2019-05-19 15:08:20 +03:00
// SPDX-License-Identifier: GPL-2.0-only
2005-04-17 02:20:36 +04:00
/*
2014-12-11 02:52:10 +03:00
* binfmt_misc . c
2005-04-17 02:20:36 +04:00
*
2014-12-11 02:52:10 +03:00
* Copyright ( C ) 1997 Richard Günther
2005-04-17 02:20:36 +04:00
*
2014-12-11 02:52:10 +03:00
* binfmt_misc detects binaries via a magic or filename extension and invokes
2018-05-08 21:14:57 +03:00
* a specified wrapper . See Documentation / admin - guide / binfmt - misc . rst for more details .
2005-04-17 02:20:36 +04:00
*/
2014-12-11 02:52:08 +03:00
# define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
2015-04-16 22:44:56 +03:00
# include <linux/kernel.h>
2005-04-17 02:20:36 +04:00
# include <linux/module.h>
# include <linux/init.h>
2017-02-04 02:16:44 +03:00
# include <linux/sched/mm.h>
2012-03-24 02:01:50 +04:00
# include <linux/magic.h>
2005-04-17 02:20:36 +04:00
# include <linux/binfmts.h>
# include <linux/slab.h>
# include <linux/ctype.h>
2013-05-01 02:27:33 +04:00
# include <linux/string_helpers.h>
2005-04-17 02:20:36 +04:00
# include <linux/file.h>
# include <linux/pagemap.h>
# include <linux/namei.h>
# include <linux/mount.h>
2019-03-25 19:38:28 +03:00
# include <linux/fs_context.h>
2005-04-17 02:20:36 +04:00
# include <linux/syscalls.h>
2008-07-24 08:29:15 +04:00
# include <linux/fs.h>
2014-12-11 02:52:08 +03:00
# include <linux/uaccess.h>
2005-04-17 02:20:36 +04:00
2016-02-18 03:51:16 +03:00
# include "internal.h"
2014-12-11 02:52:08 +03:00
# ifdef DEBUG
# define USE_DEBUG 1
# else
# define USE_DEBUG 0
# endif
2005-04-17 02:20:36 +04:00
enum {
VERBOSE_STATUS = 1 /* make it zero to save 400 bytes kernel memory */
} ;
static LIST_HEAD ( entries ) ;
static int enabled = 1 ;
enum { Enabled , Magic } ;
2014-12-11 02:52:10 +03:00
# define MISC_FMT_PRESERVE_ARGV0 (1 << 31)
# define MISC_FMT_OPEN_BINARY (1 << 30)
# define MISC_FMT_CREDENTIALS (1 << 29)
2016-02-18 03:51:16 +03:00
# define MISC_FMT_OPEN_FILE (1 << 28)
2005-04-17 02:20:36 +04:00
typedef struct {
struct list_head list ;
unsigned long flags ; /* type, status, etc. */
int offset ; /* offset of magic */
int size ; /* size of magic/mask */
char * magic ; /* magic or filename extension */
char * mask ; /* mask, NULL for exact match */
2017-10-04 02:15:58 +03:00
const char * interpreter ; /* filename of interpreter */
2005-04-17 02:20:36 +04:00
char * name ;
struct dentry * dentry ;
2016-02-18 03:51:16 +03:00
struct file * interp_file ;
2005-04-17 02:20:36 +04:00
} Node ;
static DEFINE_RWLOCK ( entries_lock ) ;
2006-06-09 17:34:16 +04:00
static struct file_system_type bm_fs_type ;
2005-04-17 02:20:36 +04:00
static struct vfsmount * bm_mnt ;
static int entry_count ;
binfmt_misc: expand the register format limit to 1920 bytes
The current code places a 256 byte limit on the registration format.
This ends up being fairly limited when you try to do matching against a
binary format like ELF:
- the magic & mask formats cannot have any embedded NUL chars
(string_unescape_inplace halts at the first NUL)
- each escape sequence quadruples the size: \x00 is needed for NUL
- trying to match bytes at the start of the file as well as further
on leads to a lot of \x00 sequences in the mask
- magic & mask have to be the same length (when decoded)
- still need bytes for the other fields
- impossible!
Let's look at a concrete (and common) example: using QEMU to run MIPS
ELFs. The name field uses 11 bytes "qemu-mipsel". The interp uses 20
bytes "/usr/bin/qemu-mipsel". The type & flags takes up 4 bytes. We
need 7 bytes for the delimiter (usually ":"). We can skip offset. So
already we're down to 107 bytes to use with the magic/mask instead of
the real limit of 128 (BINPRM_BUF_SIZE). If people use shell code to
register (which they do the majority of the time), they're down to ~26
possible bytes since the escape sequence must be \x##.
The ELF format looks like (both 32 & 64 bit):
e_ident: 16 bytes
e_type: 2 bytes
e_machine: 2 bytes
Those 20 bytes are enough for most architectures because they have so few
formats in the first place, thus they can be uniquely identified. That
also means for shell users, since 20 is smaller than 26, they can sanely
register a handler.
But for some targets (like MIPS), we need to poke further. The ELF fields
continue on:
e_entry: 4 or 8 bytes
e_phoff: 4 or 8 bytes
e_shoff: 4 or 8 bytes
e_flags: 4 bytes
We only care about e_flags here as that includes the bits to identify
whether the ELF is O32/N32/N64. But now we have to consume another 16
bytes (for 32 bit ELFs) or 28 bytes (for 64 bit ELFs) just to match the
flags. If every byte is escaped, we send 288 more bytes to the kernel
((20 {e_ident,e_type,e_machine} + 12 {e_entry,e_phoff,e_shoff} + 4
{e_flags}) * 2 {mask,magic} * 4 {escape}) and we've clearly blown our
budget.
Even if we try to be clever and do the decoding ourselves (rather than
relying on the kernel to process \x##), we still can't hit the mark --
string_unescape_inplace treats mask & magic as C strings so NUL cannot
be embedded. That leaves us with having to pass \x00 for the 12/24
entry/phoff/shoff bytes (as those will be completely random addresses),
and that is a minimum requirement of 48/96 bytes for the mask alone.
Add up the rest and we blow through it (this is for 64 bit ELFs):
magic: 20 {e_ident,e_type,e_machine} + 24 {e_entry,e_phoff,e_shoff} +
4 {e_flags} = 48 # ^^ See note below.
mask: 20 {e_ident,e_type,e_machine} + 96 {e_entry,e_phoff,e_shoff} +
4 {e_flags} = 120
Remember above we had 107 left over, and now we're at 168. This is of
course the *best* case scenario -- you'll also want to have NUL bytes
in the magic & mask too to match literal zeros.
Note: the reason we can use 24 in the magic is that we can work off of the
fact that for bytes the mask would clobber, we can stuff any value into
magic that we want. So when mask is \x00, we don't need the magic to also
be \x00, it can be an unescaped raw byte like '!'. This lets us handle
more formats (barely) under the current 256 limit, but that's a pretty
tall hoop to force people to jump through.
With all that said, let's bump the limit from 256 bytes to 1920. This way
we support escaping every byte of the mask & magic field (which is 1024
bytes by themselves -- 128 * 4 * 2), and we leave plenty of room for other
fields. Like long paths to the interpreter (when you have source in your
/really/long/homedir/qemu/foo). Since the current code stuffs more than
one structure into the same buffer, we leave a bit of space to easily
round up to 2k. 1920 is just as arbitrary as 256 ;).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-10-14 02:52:03 +04:00
/*
* Max length of the register string . Determined by :
* - 7 delimiters
* - name : ~ 50 bytes
* - type : 1 byte
* - offset : 3 bytes ( has to be smaller than BINPRM_BUF_SIZE )
* - magic : 128 bytes ( 512 in escaped form )
* - mask : 128 bytes ( 512 in escaped form )
* - interp : ~ 50 bytes
* - flags : 5 bytes
* Round that up a bit , and then back off to hold the internal data
* ( like struct Node ) .
*/
# define MAX_REGISTER_LENGTH 1920
/*
2005-04-17 02:20:36 +04:00
* Check if we support the binfmt
* if we do , return the node , else NULL
* locking is done in load_misc_binary
*/
static Node * check_file ( struct linux_binprm * bprm )
{
char * p = strrchr ( bprm - > interp , ' . ' ) ;
struct list_head * l ;
2014-12-11 02:52:08 +03:00
/* Walk all the registered handlers. */
2005-04-17 02:20:36 +04:00
list_for_each ( l , & entries ) {
Node * e = list_entry ( l , Node , list ) ;
char * s ;
int j ;
2014-12-11 02:52:08 +03:00
/* Make sure this one is currently enabled. */
2005-04-17 02:20:36 +04:00
if ( ! test_bit ( Enabled , & e - > flags ) )
continue ;
2014-12-11 02:52:08 +03:00
/* Do matching based on extension if applicable. */
2005-04-17 02:20:36 +04:00
if ( ! test_bit ( Magic , & e - > flags ) ) {
if ( p & & ! strcmp ( e - > magic , p + 1 ) )
return e ;
continue ;
}
2014-12-11 02:52:08 +03:00
/* Do matching based on magic & mask. */
2005-04-17 02:20:36 +04:00
s = bprm - > buf + e - > offset ;
if ( e - > mask ) {
for ( j = 0 ; j < e - > size ; j + + )
if ( ( * s + + ^ e - > magic [ j ] ) & e - > mask [ j ] )
break ;
} else {
for ( j = 0 ; j < e - > size ; j + + )
if ( ( * s + + ^ e - > magic [ j ] ) )
break ;
}
if ( j = = e - > size )
return e ;
}
return NULL ;
}
/*
* the loader itself
*/
2012-10-21 06:00:48 +04:00
static int load_misc_binary ( struct linux_binprm * bprm )
2005-04-17 02:20:36 +04:00
{
Node * fmt ;
2014-12-11 02:52:10 +03:00
struct file * interp_file = NULL ;
2005-04-17 02:20:36 +04:00
int retval ;
retval = - ENOEXEC ;
if ( ! enabled )
2017-10-04 02:15:55 +03:00
return retval ;
2005-04-17 02:20:36 +04:00
/* to keep locking time low, we copy the interpreter string */
read_lock ( & entries_lock ) ;
fmt = check_file ( bprm ) ;
2017-10-04 02:15:58 +03:00
if ( fmt )
2017-10-04 02:15:55 +03:00
dget ( fmt - > dentry ) ;
2005-04-17 02:20:36 +04:00
read_unlock ( & entries_lock ) ;
if ( ! fmt )
2017-10-04 02:15:55 +03:00
return retval ;
2005-04-17 02:20:36 +04:00
syscalls: implement execveat() system call
This patchset adds execveat(2) for x86, and is derived from Meredydd
Luff's patch from Sept 2012 (https://lkml.org/lkml/2012/9/11/528).
The primary aim of adding an execveat syscall is to allow an
implementation of fexecve(3) that does not rely on the /proc filesystem,
at least for executables (rather than scripts). The current glibc version
of fexecve(3) is implemented via /proc, which causes problems in sandboxed
or otherwise restricted environments.
Given the desire for a /proc-free fexecve() implementation, HPA suggested
(https://lkml.org/lkml/2006/7/11/556) that an execveat(2) syscall would be
an appropriate generalization.
Also, having a new syscall means that it can take a flags argument without
back-compatibility concerns. The current implementation just defines the
AT_EMPTY_PATH and AT_SYMLINK_NOFOLLOW flags, but other flags could be
added in future -- for example, flags for new namespaces (as suggested at
https://lkml.org/lkml/2006/7/11/474).
Related history:
- https://lkml.org/lkml/2006/12/27/123 is an example of someone
realizing that fexecve() is likely to fail in a chroot environment.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514043 covered
documenting the /proc requirement of fexecve(3) in its manpage, to
"prevent other people from wasting their time".
- https://bugzilla.redhat.com/show_bug.cgi?id=241609 described a
problem where a process that did setuid() could not fexecve()
because it no longer had access to /proc/self/fd; this has since
been fixed.
This patch (of 4):
Add a new execveat(2) system call. execveat() is to execve() as openat()
is to open(): it takes a file descriptor that refers to a directory, and
resolves the filename relative to that.
In addition, if the filename is empty and AT_EMPTY_PATH is specified,
execveat() executes the file to which the file descriptor refers. This
replicates the functionality of fexecve(), which is a system call in other
UNIXen, but in Linux glibc it depends on opening "/proc/self/fd/<fd>" (and
so relies on /proc being mounted).
The filename fed to the executed program as argv[0] (or the name of the
script fed to a script interpreter) will be of the form "/dev/fd/<fd>"
(for an empty filename) or "/dev/fd/<fd>/<filename>", effectively
reflecting how the executable was found. This does however mean that
execution of a script in a /proc-less environment won't work; also, script
execution via an O_CLOEXEC file descriptor fails (as the file will not be
accessible after exec).
Based on patches by Meredydd Luff.
Signed-off-by: David Drysdale <drysdale@google.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: Shuah Khan <shuah.kh@samsung.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Rich Felker <dalias@aerifal.cx>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-12-13 03:57:29 +03:00
/* Need to be able to load the file after exec */
2017-10-04 02:15:55 +03:00
retval = - ENOENT ;
syscalls: implement execveat() system call
This patchset adds execveat(2) for x86, and is derived from Meredydd
Luff's patch from Sept 2012 (https://lkml.org/lkml/2012/9/11/528).
The primary aim of adding an execveat syscall is to allow an
implementation of fexecve(3) that does not rely on the /proc filesystem,
at least for executables (rather than scripts). The current glibc version
of fexecve(3) is implemented via /proc, which causes problems in sandboxed
or otherwise restricted environments.
Given the desire for a /proc-free fexecve() implementation, HPA suggested
(https://lkml.org/lkml/2006/7/11/556) that an execveat(2) syscall would be
an appropriate generalization.
Also, having a new syscall means that it can take a flags argument without
back-compatibility concerns. The current implementation just defines the
AT_EMPTY_PATH and AT_SYMLINK_NOFOLLOW flags, but other flags could be
added in future -- for example, flags for new namespaces (as suggested at
https://lkml.org/lkml/2006/7/11/474).
Related history:
- https://lkml.org/lkml/2006/12/27/123 is an example of someone
realizing that fexecve() is likely to fail in a chroot environment.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514043 covered
documenting the /proc requirement of fexecve(3) in its manpage, to
"prevent other people from wasting their time".
- https://bugzilla.redhat.com/show_bug.cgi?id=241609 described a
problem where a process that did setuid() could not fexecve()
because it no longer had access to /proc/self/fd; this has since
been fixed.
This patch (of 4):
Add a new execveat(2) system call. execveat() is to execve() as openat()
is to open(): it takes a file descriptor that refers to a directory, and
resolves the filename relative to that.
In addition, if the filename is empty and AT_EMPTY_PATH is specified,
execveat() executes the file to which the file descriptor refers. This
replicates the functionality of fexecve(), which is a system call in other
UNIXen, but in Linux glibc it depends on opening "/proc/self/fd/<fd>" (and
so relies on /proc being mounted).
The filename fed to the executed program as argv[0] (or the name of the
script fed to a script interpreter) will be of the form "/dev/fd/<fd>"
(for an empty filename) or "/dev/fd/<fd>/<filename>", effectively
reflecting how the executable was found. This does however mean that
execution of a script in a /proc-less environment won't work; also, script
execution via an O_CLOEXEC file descriptor fails (as the file will not be
accessible after exec).
Based on patches by Meredydd Luff.
Signed-off-by: David Drysdale <drysdale@google.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: Shuah Khan <shuah.kh@samsung.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Rich Felker <dalias@aerifal.cx>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-12-13 03:57:29 +03:00
if ( bprm - > interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE )
2017-10-04 02:15:55 +03:00
goto ret ;
syscalls: implement execveat() system call
This patchset adds execveat(2) for x86, and is derived from Meredydd
Luff's patch from Sept 2012 (https://lkml.org/lkml/2012/9/11/528).
The primary aim of adding an execveat syscall is to allow an
implementation of fexecve(3) that does not rely on the /proc filesystem,
at least for executables (rather than scripts). The current glibc version
of fexecve(3) is implemented via /proc, which causes problems in sandboxed
or otherwise restricted environments.
Given the desire for a /proc-free fexecve() implementation, HPA suggested
(https://lkml.org/lkml/2006/7/11/556) that an execveat(2) syscall would be
an appropriate generalization.
Also, having a new syscall means that it can take a flags argument without
back-compatibility concerns. The current implementation just defines the
AT_EMPTY_PATH and AT_SYMLINK_NOFOLLOW flags, but other flags could be
added in future -- for example, flags for new namespaces (as suggested at
https://lkml.org/lkml/2006/7/11/474).
Related history:
- https://lkml.org/lkml/2006/12/27/123 is an example of someone
realizing that fexecve() is likely to fail in a chroot environment.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514043 covered
documenting the /proc requirement of fexecve(3) in its manpage, to
"prevent other people from wasting their time".
- https://bugzilla.redhat.com/show_bug.cgi?id=241609 described a
problem where a process that did setuid() could not fexecve()
because it no longer had access to /proc/self/fd; this has since
been fixed.
This patch (of 4):
Add a new execveat(2) system call. execveat() is to execve() as openat()
is to open(): it takes a file descriptor that refers to a directory, and
resolves the filename relative to that.
In addition, if the filename is empty and AT_EMPTY_PATH is specified,
execveat() executes the file to which the file descriptor refers. This
replicates the functionality of fexecve(), which is a system call in other
UNIXen, but in Linux glibc it depends on opening "/proc/self/fd/<fd>" (and
so relies on /proc being mounted).
The filename fed to the executed program as argv[0] (or the name of the
script fed to a script interpreter) will be of the form "/dev/fd/<fd>"
(for an empty filename) or "/dev/fd/<fd>/<filename>", effectively
reflecting how the executable was found. This does however mean that
execution of a script in a /proc-less environment won't work; also, script
execution via an O_CLOEXEC file descriptor fails (as the file will not be
accessible after exec).
Based on patches by Meredydd Luff.
Signed-off-by: David Drysdale <drysdale@google.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: Shuah Khan <shuah.kh@samsung.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Rich Felker <dalias@aerifal.cx>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-12-13 03:57:29 +03:00
2020-01-28 16:25:39 +03:00
if ( fmt - > flags & MISC_FMT_PRESERVE_ARGV0 ) {
bprm - > interp_flags | = BINPRM_FLAGS_PRESERVE_ARGV0 ;
} else {
2007-07-19 12:48:16 +04:00
retval = remove_arg_zero ( bprm ) ;
if ( retval )
2014-12-11 02:52:10 +03:00
goto ret ;
2005-04-17 02:20:36 +04:00
}
2020-05-19 02:43:20 +03:00
if ( fmt - > flags & MISC_FMT_OPEN_BINARY )
2020-05-14 23:17:40 +03:00
bprm - > have_execfd = 1 ;
2005-04-17 02:20:36 +04:00
/* make argv[1] be the path to the binary */
2020-06-05 02:51:14 +03:00
retval = copy_string_kernel ( bprm - > interp , bprm ) ;
2005-04-17 02:20:36 +04:00
if ( retval < 0 )
2020-05-14 23:17:40 +03:00
goto ret ;
2005-04-17 02:20:36 +04:00
bprm - > argc + + ;
/* add the interp as argv[0] */
2020-06-05 02:51:14 +03:00
retval = copy_string_kernel ( fmt - > interpreter , bprm ) ;
2005-04-17 02:20:36 +04:00
if ( retval < 0 )
2020-05-14 23:17:40 +03:00
goto ret ;
2014-12-11 02:52:10 +03:00
bprm - > argc + + ;
2005-04-17 02:20:36 +04:00
exec: do not leave bprm->interp on stack
If a series of scripts are executed, each triggering module loading via
unprintable bytes in the script header, kernel stack contents can leak
into the command line.
Normally execution of binfmt_script and binfmt_misc happens recursively.
However, when modules are enabled, and unprintable bytes exist in the
bprm->buf, execution will restart after attempting to load matching
binfmt modules. Unfortunately, the logic in binfmt_script and
binfmt_misc does not expect to get restarted. They leave bprm->interp
pointing to their local stack. This means on restart bprm->interp is
left pointing into unused stack memory which can then be copied into the
userspace argv areas.
After additional study, it seems that both recursion and restart remains
the desirable way to handle exec with scripts, misc, and modules. As
such, we need to protect the changes to interp.
This changes the logic to require allocation for any changes to the
bprm->interp. To avoid adding a new kmalloc to every exec, the default
value is left as-is. Only when passing through binfmt_script or
binfmt_misc does an allocation take place.
For a proof of concept, see DoTest.sh from:
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-12-21 03:05:16 +04:00
/* Update interp in case binfmt_script needs it. */
2017-10-04 02:15:58 +03:00
retval = bprm_change_interp ( fmt - > interpreter , bprm ) ;
exec: do not leave bprm->interp on stack
If a series of scripts are executed, each triggering module loading via
unprintable bytes in the script header, kernel stack contents can leak
into the command line.
Normally execution of binfmt_script and binfmt_misc happens recursively.
However, when modules are enabled, and unprintable bytes exist in the
bprm->buf, execution will restart after attempting to load matching
binfmt modules. Unfortunately, the logic in binfmt_script and
binfmt_misc does not expect to get restarted. They leave bprm->interp
pointing to their local stack. This means on restart bprm->interp is
left pointing into unused stack memory which can then be copied into the
userspace argv areas.
After additional study, it seems that both recursion and restart remains
the desirable way to handle exec with scripts, misc, and modules. As
such, we need to protect the changes to interp.
This changes the logic to require allocation for any changes to the
bprm->interp. To avoid adding a new kmalloc to every exec, the default
value is left as-is. Only when passing through binfmt_script or
binfmt_misc does an allocation take place.
For a proof of concept, see DoTest.sh from:
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-12-21 03:05:16 +04:00
if ( retval < 0 )
2020-05-14 23:17:40 +03:00
goto ret ;
2005-04-17 02:20:36 +04:00
2017-10-04 02:15:51 +03:00
if ( fmt - > flags & MISC_FMT_OPEN_FILE ) {
2018-06-08 18:19:32 +03:00
interp_file = file_clone_open ( fmt - > interp_file ) ;
2016-02-18 03:51:16 +03:00
if ( ! IS_ERR ( interp_file ) )
deny_write_access ( interp_file ) ;
} else {
2017-10-04 02:15:58 +03:00
interp_file = open_exec ( fmt - > interpreter ) ;
2016-02-18 03:51:16 +03:00
}
2014-12-11 02:52:10 +03:00
retval = PTR_ERR ( interp_file ) ;
if ( IS_ERR ( interp_file ) )
2020-05-14 23:17:40 +03:00
goto ret ;
2005-04-17 02:20:36 +04:00
2020-05-19 02:43:20 +03:00
bprm - > interpreter = interp_file ;
2020-05-16 14:02:54 +03:00
if ( fmt - > flags & MISC_FMT_CREDENTIALS )
2020-05-30 06:00:54 +03:00
bprm - > execfd_creds = 1 ;
2005-04-17 02:20:36 +04:00
2020-05-19 02:43:20 +03:00
retval = 0 ;
2014-12-11 02:52:10 +03:00
ret :
2017-10-04 02:15:55 +03:00
dput ( fmt - > dentry ) ;
2005-04-17 02:20:36 +04:00
return retval ;
}
/* Command parsers */
/*
* parses and copies one argument enclosed in del from * sp to * dp ,
* recognising the \ x special .
* returns pointer to the copied argument or NULL in case of an
* error ( and sets err ) or null argument length .
*/
static char * scanarg ( char * s , char del )
{
char c ;
while ( ( c = * s + + ) ! = del ) {
if ( c = = ' \\ ' & & * s = = ' x ' ) {
s + + ;
if ( ! isxdigit ( * s + + ) )
return NULL ;
if ( ! isxdigit ( * s + + ) )
return NULL ;
}
}
2014-12-17 13:29:16 +03:00
s [ - 1 ] = ' \0 ' ;
2005-04-17 02:20:36 +04:00
return s ;
}
2014-12-11 02:52:10 +03:00
static char * check_special_flags ( char * sfs , Node * e )
2005-04-17 02:20:36 +04:00
{
2014-12-11 02:52:10 +03:00
char * p = sfs ;
2005-04-17 02:20:36 +04:00
int cont = 1 ;
/* special flags */
while ( cont ) {
switch ( * p ) {
2014-12-11 02:52:10 +03:00
case ' P ' :
pr_debug ( " register: flag: P (preserve argv0) \n " ) ;
p + + ;
e - > flags | = MISC_FMT_PRESERVE_ARGV0 ;
break ;
case ' O ' :
pr_debug ( " register: flag: O (open binary) \n " ) ;
p + + ;
e - > flags | = MISC_FMT_OPEN_BINARY ;
break ;
case ' C ' :
pr_debug ( " register: flag: C (preserve creds) \n " ) ;
p + + ;
/* this flags also implies the
open - binary flag */
e - > flags | = ( MISC_FMT_CREDENTIALS |
MISC_FMT_OPEN_BINARY ) ;
break ;
2016-02-18 03:51:16 +03:00
case ' F ' :
pr_debug ( " register: flag: F: open interpreter file now \n " ) ;
p + + ;
e - > flags | = MISC_FMT_OPEN_FILE ;
break ;
2014-12-11 02:52:10 +03:00
default :
cont = 0 ;
2005-04-17 02:20:36 +04:00
}
}
return p ;
}
2014-12-11 02:52:10 +03:00
2005-04-17 02:20:36 +04:00
/*
* This registers a new binary format , it recognises the syntax
* ' : name : type : offset : magic : mask : interpreter : flags '
* where the ' : ' is the IFS , that can be chosen with the first char
*/
static Node * create_entry ( const char __user * buffer , size_t count )
{
Node * e ;
int memsize , err ;
char * buf , * p ;
char del ;
2014-12-11 02:52:08 +03:00
pr_debug ( " register: received %zu bytes \n " , count ) ;
2005-04-17 02:20:36 +04:00
/* some sanity checks */
err = - EINVAL ;
binfmt_misc: expand the register format limit to 1920 bytes
The current code places a 256 byte limit on the registration format.
This ends up being fairly limited when you try to do matching against a
binary format like ELF:
- the magic & mask formats cannot have any embedded NUL chars
(string_unescape_inplace halts at the first NUL)
- each escape sequence quadruples the size: \x00 is needed for NUL
- trying to match bytes at the start of the file as well as further
on leads to a lot of \x00 sequences in the mask
- magic & mask have to be the same length (when decoded)
- still need bytes for the other fields
- impossible!
Let's look at a concrete (and common) example: using QEMU to run MIPS
ELFs. The name field uses 11 bytes "qemu-mipsel". The interp uses 20
bytes "/usr/bin/qemu-mipsel". The type & flags takes up 4 bytes. We
need 7 bytes for the delimiter (usually ":"). We can skip offset. So
already we're down to 107 bytes to use with the magic/mask instead of
the real limit of 128 (BINPRM_BUF_SIZE). If people use shell code to
register (which they do the majority of the time), they're down to ~26
possible bytes since the escape sequence must be \x##.
The ELF format looks like (both 32 & 64 bit):
e_ident: 16 bytes
e_type: 2 bytes
e_machine: 2 bytes
Those 20 bytes are enough for most architectures because they have so few
formats in the first place, thus they can be uniquely identified. That
also means for shell users, since 20 is smaller than 26, they can sanely
register a handler.
But for some targets (like MIPS), we need to poke further. The ELF fields
continue on:
e_entry: 4 or 8 bytes
e_phoff: 4 or 8 bytes
e_shoff: 4 or 8 bytes
e_flags: 4 bytes
We only care about e_flags here as that includes the bits to identify
whether the ELF is O32/N32/N64. But now we have to consume another 16
bytes (for 32 bit ELFs) or 28 bytes (for 64 bit ELFs) just to match the
flags. If every byte is escaped, we send 288 more bytes to the kernel
((20 {e_ident,e_type,e_machine} + 12 {e_entry,e_phoff,e_shoff} + 4
{e_flags}) * 2 {mask,magic} * 4 {escape}) and we've clearly blown our
budget.
Even if we try to be clever and do the decoding ourselves (rather than
relying on the kernel to process \x##), we still can't hit the mark --
string_unescape_inplace treats mask & magic as C strings so NUL cannot
be embedded. That leaves us with having to pass \x00 for the 12/24
entry/phoff/shoff bytes (as those will be completely random addresses),
and that is a minimum requirement of 48/96 bytes for the mask alone.
Add up the rest and we blow through it (this is for 64 bit ELFs):
magic: 20 {e_ident,e_type,e_machine} + 24 {e_entry,e_phoff,e_shoff} +
4 {e_flags} = 48 # ^^ See note below.
mask: 20 {e_ident,e_type,e_machine} + 96 {e_entry,e_phoff,e_shoff} +
4 {e_flags} = 120
Remember above we had 107 left over, and now we're at 168. This is of
course the *best* case scenario -- you'll also want to have NUL bytes
in the magic & mask too to match literal zeros.
Note: the reason we can use 24 in the magic is that we can work off of the
fact that for bytes the mask would clobber, we can stuff any value into
magic that we want. So when mask is \x00, we don't need the magic to also
be \x00, it can be an unescaped raw byte like '!'. This lets us handle
more formats (barely) under the current 256 limit, but that's a pretty
tall hoop to force people to jump through.
With all that said, let's bump the limit from 256 bytes to 1920. This way
we support escaping every byte of the mask & magic field (which is 1024
bytes by themselves -- 128 * 4 * 2), and we leave plenty of room for other
fields. Like long paths to the interpreter (when you have source in your
/really/long/homedir/qemu/foo). Since the current code stuffs more than
one structure into the same buffer, we leave a bit of space to easily
round up to 2k. 1920 is just as arbitrary as 256 ;).
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-10-14 02:52:03 +04:00
if ( ( count < 11 ) | | ( count > MAX_REGISTER_LENGTH ) )
2005-04-17 02:20:36 +04:00
goto out ;
err = - ENOMEM ;
memsize = sizeof ( Node ) + count + 8 ;
2014-12-11 02:52:13 +03:00
e = kmalloc ( memsize , GFP_KERNEL ) ;
2005-04-17 02:20:36 +04:00
if ( ! e )
goto out ;
p = buf = ( char * ) e + sizeof ( Node ) ;
memset ( e , 0 , sizeof ( Node ) ) ;
if ( copy_from_user ( buf , buffer , count ) )
2014-12-11 02:52:10 +03:00
goto efault ;
2005-04-17 02:20:36 +04:00
del = * p + + ; /* delimeter */
2014-12-11 02:52:08 +03:00
pr_debug ( " register: delim: %#x {%c} \n " , del , del ) ;
/* Pad the buffer with the delim to simplify parsing below. */
2014-12-11 02:52:10 +03:00
memset ( buf + count , del , 8 ) ;
2005-04-17 02:20:36 +04:00
2014-12-11 02:52:08 +03:00
/* Parse the 'name' field. */
2005-04-17 02:20:36 +04:00
e - > name = p ;
p = strchr ( p , del ) ;
if ( ! p )
2014-12-11 02:52:10 +03:00
goto einval ;
2005-04-17 02:20:36 +04:00
* p + + = ' \0 ' ;
if ( ! e - > name [ 0 ] | |
! strcmp ( e - > name , " . " ) | |
! strcmp ( e - > name , " .. " ) | |
strchr ( e - > name , ' / ' ) )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-11 02:52:08 +03:00
pr_debug ( " register: name: {%s} \n " , e - > name ) ;
/* Parse the 'type' field. */
2005-04-17 02:20:36 +04:00
switch ( * p + + ) {
2014-12-11 02:52:08 +03:00
case ' E ' :
pr_debug ( " register: type: E (extension) \n " ) ;
e - > flags = 1 < < Enabled ;
break ;
case ' M ' :
pr_debug ( " register: type: M (magic) \n " ) ;
e - > flags = ( 1 < < Enabled ) | ( 1 < < Magic ) ;
break ;
default :
2014-12-11 02:52:10 +03:00
goto einval ;
2005-04-17 02:20:36 +04:00
}
if ( * p + + ! = del )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-11 02:52:08 +03:00
2005-04-17 02:20:36 +04:00
if ( test_bit ( Magic , & e - > flags ) ) {
2014-12-11 02:52:08 +03:00
/* Handle the 'M' (magic) format. */
char * s ;
/* Parse the 'offset' field. */
s = strchr ( p , del ) ;
2005-04-17 02:20:36 +04:00
if ( ! s )
2014-12-11 02:52:10 +03:00
goto einval ;
2018-06-08 03:11:01 +03:00
* s = ' \0 ' ;
if ( p ! = s ) {
int r = kstrtoint ( p , 10 , & e - > offset ) ;
if ( r ! = 0 | | e - > offset < 0 )
goto einval ;
}
p = s ;
2005-04-17 02:20:36 +04:00
if ( * p + + )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-11 02:52:08 +03:00
pr_debug ( " register: offset: %#x \n " , e - > offset ) ;
/* Parse the 'magic' field. */
2005-04-17 02:20:36 +04:00
e - > magic = p ;
p = scanarg ( p , del ) ;
if ( ! p )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-17 13:29:16 +03:00
if ( ! e - > magic [ 0 ] )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-11 02:52:08 +03:00
if ( USE_DEBUG )
print_hex_dump_bytes (
KBUILD_MODNAME " : register: magic[raw]: " ,
DUMP_PREFIX_NONE , e - > magic , p - e - > magic ) ;
/* Parse the 'mask' field. */
2005-04-17 02:20:36 +04:00
e - > mask = p ;
p = scanarg ( p , del ) ;
if ( ! p )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-17 13:29:16 +03:00
if ( ! e - > mask [ 0 ] ) {
2005-04-17 02:20:36 +04:00
e - > mask = NULL ;
2014-12-11 02:52:08 +03:00
pr_debug ( " register: mask[raw]: none \n " ) ;
} else if ( USE_DEBUG )
print_hex_dump_bytes (
KBUILD_MODNAME " : register: mask[raw]: " ,
DUMP_PREFIX_NONE , e - > mask , p - e - > mask ) ;
/*
* Decode the magic & mask fields .
* Note : while we might have accepted embedded NUL bytes from
* above , the unescape helpers here will stop at the first one
* it encounters .
*/
2013-05-01 02:27:33 +04:00
e - > size = string_unescape_inplace ( e - > magic , UNESCAPE_HEX ) ;
if ( e - > mask & &
string_unescape_inplace ( e - > mask , UNESCAPE_HEX ) ! = e - > size )
2014-12-11 02:52:10 +03:00
goto einval ;
2018-06-08 03:11:01 +03:00
if ( e - > size > BINPRM_BUF_SIZE | |
BINPRM_BUF_SIZE - e - > size < e - > offset )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-11 02:52:08 +03:00
pr_debug ( " register: magic/mask length: %i \n " , e - > size ) ;
if ( USE_DEBUG ) {
print_hex_dump_bytes (
KBUILD_MODNAME " : register: magic[decoded]: " ,
DUMP_PREFIX_NONE , e - > magic , e - > size ) ;
if ( e - > mask ) {
int i ;
2014-12-11 02:52:13 +03:00
char * masked = kmalloc ( e - > size , GFP_KERNEL ) ;
2014-12-11 02:52:08 +03:00
print_hex_dump_bytes (
KBUILD_MODNAME " : register: mask[decoded]: " ,
DUMP_PREFIX_NONE , e - > mask , e - > size ) ;
if ( masked ) {
for ( i = 0 ; i < e - > size ; + + i )
masked [ i ] = e - > magic [ i ] & e - > mask [ i ] ;
print_hex_dump_bytes (
KBUILD_MODNAME " : register: magic[masked]: " ,
DUMP_PREFIX_NONE , masked , e - > size ) ;
kfree ( masked ) ;
}
}
}
2005-04-17 02:20:36 +04:00
} else {
2014-12-11 02:52:08 +03:00
/* Handle the 'E' (extension) format. */
/* Skip the 'offset' field. */
2005-04-17 02:20:36 +04:00
p = strchr ( p , del ) ;
if ( ! p )
2014-12-11 02:52:10 +03:00
goto einval ;
2005-04-17 02:20:36 +04:00
* p + + = ' \0 ' ;
2014-12-11 02:52:08 +03:00
/* Parse the 'magic' field. */
2005-04-17 02:20:36 +04:00
e - > magic = p ;
p = strchr ( p , del ) ;
if ( ! p )
2014-12-11 02:52:10 +03:00
goto einval ;
2005-04-17 02:20:36 +04:00
* p + + = ' \0 ' ;
if ( ! e - > magic [ 0 ] | | strchr ( e - > magic , ' / ' ) )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-11 02:52:08 +03:00
pr_debug ( " register: extension: {%s} \n " , e - > magic ) ;
/* Skip the 'mask' field. */
2005-04-17 02:20:36 +04:00
p = strchr ( p , del ) ;
if ( ! p )
2014-12-11 02:52:10 +03:00
goto einval ;
2005-04-17 02:20:36 +04:00
* p + + = ' \0 ' ;
}
2014-12-11 02:52:08 +03:00
/* Parse the 'interpreter' field. */
2005-04-17 02:20:36 +04:00
e - > interpreter = p ;
p = strchr ( p , del ) ;
if ( ! p )
2014-12-11 02:52:10 +03:00
goto einval ;
2005-04-17 02:20:36 +04:00
* p + + = ' \0 ' ;
if ( ! e - > interpreter [ 0 ] )
2014-12-11 02:52:10 +03:00
goto einval ;
2014-12-11 02:52:08 +03:00
pr_debug ( " register: interpreter: {%s} \n " , e - > interpreter ) ;
2005-04-17 02:20:36 +04:00
2014-12-11 02:52:08 +03:00
/* Parse the 'flags' field. */
2014-12-11 02:52:10 +03:00
p = check_special_flags ( p , e ) ;
2005-04-17 02:20:36 +04:00
if ( * p = = ' \n ' )
p + + ;
if ( p ! = buf + count )
2014-12-11 02:52:10 +03:00
goto einval ;
2005-04-17 02:20:36 +04:00
return e ;
out :
return ERR_PTR ( err ) ;
2014-12-11 02:52:10 +03:00
efault :
2005-04-17 02:20:36 +04:00
kfree ( e ) ;
return ERR_PTR ( - EFAULT ) ;
2014-12-11 02:52:10 +03:00
einval :
2005-04-17 02:20:36 +04:00
kfree ( e ) ;
return ERR_PTR ( - EINVAL ) ;
}
/*
* Set status of entry / binfmt_misc :
* ' 1 ' enables , ' 0 ' disables and ' - 1 ' clears entry / binfmt_misc
*/
static int parse_command ( const char __user * buffer , size_t count )
{
char s [ 4 ] ;
if ( count > 3 )
return - EINVAL ;
if ( copy_from_user ( s , buffer , count ) )
return - EFAULT ;
binfmt_misc: work around gcc-4.9 warning
gcc-4.9 on ARM gives us a mysterious warning about the binfmt_misc
parse_command function:
fs/binfmt_misc.c: In function 'parse_command.part.3':
fs/binfmt_misc.c:405:7: warning: array subscript is above array bounds [-Warray-bounds]
I've managed to trace this back to the ARM implementation of memset,
which is called from copy_from_user in case of a fault and which does
#define memset(p,v,n) \
({ \
void *__p = (p); size_t __n = n; \
if ((__n) != 0) { \
if (__builtin_constant_p((v)) && (v) == 0) \
__memzero((__p),(__n)); \
else \
memset((__p),(v),(__n)); \
} \
(__p); \
})
Apparently gcc gets confused by the check for "size != 0" and believes
that the size might be zero when it gets to the line that does "if
(s[count-1] == '\n')", so it would access data outside of the array.
gcc is clearly wrong here, since this condition was already checked
earlier in the function and the 'size' value can not change in the
meantime.
Fortunately, we can work around it and get rid of the warning by
rearranging the function to check for zero size after doing the
copy_from_user. It is still safe to pass a zero size into
copy_from_user, so it does not cause any side effects.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-10-14 02:52:08 +04:00
if ( ! count )
return 0 ;
2014-12-11 02:52:10 +03:00
if ( s [ count - 1 ] = = ' \n ' )
2005-04-17 02:20:36 +04:00
count - - ;
if ( count = = 1 & & s [ 0 ] = = ' 0 ' )
return 1 ;
if ( count = = 1 & & s [ 0 ] = = ' 1 ' )
return 2 ;
if ( count = = 2 & & s [ 0 ] = = ' - ' & & s [ 1 ] = = ' 1 ' )
return 3 ;
return - EINVAL ;
}
/* generic stuff */
static void entry_status ( Node * e , char * page )
{
2015-04-16 22:44:56 +03:00
char * dp = page ;
const char * status = " disabled " ;
2005-04-17 02:20:36 +04:00
if ( test_bit ( Enabled , & e - > flags ) )
status = " enabled " ;
if ( ! VERBOSE_STATUS ) {
sprintf ( page , " %s \n " , status ) ;
return ;
}
2015-04-16 22:44:56 +03:00
dp + = sprintf ( dp , " %s \n interpreter %s \n " , status , e - > interpreter ) ;
2005-04-17 02:20:36 +04:00
/* print the special flags */
2015-04-16 22:44:56 +03:00
dp + = sprintf ( dp , " flags: " ) ;
2014-12-11 02:52:10 +03:00
if ( e - > flags & MISC_FMT_PRESERVE_ARGV0 )
* dp + + = ' P ' ;
if ( e - > flags & MISC_FMT_OPEN_BINARY )
* dp + + = ' O ' ;
if ( e - > flags & MISC_FMT_CREDENTIALS )
* dp + + = ' C ' ;
2016-02-18 03:51:16 +03:00
if ( e - > flags & MISC_FMT_OPEN_FILE )
* dp + + = ' F ' ;
2014-12-11 02:52:10 +03:00
* dp + + = ' \n ' ;
2005-04-17 02:20:36 +04:00
if ( ! test_bit ( Magic , & e - > flags ) ) {
sprintf ( dp , " extension .%s \n " , e - > magic ) ;
} else {
2015-04-16 22:44:56 +03:00
dp + = sprintf ( dp , " offset %i \n magic " , e - > offset ) ;
dp = bin2hex ( dp , e - > magic , e - > size ) ;
2005-04-17 02:20:36 +04:00
if ( e - > mask ) {
2015-04-16 22:44:56 +03:00
dp + = sprintf ( dp , " \n mask " ) ;
dp = bin2hex ( dp , e - > mask , e - > size ) ;
2005-04-17 02:20:36 +04:00
}
* dp + + = ' \n ' ;
* dp = ' \0 ' ;
}
}
static struct inode * bm_get_inode ( struct super_block * sb , int mode )
{
2014-12-11 02:52:10 +03:00
struct inode * inode = new_inode ( sb ) ;
2005-04-17 02:20:36 +04:00
if ( inode ) {
2010-10-23 19:19:54 +04:00
inode - > i_ino = get_next_ino ( ) ;
2005-04-17 02:20:36 +04:00
inode - > i_mode = mode ;
inode - > i_atime = inode - > i_mtime = inode - > i_ctime =
2016-09-14 17:48:06 +03:00
current_time ( inode ) ;
2005-04-17 02:20:36 +04:00
}
return inode ;
}
2010-06-07 22:34:48 +04:00
static void bm_evict_inode ( struct inode * inode )
2005-04-17 02:20:36 +04:00
{
2017-10-04 02:15:48 +03:00
Node * e = inode - > i_private ;
2017-10-14 01:58:18 +03:00
if ( e & & e - > flags & MISC_FMT_OPEN_FILE )
2017-10-04 02:15:48 +03:00
filp_close ( e - > interp_file , NULL ) ;
2012-05-03 16:48:02 +04:00
clear_inode ( inode ) ;
2017-10-04 02:15:48 +03:00
kfree ( e ) ;
2005-04-17 02:20:36 +04:00
}
static void kill_node ( Node * e )
{
struct dentry * dentry ;
write_lock ( & entries_lock ) ;
2017-10-04 02:15:45 +03:00
list_del_init ( & e - > list ) ;
2005-04-17 02:20:36 +04:00
write_unlock ( & entries_lock ) ;
2017-10-04 02:15:45 +03:00
dentry = e - > dentry ;
drop_nlink ( d_inode ( dentry ) ) ;
d_drop ( dentry ) ;
dput ( dentry ) ;
simple_release_fs ( & bm_mnt , & entry_count ) ;
2005-04-17 02:20:36 +04:00
}
/* /<entry> */
static ssize_t
2014-12-11 02:52:10 +03:00
bm_entry_read ( struct file * file , char __user * buf , size_t nbytes , loff_t * ppos )
2005-04-17 02:20:36 +04:00
{
2013-01-24 02:07:38 +04:00
Node * e = file_inode ( file ) - > i_private ;
2005-04-17 02:20:36 +04:00
ssize_t res ;
char * page ;
2014-12-11 02:52:10 +03:00
page = ( char * ) __get_free_page ( GFP_KERNEL ) ;
if ( ! page )
2005-04-17 02:20:36 +04:00
return - ENOMEM ;
entry_status ( e , page ) ;
2008-07-24 08:29:15 +04:00
res = simple_read_from_buffer ( buf , nbytes , ppos , page , strlen ( page ) ) ;
2005-04-17 02:20:36 +04:00
free_page ( ( unsigned long ) page ) ;
return res ;
}
static ssize_t bm_entry_write ( struct file * file , const char __user * buffer ,
size_t count , loff_t * ppos )
{
struct dentry * root ;
2013-01-24 02:07:38 +04:00
Node * e = file_inode ( file ) - > i_private ;
2005-04-17 02:20:36 +04:00
int res = parse_command ( buffer , count ) ;
switch ( res ) {
2014-12-11 02:52:10 +03:00
case 1 :
/* Disable this handler. */
clear_bit ( Enabled , & e - > flags ) ;
break ;
case 2 :
/* Enable this handler. */
set_bit ( Enabled , & e - > flags ) ;
break ;
case 3 :
/* Delete this handler. */
2016-05-30 02:14:03 +03:00
root = file_inode ( file ) - > i_sb - > s_root ;
2016-01-22 23:40:57 +03:00
inode_lock ( d_inode ( root ) ) ;
2005-04-17 02:20:36 +04:00
2017-10-04 02:15:45 +03:00
if ( ! list_empty ( & e - > list ) )
kill_node ( e ) ;
2005-04-17 02:20:36 +04:00
2016-01-22 23:40:57 +03:00
inode_unlock ( d_inode ( root ) ) ;
2014-12-11 02:52:10 +03:00
break ;
default :
return res ;
2005-04-17 02:20:36 +04:00
}
2014-12-11 02:52:10 +03:00
2005-04-17 02:20:36 +04:00
return count ;
}
2006-03-28 13:56:42 +04:00
static const struct file_operations bm_entry_operations = {
2005-04-17 02:20:36 +04:00
. read = bm_entry_read ,
. write = bm_entry_write ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2005-04-17 02:20:36 +04:00
} ;
/* /register */
static ssize_t bm_register_write ( struct file * file , const char __user * buffer ,
size_t count , loff_t * ppos )
{
Node * e ;
struct inode * inode ;
2016-05-30 02:14:03 +03:00
struct super_block * sb = file_inode ( file ) - > i_sb ;
struct dentry * root = sb - > s_root , * dentry ;
2005-04-17 02:20:36 +04:00
int err = 0 ;
binfmt_misc: fix possible deadlock in bm_register_write
There is a deadlock in bm_register_write:
First, in the begining of the function, a lock is taken on the binfmt_misc
root inode with inode_lock(d_inode(root)).
Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call
open_exec on the user-provided interpreter.
open_exec will call a path lookup, and if the path lookup process includes
the root of binfmt_misc, it will try to take a shared lock on its inode
again, but it is already locked, and the code will get stuck in a deadlock
To reproduce the bug:
$ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register
backtrace of where the lock occurs (#5):
0 schedule () at ./arch/x86/include/asm/current.h:15
1 0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=<optimized out>, state=state@entry=2) at kernel/locking/rwsem.c:992
2 0xffffffff81b5150a in __down_read_common (state=2, sem=<optimized out>) at kernel/locking/rwsem.c:1213
3 __down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1222
4 down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1355
5 0xffffffff811ee22a in inode_lock_shared (inode=<optimized out>) at ./include/linux/fs.h:783
6 open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177
7 path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366
8 0xffffffff811efe1c in do_filp_open (dfd=<optimized out>, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396
9 0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=<optimized out>, flags@entry=0) at fs/exec.c:913
10 0xffffffff811e4a92 in open_exec (name=<optimized out>) at fs/exec.c:948
11 0xffffffff8124aa84 in bm_register_write (file=<optimized out>, buffer=<optimized out>, count=19, ppos=<optimized out>) at fs/binfmt_misc.c:682
12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF
", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603
13 0xffffffff811defda in ksys_write (fd=<optimized out>, buf=0xa758d0 ":iiiii:E::ii::i:CF
", count=19) at fs/read_write.c:658
14 0xffffffff81b49813 in do_syscall_64 (nr=<optimized out>, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46
15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120
To solve the issue, the open_exec call is moved to before the write
lock is taken by bm_register_write
Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com
Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers")
Signed-off-by: Lior Ribak <liorribak@gmail.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-03-13 08:07:41 +03:00
struct file * f = NULL ;
2005-04-17 02:20:36 +04:00
e = create_entry ( buffer , count ) ;
if ( IS_ERR ( e ) )
return PTR_ERR ( e ) ;
binfmt_misc: fix possible deadlock in bm_register_write
There is a deadlock in bm_register_write:
First, in the begining of the function, a lock is taken on the binfmt_misc
root inode with inode_lock(d_inode(root)).
Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call
open_exec on the user-provided interpreter.
open_exec will call a path lookup, and if the path lookup process includes
the root of binfmt_misc, it will try to take a shared lock on its inode
again, but it is already locked, and the code will get stuck in a deadlock
To reproduce the bug:
$ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register
backtrace of where the lock occurs (#5):
0 schedule () at ./arch/x86/include/asm/current.h:15
1 0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=<optimized out>, state=state@entry=2) at kernel/locking/rwsem.c:992
2 0xffffffff81b5150a in __down_read_common (state=2, sem=<optimized out>) at kernel/locking/rwsem.c:1213
3 __down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1222
4 down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1355
5 0xffffffff811ee22a in inode_lock_shared (inode=<optimized out>) at ./include/linux/fs.h:783
6 open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177
7 path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366
8 0xffffffff811efe1c in do_filp_open (dfd=<optimized out>, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396
9 0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=<optimized out>, flags@entry=0) at fs/exec.c:913
10 0xffffffff811e4a92 in open_exec (name=<optimized out>) at fs/exec.c:948
11 0xffffffff8124aa84 in bm_register_write (file=<optimized out>, buffer=<optimized out>, count=19, ppos=<optimized out>) at fs/binfmt_misc.c:682
12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF
", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603
13 0xffffffff811defda in ksys_write (fd=<optimized out>, buf=0xa758d0 ":iiiii:E::ii::i:CF
", count=19) at fs/read_write.c:658
14 0xffffffff81b49813 in do_syscall_64 (nr=<optimized out>, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46
15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120
To solve the issue, the open_exec call is moved to before the write
lock is taken by bm_register_write
Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com
Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers")
Signed-off-by: Lior Ribak <liorribak@gmail.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-03-13 08:07:41 +03:00
if ( e - > flags & MISC_FMT_OPEN_FILE ) {
f = open_exec ( e - > interpreter ) ;
if ( IS_ERR ( f ) ) {
pr_notice ( " register: failed to install interpreter file %s \n " ,
e - > interpreter ) ;
kfree ( e ) ;
return PTR_ERR ( f ) ;
}
e - > interp_file = f ;
}
2016-01-22 23:40:57 +03:00
inode_lock ( d_inode ( root ) ) ;
2005-04-17 02:20:36 +04:00
dentry = lookup_one_len ( e - > name , root , strlen ( e - > name ) ) ;
err = PTR_ERR ( dentry ) ;
if ( IS_ERR ( dentry ) )
goto out ;
err = - EEXIST ;
2015-03-18 01:26:12 +03:00
if ( d_really_is_positive ( dentry ) )
2005-04-17 02:20:36 +04:00
goto out2 ;
inode = bm_get_inode ( sb , S_IFREG | 0644 ) ;
err = - ENOMEM ;
if ( ! inode )
goto out2 ;
2006-06-09 17:34:16 +04:00
err = simple_pin_fs ( & bm_fs_type , & bm_mnt , & entry_count ) ;
2005-04-17 02:20:36 +04:00
if ( err ) {
iput ( inode ) ;
inode = NULL ;
goto out2 ;
}
e - > dentry = dget ( dentry ) ;
2006-09-27 12:50:46 +04:00
inode - > i_private = e ;
2005-04-17 02:20:36 +04:00
inode - > i_fop = & bm_entry_operations ;
d_instantiate ( dentry , inode ) ;
write_lock ( & entries_lock ) ;
list_add ( & e - > list , & entries ) ;
write_unlock ( & entries_lock ) ;
err = 0 ;
out2 :
dput ( dentry ) ;
out :
2016-01-22 23:40:57 +03:00
inode_unlock ( d_inode ( root ) ) ;
2005-04-17 02:20:36 +04:00
if ( err ) {
binfmt_misc: fix possible deadlock in bm_register_write
There is a deadlock in bm_register_write:
First, in the begining of the function, a lock is taken on the binfmt_misc
root inode with inode_lock(d_inode(root)).
Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call
open_exec on the user-provided interpreter.
open_exec will call a path lookup, and if the path lookup process includes
the root of binfmt_misc, it will try to take a shared lock on its inode
again, but it is already locked, and the code will get stuck in a deadlock
To reproduce the bug:
$ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register
backtrace of where the lock occurs (#5):
0 schedule () at ./arch/x86/include/asm/current.h:15
1 0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=<optimized out>, state=state@entry=2) at kernel/locking/rwsem.c:992
2 0xffffffff81b5150a in __down_read_common (state=2, sem=<optimized out>) at kernel/locking/rwsem.c:1213
3 __down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1222
4 down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1355
5 0xffffffff811ee22a in inode_lock_shared (inode=<optimized out>) at ./include/linux/fs.h:783
6 open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177
7 path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366
8 0xffffffff811efe1c in do_filp_open (dfd=<optimized out>, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396
9 0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=<optimized out>, flags@entry=0) at fs/exec.c:913
10 0xffffffff811e4a92 in open_exec (name=<optimized out>) at fs/exec.c:948
11 0xffffffff8124aa84 in bm_register_write (file=<optimized out>, buffer=<optimized out>, count=19, ppos=<optimized out>) at fs/binfmt_misc.c:682
12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF
", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603
13 0xffffffff811defda in ksys_write (fd=<optimized out>, buf=0xa758d0 ":iiiii:E::ii::i:CF
", count=19) at fs/read_write.c:658
14 0xffffffff81b49813 in do_syscall_64 (nr=<optimized out>, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46
15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120
To solve the issue, the open_exec call is moved to before the write
lock is taken by bm_register_write
Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com
Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers")
Signed-off-by: Lior Ribak <liorribak@gmail.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-03-13 08:07:41 +03:00
if ( f )
filp_close ( f , NULL ) ;
2005-04-17 02:20:36 +04:00
kfree ( e ) ;
2016-02-18 03:51:16 +03:00
return err ;
2005-04-17 02:20:36 +04:00
}
return count ;
}
2006-03-28 13:56:42 +04:00
static const struct file_operations bm_register_operations = {
2005-04-17 02:20:36 +04:00
. write = bm_register_write ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = noop_llseek ,
2005-04-17 02:20:36 +04:00
} ;
/* /status */
static ssize_t
bm_status_read ( struct file * file , char __user * buf , size_t nbytes , loff_t * ppos )
{
2009-01-07 01:41:38 +03:00
char * s = enabled ? " enabled \n " : " disabled \n " ;
2005-04-17 02:20:36 +04:00
2007-05-09 13:33:32 +04:00
return simple_read_from_buffer ( buf , nbytes , ppos , s , strlen ( s ) ) ;
2005-04-17 02:20:36 +04:00
}
2014-12-11 02:52:10 +03:00
static ssize_t bm_status_write ( struct file * file , const char __user * buffer ,
2005-04-17 02:20:36 +04:00
size_t count , loff_t * ppos )
{
int res = parse_command ( buffer , count ) ;
struct dentry * root ;
switch ( res ) {
2014-12-11 02:52:10 +03:00
case 1 :
/* Disable all handlers. */
enabled = 0 ;
break ;
case 2 :
/* Enable all handlers. */
enabled = 1 ;
break ;
case 3 :
/* Delete all handlers. */
2016-05-30 02:14:03 +03:00
root = file_inode ( file ) - > i_sb - > s_root ;
2016-01-22 23:40:57 +03:00
inode_lock ( d_inode ( root ) ) ;
2005-04-17 02:20:36 +04:00
2014-12-11 02:52:10 +03:00
while ( ! list_empty ( & entries ) )
2017-10-04 02:15:45 +03:00
kill_node ( list_first_entry ( & entries , Node , list ) ) ;
2005-04-17 02:20:36 +04:00
2016-01-22 23:40:57 +03:00
inode_unlock ( d_inode ( root ) ) ;
2014-12-11 02:52:10 +03:00
break ;
default :
return res ;
2005-04-17 02:20:36 +04:00
}
2014-12-11 02:52:10 +03:00
2005-04-17 02:20:36 +04:00
return count ;
}
2006-03-28 13:56:42 +04:00
static const struct file_operations bm_status_operations = {
2005-04-17 02:20:36 +04:00
. read = bm_status_read ,
. write = bm_status_write ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2005-04-17 02:20:36 +04:00
} ;
/* Superblock handling */
2007-02-12 11:55:41 +03:00
static const struct super_operations s_ops = {
2005-04-17 02:20:36 +04:00
. statfs = simple_statfs ,
2010-06-07 22:34:48 +04:00
. evict_inode = bm_evict_inode ,
2005-04-17 02:20:36 +04:00
} ;
2019-03-25 19:38:28 +03:00
static int bm_fill_super ( struct super_block * sb , struct fs_context * fc )
2005-04-17 02:20:36 +04:00
{
2014-12-11 02:52:10 +03:00
int err ;
2017-03-26 07:15:37 +03:00
static const struct tree_descr bm_files [ ] = {
2007-05-08 11:32:31 +04:00
[ 2 ] = { " status " , & bm_status_operations , S_IWUSR | S_IRUGO } ,
[ 3 ] = { " register " , & bm_register_operations , S_IWUSR } ,
2005-04-17 02:20:36 +04:00
/* last one */ { " " }
} ;
2014-12-11 02:52:10 +03:00
err = simple_fill_super ( sb , BINFMTFS_MAGIC , bm_files ) ;
2005-04-17 02:20:36 +04:00
if ( ! err )
sb - > s_op = & s_ops ;
return err ;
}
2019-03-25 19:38:28 +03:00
static int bm_get_tree ( struct fs_context * fc )
2005-04-17 02:20:36 +04:00
{
2019-03-25 19:38:28 +03:00
return get_tree_single ( fc , bm_fill_super ) ;
}
static const struct fs_context_operations bm_context_ops = {
. get_tree = bm_get_tree ,
} ;
static int bm_init_fs_context ( struct fs_context * fc )
{
fc - > ops = & bm_context_ops ;
return 0 ;
2005-04-17 02:20:36 +04:00
}
static struct linux_binfmt misc_format = {
. module = THIS_MODULE ,
. load_binary = load_misc_binary ,
} ;
static struct file_system_type bm_fs_type = {
. owner = THIS_MODULE ,
. name = " binfmt_misc " ,
2019-03-25 19:38:28 +03:00
. init_fs_context = bm_init_fs_context ,
2005-04-17 02:20:36 +04:00
. kill_sb = kill_litter_super ,
} ;
2013-03-03 07:39:14 +04:00
MODULE_ALIAS_FS ( " binfmt_misc " ) ;
2005-04-17 02:20:36 +04:00
static int __init init_misc_binfmt ( void )
{
int err = register_filesystem ( & bm_fs_type ) ;
2012-03-17 11:05:16 +04:00
if ( ! err )
insert_binfmt ( & misc_format ) ;
2022-02-09 10:49:20 +03:00
return err ;
2005-04-17 02:20:36 +04:00
}
static void __exit exit_misc_binfmt ( void )
{
unregister_binfmt ( & misc_format ) ;
unregister_filesystem ( & bm_fs_type ) ;
}
core_initcall ( init_misc_binfmt ) ;
module_exit ( exit_misc_binfmt ) ;
MODULE_LICENSE ( " GPL " ) ;