1458 zfodsz + extra_zfodsz, phdr->p_offset,
1459 prot, page, szc))
1460 goto bad;
1461 if (brksize != NULL)
1462 *brksize = extra_zfodsz;
1463 } else {
1464 if (error = execmap(vp, addr, phdr->p_filesz,
1465 zfodsz, phdr->p_offset, prot, page, 0))
1466 goto bad;
1467 }
1468
1469 if (bssbase != NULL && addr >= *bssbase &&
1470 phdr == dataphdrp) {
1471 *bssbase = addr + phdr->p_filesz;
1472 }
1473 if (brkbase != NULL && addr >= *brkbase) {
1474 *brkbase = addr + phdr->p_memsz;
1475 }
1476
1477 *execsz += btopr(phdr->p_memsz);
1478 break;
1479
1480 case PT_INTERP:
1481 if (ptload)
1482 goto bad;
1483 *intphdr = phdr;
1484 break;
1485
1486 case PT_SHLIB:
1487 *stphdr = phdr;
1488 break;
1489
1490 case PT_PHDR:
1491 if (ptload)
1492 goto bad;
1493 *uphdr = phdr;
1494 break;
1495
1496 case PT_NULL:
1497 case PT_DYNAMIC:
1498 case PT_NOTE:
1499 break;
1500
1501 case PT_SUNWDTRACE:
1502 if (dtphdr != NULL)
1503 *dtphdr = phdr;
1504 break;
1505
1506 default:
1507 break;
1508 }
1509 phdr = (Phdr *)((caddr_t)phdr + hsize);
1510 }
1511
1512 if (minaddr != NULL) {
1513 ASSERT(mintmp != (caddr_t)-1);
1514 *minaddr = (intptr_t)mintmp;
1515 }
1516
1517 if (brkbase != NULL && secflag_enabled(curproc, PROC_SEC_ASLR)) {
1518 size_t off;
1519 uintptr_t base = (uintptr_t)*brkbase;
1520 uintptr_t oend = base + *brksize;
1521
1522 ASSERT(ISP2(aslr_max_brk_skew));
1523
1524 (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off));
1525 base += P2PHASE(off, aslr_max_brk_skew);
1526 base = P2ROUNDUP(base, PAGESIZE);
1527 *brkbase = (caddr_t)base;
1528 /*
1529 * Above, we set *brksize to account for the possibility we
1530 * had to grow the 'brk' in padding out the BSS to a page
1531 * boundary.
1532 *
1533 * We now need to adjust that based on where we now are
1534 * actually putting the brk.
1535 */
1536 if (oend > base)
1537 *brksize = oend - base;
1538 else
1539 *brksize = 0;
1540 }
1541
1542 return (0);
1543 bad:
1544 if (error == 0)
1545 error = EINVAL;
1546 return (error);
1547 }
1548
1549 int
1550 elfnote(vnode_t *vp, offset_t *offsetp, int type, int descsz, void *desc,
1551 rlim_t rlimit, cred_t *credp)
1552 {
1553 Note note;
1554 int error;
1555
1556 bzero(&note, sizeof (note));
1557 bcopy("CORE", note.name, 4);
1558 note.nhdr.n_type = type;
1559 /*
1560 * The System V ABI states that n_namesz must be the length of the
1561 * string that follows the Nhdr structure including the terminating
1562 * null. The ABI also specifies that sufficient padding should be
1563 * included so that the description that follows the name string
1564 * begins on a 4- or 8-byte boundary for 32- and 64-bit binaries
1565 * respectively. However, since this change was not made correctly
1566 * at the time of the 64-bit port, both 32- and 64-bit binaries
1567 * descriptions are only guaranteed to begin on a 4-byte boundary.
1568 */
1569 note.nhdr.n_namesz = 5;
1570 note.nhdr.n_descsz = roundup(descsz, sizeof (Word));
1571
1572 if (error = core_write(vp, UIO_SYSSPACE, *offsetp, &note,
1573 sizeof (note), rlimit, credp))
1574 return (error);
1575
1576 *offsetp += sizeof (note);
1577
1578 if (error = core_write(vp, UIO_SYSSPACE, *offsetp, desc,
1579 note.nhdr.n_descsz, rlimit, credp))
1580 return (error);
1581
1582 *offsetp += note.nhdr.n_descsz;
1583 return (0);
1584 }
1585
1586 /*
1587 * Copy the section data from one vnode to the section of another vnode.
1588 */
1589 static void
1590 copy_scn(Shdr *src, vnode_t *src_vp, Shdr *dst, vnode_t *dst_vp, Off *doffset,
1591 void *buf, size_t size, cred_t *credp, rlim_t rlimit)
1592 {
1593 ssize_t resid;
1594 size_t len, n = src->sh_size;
1595 offset_t off = 0;
1596
1597 while (n != 0) {
1598 len = MIN(size, n);
1599 if (vn_rdwr(UIO_READ, src_vp, buf, len, src->sh_offset + off,
1600 UIO_SYSSPACE, 0, 0, credp, &resid) != 0 ||
1601 resid >= len ||
1602 core_write(dst_vp, UIO_SYSSPACE, *doffset + off,
1603 buf, len - resid, rlimit, credp) != 0) {
1604 dst->sh_size = 0;
1605 dst->sh_offset = 0;
1606 return;
1607 }
1608
1609 ASSERT(n >= len - resid);
1610
1611 n -= len - resid;
1612 off += len - resid;
1613 }
1614
1615 *doffset += src->sh_size;
1616 }
1617
1618 #ifdef _ELF32_COMPAT
1619 extern size_t elf_datasz_max;
1620 #else
1621 size_t elf_datasz_max = 1 * 1024 * 1024;
1622 #endif
1623
1624 /*
1625 * This function processes mappings that correspond to load objects to
1626 * examine their respective sections for elfcore(). It's called once with
1627 * v set to NULL to count the number of sections that we're going to need
1628 * and then again with v set to some allocated buffer that we fill in with
1629 * all the section data.
1630 */
1631 static int
1632 process_scns(core_content_t content, proc_t *p, cred_t *credp, vnode_t *vp,
1633 Shdr *v, int nv, rlim_t rlimit, Off *doffsetp, int *nshdrsp)
1634 {
1635 vnode_t *lastvp = NULL;
1636 struct seg *seg;
1637 int i, j;
1638 void *data = NULL;
1639 size_t datasz = 0;
1640 shstrtab_t shstrtab;
1641 struct as *as = p->p_as;
1642 int error = 0;
1643
1644 if (v != NULL)
1645 shstrtab_init(&shstrtab);
1646
1647 i = 1;
1648 for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) {
1649 uint_t prot;
1650 vnode_t *mvp;
1651 void *tmp = NULL;
1652 caddr_t saddr = seg->s_base;
1653 caddr_t naddr;
1654 caddr_t eaddr;
1655 size_t segsize;
1656
1657 Ehdr ehdr;
1658 int nshdrs, shstrndx, nphdrs;
1659 caddr_t shbase;
1660 ssize_t shsize;
1661 char *shstrbase;
1662 ssize_t shstrsize;
1663
1664 Shdr *shdr;
1665 const char *name;
1666 size_t sz;
1667 uintptr_t off;
1668
1669 int ctf_ndx = 0;
1670 int symtab_ndx = 0;
1671
1672 /*
1673 * Since we're just looking for text segments of load
1674 * objects, we only care about the protection bits; we don't
1675 * care about the actual size of the segment so we use the
1676 * reserved size. If the segment's size is zero, there's
1677 * something fishy going on so we ignore this segment.
1678 */
1679 if (seg->s_ops != &segvn_ops ||
1680 segop_getvp(seg, seg->s_base, &mvp) != 0 ||
1681 mvp == lastvp || mvp == NULL || mvp->v_type != VREG ||
1682 (segsize = pr_getsegsize(seg, 1)) == 0)
1683 continue;
1684
1685 eaddr = saddr + segsize;
1686 prot = pr_getprot(seg, 1, &tmp, &saddr, &naddr, eaddr);
1687 pr_getprot_done(&tmp);
1688
1689 /*
1690 * Skip this segment unless the protection bits look like
1691 * what we'd expect for a text segment.
1692 */
1693 if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
1694 continue;
1695
1696 if (getelfhead(mvp, credp, &ehdr, &nshdrs, &shstrndx,
1697 &nphdrs) != 0 ||
1698 getelfshdr(mvp, credp, &ehdr, nshdrs, shstrndx,
1699 &shbase, &shsize, &shstrbase, &shstrsize) != 0)
1700 continue;
1701
1702 off = ehdr.e_shentsize;
1703 for (j = 1; j < nshdrs; j++, off += ehdr.e_shentsize) {
1704 Shdr *symtab = NULL, *strtab;
1705
1706 shdr = (Shdr *)(shbase + off);
1707
1708 if (shdr->sh_name >= shstrsize)
1709 continue;
1710
1711 name = shstrbase + shdr->sh_name;
1712
1713 if (strcmp(name, shstrtab_data[STR_CTF]) == 0) {
1714 if ((content & CC_CONTENT_CTF) == 0 ||
1715 ctf_ndx != 0)
1716 continue;
1717
1718 if (shdr->sh_link > 0 &&
1719 shdr->sh_link < nshdrs) {
1720 symtab = (Shdr *)(shbase +
1721 shdr->sh_link * ehdr.e_shentsize);
1722 }
1723
1724 if (v != NULL && i < nv - 1) {
1725 if (shdr->sh_size > datasz &&
1726 shdr->sh_size <= elf_datasz_max) {
1727 if (data != NULL)
1728 kmem_free(data, datasz);
1729
1730 datasz = shdr->sh_size;
1731 data = kmem_alloc(datasz,
1732 KM_SLEEP);
1733 }
1734
1735 v[i].sh_name = shstrtab_ndx(&shstrtab,
1736 STR_CTF);
1737 v[i].sh_addr = (Addr)(uintptr_t)saddr;
1738 v[i].sh_type = SHT_PROGBITS;
1739 v[i].sh_addralign = 4;
1740 *doffsetp = roundup(*doffsetp,
1741 v[i].sh_addralign);
1742 v[i].sh_offset = *doffsetp;
1743 v[i].sh_size = shdr->sh_size;
1744 if (symtab == NULL) {
1745 v[i].sh_link = 0;
1746 } else if (symtab->sh_type ==
1747 SHT_SYMTAB &&
1748 symtab_ndx != 0) {
1749 v[i].sh_link =
1750 symtab_ndx;
1751 } else {
1752 v[i].sh_link = i + 1;
1753 }
1754
1755 copy_scn(shdr, mvp, &v[i], vp,
1756 doffsetp, data, datasz, credp,
1757 rlimit);
1758 }
1759
1760 ctf_ndx = i++;
1761
1762 /*
1763 * We've already dumped the symtab.
1764 */
1765 if (symtab != NULL &&
1766 symtab->sh_type == SHT_SYMTAB &&
1767 symtab_ndx != 0)
1768 continue;
1769
1770 } else if (strcmp(name,
1771 shstrtab_data[STR_SYMTAB]) == 0) {
1772 if ((content & CC_CONTENT_SYMTAB) == 0 ||
1773 symtab != 0)
1774 continue;
1775
1776 symtab = shdr;
1777 }
1778
1779 if (symtab != NULL) {
1780 if ((symtab->sh_type != SHT_DYNSYM &&
1781 symtab->sh_type != SHT_SYMTAB) ||
1782 symtab->sh_link == 0 ||
1783 symtab->sh_link >= nshdrs)
1784 continue;
1785
1786 strtab = (Shdr *)(shbase +
1787 symtab->sh_link * ehdr.e_shentsize);
1788
1789 if (strtab->sh_type != SHT_STRTAB)
1790 continue;
1791
1792 if (v != NULL && i < nv - 2) {
1793 sz = MAX(symtab->sh_size,
1794 strtab->sh_size);
1795 if (sz > datasz &&
1796 sz <= elf_datasz_max) {
1797 if (data != NULL)
1798 kmem_free(data, datasz);
1799
1800 datasz = sz;
1801 data = kmem_alloc(datasz,
1802 KM_SLEEP);
1803 }
1804
1805 if (symtab->sh_type == SHT_DYNSYM) {
1806 v[i].sh_name = shstrtab_ndx(
1807 &shstrtab, STR_DYNSYM);
1808 v[i + 1].sh_name = shstrtab_ndx(
1809 &shstrtab, STR_DYNSTR);
1810 } else {
1811 v[i].sh_name = shstrtab_ndx(
1812 &shstrtab, STR_SYMTAB);
1813 v[i + 1].sh_name = shstrtab_ndx(
1814 &shstrtab, STR_STRTAB);
1815 }
1816
1817 v[i].sh_type = symtab->sh_type;
1818 v[i].sh_addr = symtab->sh_addr;
1819 if (ehdr.e_type == ET_DYN ||
1820 v[i].sh_addr == 0)
1821 v[i].sh_addr +=
1822 (Addr)(uintptr_t)saddr;
1823 v[i].sh_addralign =
1824 symtab->sh_addralign;
1825 *doffsetp = roundup(*doffsetp,
1826 v[i].sh_addralign);
1827 v[i].sh_offset = *doffsetp;
1828 v[i].sh_size = symtab->sh_size;
1829 v[i].sh_link = i + 1;
1830 v[i].sh_entsize = symtab->sh_entsize;
1831 v[i].sh_info = symtab->sh_info;
1832
1833 copy_scn(symtab, mvp, &v[i], vp,
1834 doffsetp, data, datasz, credp,
1835 rlimit);
1836
1837 v[i + 1].sh_type = SHT_STRTAB;
1838 v[i + 1].sh_flags = SHF_STRINGS;
1839 v[i + 1].sh_addr = symtab->sh_addr;
1840 if (ehdr.e_type == ET_DYN ||
1841 v[i + 1].sh_addr == 0)
1842 v[i + 1].sh_addr +=
1843 (Addr)(uintptr_t)saddr;
1844 v[i + 1].sh_addralign =
1845 strtab->sh_addralign;
1846 *doffsetp = roundup(*doffsetp,
1847 v[i + 1].sh_addralign);
1848 v[i + 1].sh_offset = *doffsetp;
1849 v[i + 1].sh_size = strtab->sh_size;
1850
1851 copy_scn(strtab, mvp, &v[i + 1], vp,
1852 doffsetp, data, datasz, credp,
1853 rlimit);
1854 }
1855
1856 if (symtab->sh_type == SHT_SYMTAB)
1857 symtab_ndx = i;
1858 i += 2;
1859 }
1860 }
1861
1862 kmem_free(shstrbase, shstrsize);
1863 kmem_free(shbase, shsize);
1864
1865 lastvp = mvp;
1866 }
1867
1868 if (v == NULL) {
1869 if (i == 1)
1870 *nshdrsp = 0;
1871 else
1872 *nshdrsp = i + 1;
1873 goto done;
1874 }
1875
1876 if (i != nv - 1) {
1877 cmn_err(CE_WARN, "elfcore: core dump failed for "
1878 "process %d; address space is changing", p->p_pid);
1879 error = EIO;
1880 goto done;
1881 }
1882
1883 v[i].sh_name = shstrtab_ndx(&shstrtab, STR_SHSTRTAB);
1884 v[i].sh_size = shstrtab_size(&shstrtab);
1885 v[i].sh_addralign = 1;
1886 *doffsetp = roundup(*doffsetp, v[i].sh_addralign);
1887 v[i].sh_offset = *doffsetp;
1888 v[i].sh_flags = SHF_STRINGS;
1889 v[i].sh_type = SHT_STRTAB;
1890
1891 if (v[i].sh_size > datasz) {
1892 if (data != NULL)
1893 kmem_free(data, datasz);
1894
1895 datasz = v[i].sh_size;
1896 data = kmem_alloc(datasz,
1897 KM_SLEEP);
1898 }
1899
1900 shstrtab_dump(&shstrtab, data);
1901
1902 if ((error = core_write(vp, UIO_SYSSPACE, *doffsetp,
1903 data, v[i].sh_size, rlimit, credp)) != 0)
1904 goto done;
1905
1906 *doffsetp += v[i].sh_size;
1907
1908 done:
1909 if (data != NULL)
1910 kmem_free(data, datasz);
1911
1912 return (error);
1913 }
1914
1915 int
1916 elfcore(vnode_t *vp, proc_t *p, cred_t *credp, rlim_t rlimit, int sig,
1917 core_content_t content)
1918 {
1919 offset_t poffset, soffset;
1920 Off doffset;
1921 int error, i, nphdrs, nshdrs;
1922 int overflow = 0;
1923 struct seg *seg;
1924 struct as *as = p->p_as;
1925 union {
1926 Ehdr ehdr;
1927 Phdr phdr[1];
1928 Shdr shdr[1];
1929 } *bigwad;
1930 size_t bigsize;
1931 size_t phdrsz, shdrsz;
1932 Ehdr *ehdr;
1933 Phdr *v;
1934 caddr_t brkbase;
1935 size_t brksize;
1936 caddr_t stkbase;
1937 size_t stksize;
1938 int ntries = 0;
1939 klwp_t *lwp = ttolwp(curthread);
1940
1941 top:
1942 /*
1943 * Make sure we have everything we need (registers, etc.).
1944 * All other lwps have already stopped and are in an orderly state.
1945 */
1946 ASSERT(p == ttoproc(curthread));
1947 prstop(0, 0);
1948
1949 AS_LOCK_ENTER(as, RW_WRITER);
1950 nphdrs = prnsegs(as, 0) + 2; /* two CORE note sections */
1951
1952 /*
1953 * Count the number of section headers we're going to need.
1954 */
1955 nshdrs = 0;
1956 if (content & (CC_CONTENT_CTF | CC_CONTENT_SYMTAB)) {
1957 (void) process_scns(content, p, credp, NULL, NULL, 0, 0,
1958 NULL, &nshdrs);
1959 }
1960 AS_LOCK_EXIT(as);
1961
1962 ASSERT(nshdrs == 0 || nshdrs > 1);
1963
1964 /*
1965 * The core file contents may required zero section headers, but if
1966 * we overflow the 16 bits allotted to the program header count in
1967 * the ELF header, we'll need that program header at index zero.
1968 */
1969 if (nshdrs == 0 && nphdrs >= PN_XNUM)
1970 nshdrs = 1;
1971
1972 phdrsz = nphdrs * sizeof (Phdr);
1973 shdrsz = nshdrs * sizeof (Shdr);
1974
1975 bigsize = MAX(sizeof (*bigwad), MAX(phdrsz, shdrsz));
1976 bigwad = kmem_alloc(bigsize, KM_SLEEP);
1977
1978 ehdr = &bigwad->ehdr;
1979 bzero(ehdr, sizeof (*ehdr));
1980
1981 ehdr->e_ident[EI_MAG0] = ELFMAG0;
1982 ehdr->e_ident[EI_MAG1] = ELFMAG1;
1983 ehdr->e_ident[EI_MAG2] = ELFMAG2;
1984 ehdr->e_ident[EI_MAG3] = ELFMAG3;
1985 ehdr->e_ident[EI_CLASS] = ELFCLASS;
1986 ehdr->e_type = ET_CORE;
1987
1988 #if !defined(_LP64) || defined(_ELF32_COMPAT)
1989
1990 #if defined(__sparc)
1991 ehdr->e_ident[EI_DATA] = ELFDATA2MSB;
1992 ehdr->e_machine = EM_SPARC;
1993 #elif defined(__i386) || defined(__i386_COMPAT)
1994 ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
1995 ehdr->e_machine = EM_386;
1996 #else
1997 #error "no recognized machine type is defined"
1998 #endif
1999
2000 #else /* !defined(_LP64) || defined(_ELF32_COMPAT) */
2001
2002 #if defined(__sparc)
2003 ehdr->e_ident[EI_DATA] = ELFDATA2MSB;
2004 ehdr->e_machine = EM_SPARCV9;
2005 #elif defined(__amd64)
2006 ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
2007 ehdr->e_machine = EM_AMD64;
2008 #else
2009 #error "no recognized 64-bit machine type is defined"
2010 #endif
2011
2012 #endif /* !defined(_LP64) || defined(_ELF32_COMPAT) */
2013
2014 /*
2015 * If the count of program headers or section headers or the index
2016 * of the section string table can't fit in the mere 16 bits
2017 * shortsightedly allotted to them in the ELF header, we use the
2018 * extended formats and put the real values in the section header
2019 * as index 0.
2020 */
2021 ehdr->e_version = EV_CURRENT;
2022 ehdr->e_ehsize = sizeof (Ehdr);
2023
2024 if (nphdrs >= PN_XNUM)
2025 ehdr->e_phnum = PN_XNUM;
2026 else
2027 ehdr->e_phnum = (unsigned short)nphdrs;
2028
2029 ehdr->e_phoff = sizeof (Ehdr);
2030 ehdr->e_phentsize = sizeof (Phdr);
2031
2032 if (nshdrs > 0) {
2033 if (nshdrs >= SHN_LORESERVE)
2034 ehdr->e_shnum = 0;
2035 else
2036 ehdr->e_shnum = (unsigned short)nshdrs;
2037
2038 if (nshdrs - 1 >= SHN_LORESERVE)
2039 ehdr->e_shstrndx = SHN_XINDEX;
2040 else
2041 ehdr->e_shstrndx = (unsigned short)(nshdrs - 1);
2042
2043 ehdr->e_shoff = ehdr->e_phoff + ehdr->e_phentsize * nphdrs;
2044 ehdr->e_shentsize = sizeof (Shdr);
2045 }
2046
2047 if (error = core_write(vp, UIO_SYSSPACE, 0, ehdr,
2048 sizeof (Ehdr), rlimit, credp))
2049 goto done;
2050
2051 poffset = sizeof (Ehdr);
2052 soffset = sizeof (Ehdr) + phdrsz;
2053 doffset = sizeof (Ehdr) + phdrsz + shdrsz;
2054
2055 v = &bigwad->phdr[0];
2056 bzero(v, phdrsz);
2057
2058 setup_old_note_header(&v[0], p);
2059 v[0].p_offset = doffset = roundup(doffset, sizeof (Word));
2060 doffset += v[0].p_filesz;
2061
2062 setup_note_header(&v[1], p);
2063 v[1].p_offset = doffset = roundup(doffset, sizeof (Word));
2064 doffset += v[1].p_filesz;
2065
2066 mutex_enter(&p->p_lock);
2067
2068 brkbase = p->p_brkbase;
2069 brksize = p->p_brksize;
2070
2071 stkbase = p->p_usrstack - p->p_stksize;
2072 stksize = p->p_stksize;
2073
2074 mutex_exit(&p->p_lock);
2075
2076 AS_LOCK_ENTER(as, RW_WRITER);
2077 i = 2;
2078 for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) {
2079 caddr_t eaddr = seg->s_base + pr_getsegsize(seg, 0);
2080 caddr_t saddr, naddr;
2081 void *tmp = NULL;
2082 extern const struct seg_ops segspt_shmops;
2083
2084 if ((seg->s_flags & S_HOLE) != 0) {
2085 continue;
2086 }
2087
2088 for (saddr = seg->s_base; saddr < eaddr; saddr = naddr) {
2089 uint_t prot;
2090 size_t size;
2091 int type;
2092 vnode_t *mvp;
2093
2094 prot = pr_getprot(seg, 0, &tmp, &saddr, &naddr, eaddr);
2095 prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
2096 if ((size = (size_t)(naddr - saddr)) == 0)
2097 continue;
2098 if (i == nphdrs) {
2099 overflow++;
2100 continue;
2101 }
2102 v[i].p_type = PT_LOAD;
2103 v[i].p_vaddr = (Addr)(uintptr_t)saddr;
2104 v[i].p_memsz = size;
2105 if (prot & PROT_READ)
2106 v[i].p_flags |= PF_R;
2107 if (prot & PROT_WRITE)
2108 v[i].p_flags |= PF_W;
2109 if (prot & PROT_EXEC)
2110 v[i].p_flags |= PF_X;
2111
2112 /*
2113 * Figure out which mappings to include in the core.
2114 */
2115 type = segop_gettype(seg, saddr);
2116
2117 if (saddr == stkbase && size == stksize) {
2118 if (!(content & CC_CONTENT_STACK))
2119 goto exclude;
2120
2121 } else if (saddr == brkbase && size == brksize) {
2122 if (!(content & CC_CONTENT_HEAP))
2123 goto exclude;
2124
2125 } else if (seg->s_ops == &segspt_shmops) {
2126 if (type & MAP_NORESERVE) {
2127 if (!(content & CC_CONTENT_DISM))
2128 goto exclude;
2129 } else {
2130 if (!(content & CC_CONTENT_ISM))
2131 goto exclude;
2132 }
2133
2134 } else if (seg->s_ops != &segvn_ops) {
2135 goto exclude;
2136
2137 } else if (type & MAP_SHARED) {
2138 if (shmgetid(p, saddr) != SHMID_NONE) {
2139 if (!(content & CC_CONTENT_SHM))
2140 goto exclude;
2141
2142 } else if (segop_getvp(seg, seg->s_base,
2143 &mvp) != 0 || mvp == NULL ||
2144 mvp->v_type != VREG) {
2145 if (!(content & CC_CONTENT_SHANON))
2146 goto exclude;
2147
2148 } else {
2149 if (!(content & CC_CONTENT_SHFILE))
2150 goto exclude;
2151 }
2152
2153 } else if (segop_getvp(seg, seg->s_base, &mvp) != 0 ||
2154 mvp == NULL || mvp->v_type != VREG) {
2155 if (!(content & CC_CONTENT_ANON))
2156 goto exclude;
2157
2158 } else if (prot == (PROT_READ | PROT_EXEC)) {
2159 if (!(content & CC_CONTENT_TEXT))
2160 goto exclude;
2161
2162 } else if (prot == PROT_READ) {
2163 if (!(content & CC_CONTENT_RODATA))
2164 goto exclude;
2165
2166 } else {
2167 if (!(content & CC_CONTENT_DATA))
2168 goto exclude;
2169 }
2170
2171 doffset = roundup(doffset, sizeof (Word));
2172 v[i].p_offset = doffset;
2173 v[i].p_filesz = size;
2174 doffset += size;
2175 exclude:
2176 i++;
2177 }
2178 ASSERT(tmp == NULL);
2179 }
2180 AS_LOCK_EXIT(as);
2181
2182 if (overflow || i != nphdrs) {
2183 if (ntries++ == 0) {
2184 kmem_free(bigwad, bigsize);
2185 overflow = 0;
2186 goto top;
2187 }
2188 cmn_err(CE_WARN, "elfcore: core dump failed for "
2189 "process %d; address space is changing", p->p_pid);
2190 error = EIO;
2191 goto done;
2192 }
2193
2194 if ((error = core_write(vp, UIO_SYSSPACE, poffset,
2195 v, phdrsz, rlimit, credp)) != 0)
2196 goto done;
2197
2198 if ((error = write_old_elfnotes(p, sig, vp, v[0].p_offset, rlimit,
2199 credp)) != 0)
2200 goto done;
2201
2202 if ((error = write_elfnotes(p, sig, vp, v[1].p_offset, rlimit,
2203 credp, content)) != 0)
2204 goto done;
2205
2206 for (i = 2; i < nphdrs; i++) {
2207 prkillinfo_t killinfo;
2208 sigqueue_t *sq;
2209 int sig, j;
2210
2211 if (v[i].p_filesz == 0)
2212 continue;
2213
2214 /*
2215 * If dumping out this segment fails, rather than failing
2216 * the core dump entirely, we reset the size of the mapping
2217 * to zero to indicate that the data is absent from the core
2218 * file and or in the PF_SUNW_FAILURE flag to differentiate
2219 * this from mappings that were excluded due to the core file
2220 * content settings.
2221 */
2222 if ((error = core_seg(p, vp, v[i].p_offset,
2223 (caddr_t)(uintptr_t)v[i].p_vaddr, v[i].p_filesz,
2224 rlimit, credp)) == 0) {
2225 continue;
2226 }
2227
2228 if ((sig = lwp->lwp_cursig) == 0) {
2229 /*
2230 * We failed due to something other than a signal.
2231 * Since the space reserved for the segment is now
2232 * unused, we stash the errno in the first four
2233 * bytes. This undocumented interface will let us
2234 * understand the nature of the failure.
2235 */
2236 (void) core_write(vp, UIO_SYSSPACE, v[i].p_offset,
2237 &error, sizeof (error), rlimit, credp);
2238
2239 v[i].p_filesz = 0;
2240 v[i].p_flags |= PF_SUNW_FAILURE;
2241 if ((error = core_write(vp, UIO_SYSSPACE,
2242 poffset + sizeof (v[i]) * i, &v[i], sizeof (v[i]),
2243 rlimit, credp)) != 0)
2244 goto done;
2245
2246 continue;
2247 }
2248
2249 /*
2250 * We took a signal. We want to abort the dump entirely, but
2251 * we also want to indicate what failed and why. We therefore
2252 * use the space reserved for the first failing segment to
2253 * write our error (which, for purposes of compatability with
2254 * older core dump readers, we set to EINTR) followed by any
2255 * siginfo associated with the signal.
2256 */
2257 bzero(&killinfo, sizeof (killinfo));
2258 killinfo.prk_error = EINTR;
2259
2260 sq = sig == SIGKILL ? curproc->p_killsqp : lwp->lwp_curinfo;
2261
2262 if (sq != NULL) {
2263 bcopy(&sq->sq_info, &killinfo.prk_info,
2264 sizeof (sq->sq_info));
2265 } else {
2266 killinfo.prk_info.si_signo = lwp->lwp_cursig;
2267 killinfo.prk_info.si_code = SI_NOINFO;
2268 }
2269
2270 #if (defined(_SYSCALL32_IMPL) || defined(_LP64))
2271 /*
2272 * If this is a 32-bit process, we need to translate from the
2273 * native siginfo to the 32-bit variant. (Core readers must
2274 * always have the same data model as their target or must
2275 * be aware of -- and compensate for -- data model differences.)
2276 */
2277 if (curproc->p_model == DATAMODEL_ILP32) {
2278 siginfo32_t si32;
2279
2280 siginfo_kto32((k_siginfo_t *)&killinfo.prk_info, &si32);
2281 bcopy(&si32, &killinfo.prk_info, sizeof (si32));
2282 }
2283 #endif
2284
2285 (void) core_write(vp, UIO_SYSSPACE, v[i].p_offset,
2286 &killinfo, sizeof (killinfo), rlimit, credp);
2287
2288 /*
2289 * For the segment on which we took the signal, indicate that
2290 * its data now refers to a siginfo.
2291 */
2292 v[i].p_filesz = 0;
2293 v[i].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED |
2294 PF_SUNW_SIGINFO;
2295
2296 /*
2297 * And for every other segment, indicate that its absence
2298 * is due to a signal.
2299 */
2300 for (j = i + 1; j < nphdrs; j++) {
2301 v[j].p_filesz = 0;
2302 v[j].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED;
2303 }
2304
2305 /*
2306 * Finally, write out our modified program headers.
2307 */
2308 if ((error = core_write(vp, UIO_SYSSPACE,
2309 poffset + sizeof (v[i]) * i, &v[i],
2310 sizeof (v[i]) * (nphdrs - i), rlimit, credp)) != 0)
2311 goto done;
2312
2313 break;
2314 }
2315
2316 if (nshdrs > 0) {
2317 bzero(&bigwad->shdr[0], shdrsz);
2318
2319 if (nshdrs >= SHN_LORESERVE)
2320 bigwad->shdr[0].sh_size = nshdrs;
2321
2322 if (nshdrs - 1 >= SHN_LORESERVE)
2323 bigwad->shdr[0].sh_link = nshdrs - 1;
2324
2325 if (nphdrs >= PN_XNUM)
2326 bigwad->shdr[0].sh_info = nphdrs;
2327
2328 if (nshdrs > 1) {
2329 AS_LOCK_ENTER(as, RW_WRITER);
2330 if ((error = process_scns(content, p, credp, vp,
2331 &bigwad->shdr[0], nshdrs, rlimit, &doffset,
2332 NULL)) != 0) {
2333 AS_LOCK_EXIT(as);
2334 goto done;
2335 }
2336 AS_LOCK_EXIT(as);
2337 }
2338
2339 if ((error = core_write(vp, UIO_SYSSPACE, soffset,
2340 &bigwad->shdr[0], shdrsz, rlimit, credp)) != 0)
2341 goto done;
2342 }
2343
2344 done:
2345 kmem_free(bigwad, bigsize);
2346 return (error);
2347 }
2348
2349 #ifndef _ELF32_COMPAT
2350
2351 static struct execsw esw = {
2352 #ifdef _LP64
2353 elf64magicstr,
2354 #else /* _LP64 */
2355 elf32magicstr,
2356 #endif /* _LP64 */
2357 0,
2358 5,
2359 elfexec,
2360 elfcore
2361 };
2362
2363 static struct modlexec modlexec = {
2364 &mod_execops, "exec module for elf", &esw
2365 };
2366
2367 #ifdef _LP64
2368 extern int elf32exec(vnode_t *vp, execa_t *uap, uarg_t *args,
2369 intpdata_t *idatap, int level, long *execsz,
2370 int setid, caddr_t exec_file, cred_t *cred,
2371 int brand_action);
2372 extern int elf32core(vnode_t *vp, proc_t *p, cred_t *credp,
2373 rlim_t rlimit, int sig, core_content_t content);
2374
2375 static struct execsw esw32 = {
2376 elf32magicstr,
2377 0,
2378 5,
2379 elf32exec,
2380 elf32core
2381 };
2382
2383 static struct modlexec modlexec32 = {
2384 &mod_execops, "32-bit exec module for elf", &esw32
2385 };
2386 #endif /* _LP64 */
2387
2388 static struct modlinkage modlinkage = {
2389 MODREV_1,
2390 (void *)&modlexec,
2391 #ifdef _LP64
2392 (void *)&modlexec32,
2393 #endif /* _LP64 */
2394 NULL
2395 };
2396
2397 int
2398 _init(void)
2399 {
2400 return (mod_install(&modlinkage));
2401 }
2402
2403 int
2404 _fini(void)
2405 {
2406 return (mod_remove(&modlinkage));
2407 }
2408
2409 int
2410 _info(struct modinfo *modinfop)
2411 {
2412 return (mod_info(&modlinkage, modinfop));
2413 }
2414
2415 #endif /* !_ELF32_COMPAT */