2 * linux/fs/binfmt_aout.c
4 * Copyright (C) 1991, 1992, 1996 Linus Torvalds
7 #include <linux/module.h>
9 #include <linux/time.h>
10 #include <linux/kernel.h>
12 #include <linux/mman.h>
13 #include <linux/a.out.h>
14 #include <linux/errno.h>
15 #include <linux/signal.h>
16 #include <linux/string.h>
18 #include <linux/file.h>
19 #include <linux/stat.h>
20 #include <linux/fcntl.h>
21 #include <linux/ptrace.h>
22 #include <linux/user.h>
23 #include <linux/binfmts.h>
24 #include <linux/personality.h>
25 #include <linux/init.h>
26 #include <linux/coredump.h>
27 #include <linux/slab.h>
28 #include <linux/sched/task_stack.h>
30 #include <linux/uaccess.h>
31 #include <asm/cacheflush.h>
32 #include <asm/a.out-core.h>
34 static int load_aout_binary(struct linux_binprm *);
35 static int load_aout_library(struct file*);
37 #ifdef CONFIG_COREDUMP
39 * Routine writes a core dump image in the current directory.
40 * Currently only a stub-function.
42 * Note that setuid/setgid files won't make a core-dump if the uid/gid
43 * changed due to the set[u|g]id. It's enforced by the "current->mm->dumpable"
44 * field, which also makes sure the core-dumps won't be recursive if the
45 * dumping of the process results in another error..
47 static int aout_core_dump(struct coredump_params *cprm)
51 void __user *dump_start;
55 # define START_DATA(u) ((void __user *)u.start_data)
57 # define START_DATA(u) ((void __user *)((u.u_tsize << PAGE_SHIFT) + \
60 # define START_STACK(u) ((void __user *)u.start_stack)
65 strncpy(dump.u_comm, current->comm, sizeof(dump.u_comm));
66 dump.u_ar0 = offsetof(struct user, regs);
67 dump.signal = cprm->siginfo->si_signo;
68 aout_dump_thread(cprm->regs, &dump);
70 /* If the size of the dump file exceeds the rlimit, then see what would happen
71 if we wrote the stack, but not the data area. */
72 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
75 /* Make sure we have enough room to write the stack and data areas. */
76 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
79 /* make sure we actually have a data and stack area to dump */
81 if (!access_ok(VERIFY_READ, START_DATA(dump), dump.u_dsize << PAGE_SHIFT))
83 if (!access_ok(VERIFY_READ, START_STACK(dump), dump.u_ssize << PAGE_SHIFT))
88 if (!dump_emit(cprm, &dump, sizeof(dump)))
90 /* Now dump all of the user data. Include malloced stuff as well */
91 if (!dump_skip(cprm, PAGE_SIZE - sizeof(dump)))
93 /* now we start writing out the user space info */
95 /* Dump the data area */
96 if (dump.u_dsize != 0) {
97 dump_start = START_DATA(dump);
98 dump_size = dump.u_dsize << PAGE_SHIFT;
99 if (!dump_emit(cprm, dump_start, dump_size))
102 /* Now prepare to dump the stack area */
103 if (dump.u_ssize != 0) {
104 dump_start = START_STACK(dump);
105 dump_size = dump.u_ssize << PAGE_SHIFT;
106 if (!dump_emit(cprm, dump_start, dump_size))
114 #define aout_core_dump NULL
117 static struct linux_binfmt aout_format = {
118 .module = THIS_MODULE,
119 .load_binary = load_aout_binary,
120 .load_shlib = load_aout_library,
121 .core_dump = aout_core_dump,
122 .min_coredump = PAGE_SIZE
125 #define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
127 static int set_brk(unsigned long start, unsigned long end)
129 start = PAGE_ALIGN(start);
130 end = PAGE_ALIGN(end);
132 return vm_brk(start, end - start);
137 * create_aout_tables() parses the env- and arg-strings in new user
138 * memory and creates the pointer tables from them, and puts their
139 * addresses on the "stack", returning the new stack pointer value.
141 static unsigned long __user *create_aout_tables(char __user *p, struct linux_binprm * bprm)
143 char __user * __user *argv;
144 char __user * __user *envp;
145 unsigned long __user *sp;
146 int argc = bprm->argc;
147 int envc = bprm->envc;
149 sp = (void __user *)((-(unsigned long)sizeof(char *)) & (unsigned long) p);
151 /* whee.. test-programs are so much fun. */
156 put_user(1003, --sp);
157 put_user(bprm->loader, --sp);
158 put_user(1002, --sp);
160 put_user(bprm->exec, --sp);
161 put_user(1001, --sp);
164 envp = (char __user * __user *) sp;
166 argv = (char __user * __user *) sp;
168 put_user((unsigned long) envp,--sp);
169 put_user((unsigned long) argv,--sp);
172 current->mm->arg_start = (unsigned long) p;
181 current->mm->arg_end = current->mm->env_start = (unsigned long) p;
190 current->mm->env_end = (unsigned long) p;
195 * These are the functions used to load a.out style executables and shared
196 * libraries. There is no binary dependent code anywhere else.
199 static int load_aout_binary(struct linux_binprm * bprm)
201 struct pt_regs *regs = current_pt_regs();
204 unsigned long fd_offset;
208 ex = *((struct exec *) bprm->buf); /* exec-header */
209 if ((N_MAGIC(ex) != ZMAGIC && N_MAGIC(ex) != OMAGIC &&
210 N_MAGIC(ex) != QMAGIC && N_MAGIC(ex) != NMAGIC) ||
211 N_TRSIZE(ex) || N_DRSIZE(ex) ||
212 i_size_read(file_inode(bprm->file)) < ex.a_text+ex.a_data+N_SYMSIZE(ex)+N_TXTOFF(ex)) {
217 * Requires a mmap handler. This prevents people from using a.out
218 * as part of an exploit attack against /proc-related vulnerabilities.
220 if (!bprm->file->f_op->mmap)
223 fd_offset = N_TXTOFF(ex);
225 /* Check initial limits. This avoids letting people circumvent
226 * size limits imposed on them by creating programs with large
227 * arrays in the data or bss.
229 rlim = rlimit(RLIMIT_DATA);
230 if (rlim >= RLIM_INFINITY)
232 if (ex.a_data + ex.a_bss > rlim)
235 /* Flush all traces of the currently running executable */
236 retval = flush_old_exec(bprm);
240 /* OK, This is the point of no return */
242 SET_AOUT_PERSONALITY(bprm, ex);
244 set_personality(PER_LINUX);
246 setup_new_exec(bprm);
248 current->mm->end_code = ex.a_text +
249 (current->mm->start_code = N_TXTADDR(ex));
250 current->mm->end_data = ex.a_data +
251 (current->mm->start_data = N_DATADDR(ex));
252 current->mm->brk = ex.a_bss +
253 (current->mm->start_brk = N_BSSADDR(ex));
255 retval = setup_arg_pages(bprm, STACK_TOP, EXSTACK_DEFAULT);
259 install_exec_creds(bprm);
261 if (N_MAGIC(ex) == OMAGIC) {
262 unsigned long text_addr, map_size;
265 text_addr = N_TXTADDR(ex);
269 map_size = ex.a_text+ex.a_data + PAGE_SIZE - 1;
272 map_size = ex.a_text+ex.a_data;
274 error = vm_brk(text_addr & PAGE_MASK, map_size);
278 error = read_code(bprm->file, text_addr, pos,
279 ex.a_text+ex.a_data);
280 if ((signed long)error < 0)
283 if ((ex.a_text & 0xfff || ex.a_data & 0xfff) &&
284 (N_MAGIC(ex) != NMAGIC) && printk_ratelimit())
286 printk(KERN_NOTICE "executable not page aligned\n");
289 if ((fd_offset & ~PAGE_MASK) != 0 && printk_ratelimit())
292 "fd_offset is not page aligned. Please convert program: %pD\n",
296 if (!bprm->file->f_op->mmap||((fd_offset & ~PAGE_MASK) != 0)) {
297 error = vm_brk(N_TXTADDR(ex), ex.a_text+ex.a_data);
301 read_code(bprm->file, N_TXTADDR(ex), fd_offset,
302 ex.a_text + ex.a_data);
306 error = vm_mmap(bprm->file, N_TXTADDR(ex), ex.a_text,
307 PROT_READ | PROT_EXEC,
308 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
311 if (error != N_TXTADDR(ex))
314 error = vm_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
315 PROT_READ | PROT_WRITE | PROT_EXEC,
316 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
317 fd_offset + ex.a_text);
318 if (error != N_DATADDR(ex))
322 set_binfmt(&aout_format);
324 retval = set_brk(current->mm->start_brk, current->mm->brk);
328 current->mm->start_stack =
329 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
331 regs->gp = ex.a_gpvalue;
334 start_thread(regs, ex.a_entry, current->mm->start_stack);
338 static int load_aout_library(struct file *file)
340 struct inode * inode;
341 unsigned long bss, start_addr, len;
347 inode = file_inode(file);
350 error = kernel_read(file, &ex, sizeof(ex), &pos);
351 if (error != sizeof(ex))
354 /* We come in here for the regular a.out style of shared libraries */
355 if ((N_MAGIC(ex) != ZMAGIC && N_MAGIC(ex) != QMAGIC) || N_TRSIZE(ex) ||
356 N_DRSIZE(ex) || ((ex.a_entry & 0xfff) && N_MAGIC(ex) == ZMAGIC) ||
357 i_size_read(inode) < ex.a_text+ex.a_data+N_SYMSIZE(ex)+N_TXTOFF(ex)) {
362 * Requires a mmap handler. This prevents people from using a.out
363 * as part of an exploit attack against /proc-related vulnerabilities.
365 if (!file->f_op->mmap)
371 /* For QMAGIC, the starting address is 0x20 into the page. We mask
372 this off to get the starting address for the page */
374 start_addr = ex.a_entry & 0xfffff000;
376 if ((N_TXTOFF(ex) & ~PAGE_MASK) != 0) {
377 if (printk_ratelimit())
380 "N_TXTOFF is not page aligned. Please convert library: %pD\n",
383 retval = vm_brk(start_addr, ex.a_text + ex.a_data + ex.a_bss);
387 read_code(file, start_addr, N_TXTOFF(ex),
388 ex.a_text + ex.a_data);
392 /* Now use mmap to map the library into memory. */
393 error = vm_mmap(file, start_addr, ex.a_text + ex.a_data,
394 PROT_READ | PROT_WRITE | PROT_EXEC,
395 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
398 if (error != start_addr)
401 len = PAGE_ALIGN(ex.a_text + ex.a_data);
402 bss = ex.a_text + ex.a_data + ex.a_bss;
404 retval = vm_brk(start_addr + len, bss - len);
413 static int __init init_aout_binfmt(void)
415 register_binfmt(&aout_format);
419 static void __exit exit_aout_binfmt(void)
421 unregister_binfmt(&aout_format);
424 core_initcall(init_aout_binfmt);
425 module_exit(exit_aout_binfmt);
426 MODULE_LICENSE("GPL");