1 /* $NetBSD: linux_exec_elf32.c,v 1.100 2020/01/12 18:30:58 ad Exp $ */ 2 3 /*- 4 * Copyright (c) 1995, 1998, 2000, 2001 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Christos Zoulas, Frank van der Linden, Eric Haszlakiewicz and 9 * Emmanuel Dreyfus. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 24 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 /* 34 * based on exec_aout.c, sunos_exec.c and svr4_exec.c 35 */ 36 37 #include <sys/cdefs.h> 38 __KERNEL_RCSID(0, "$NetBSD: linux_exec_elf32.c,v 1.100 2020/01/12 18:30:58 ad Exp $"); 39 40 #ifndef ELFSIZE 41 /* XXX should die */ 42 #define ELFSIZE 32 43 #endif 44 45 #include <sys/param.h> 46 #include <sys/systm.h> 47 #include <sys/kernel.h> 48 #include <sys/proc.h> 49 #include <sys/malloc.h> 50 #include <sys/namei.h> 51 #include <sys/vnode.h> 52 #include <sys/mount.h> 53 #include <sys/exec.h> 54 #include <sys/exec_elf.h> 55 #include <sys/stat.h> 56 #include <sys/kauth.h> 57 #include <sys/cprng.h> 58 #include <sys/compat_stub.h> 59 60 #include <sys/mman.h> 61 #include <sys/syscallargs.h> 62 63 #include <sys/cpu.h> 64 #include <machine/reg.h> 65 66 #include <compat/linux/common/linux_types.h> 67 #include <compat/linux/common/linux_signal.h> 68 #include <compat/linux/common/linux_util.h> 69 #include <compat/linux/common/linux_exec.h> 70 #include <compat/linux/common/linux_machdep.h> 71 #include <compat/linux/common/linux_ipc.h> 72 #include <compat/linux/common/linux_sem.h> 73 74 #include <compat/linux/linux_syscallargs.h> 75 #include <compat/linux/linux_syscall.h> 76 77 #define LINUX_GO_RT0_SIGNATURE 78 79 #ifdef DEBUG_LINUX 80 #define DPRINTF(a) uprintf a 81 #else 82 #define DPRINTF(a) do {} while (0) 83 #endif 84 85 #ifdef LINUX_ATEXIT_SIGNATURE 86 /* 87 * On the PowerPC, statically linked Linux binaries are not recognized 88 * by linux_signature nor by linux_gcc_signature. Fortunately, thoses 89 * binaries features a __libc_atexit ELF section. We therefore assume we 90 * have a Linux binary if we find this section. 91 */ 92 int 93 ELFNAME2(linux,atexit_signature)( 94 struct lwp *l, 95 struct exec_package *epp, 96 Elf_Ehdr *eh) 97 { 98 Elf_Shdr *sh; 99 size_t shsize; 100 u_int shstrndx; 101 size_t i; 102 static const char signature[] = "__libc_atexit"; 103 const size_t sigsz = sizeof(signature); 104 char tbuf[sizeof(signature)]; 105 int error; 106 107 /* Load the section header table. */ 108 shsize = eh->e_shnum * sizeof(Elf_Shdr); 109 sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); 110 error = exec_read(l, epp->ep_vp, eh->e_shoff, sh, shsize, 111 IO_NODELOCKED); 112 if (error) 113 goto out; 114 115 /* Now let's find the string table. If it does not exist, give up. */ 116 shstrndx = eh->e_shstrndx; 117 if (shstrndx == SHN_UNDEF || shstrndx >= eh->e_shnum) { 118 error = ENOEXEC; 119 goto out; 120 } 121 122 /* Check if any section has the name we're looking for. */ 123 const off_t stroff = sh[shstrndx].sh_offset; 124 for (i = 0; i < eh->e_shnum; i++) { 125 Elf_Shdr *s = &sh[i]; 126 127 if (s->sh_name + sigsz > sh[shstrndx].sh_size) 128 continue; 129 130 error = exec_read(l, epp->ep_vp, stroff + s->sh_name, tbuf, 131 sigsz, IO_NODELOCKED); 132 if (error) 133 goto out; 134 if (!memcmp(tbuf, signature, sigsz)) { 135 DPRINTF(("linux_atexit_sig=%s\n", tbuf)); 136 error = 0; 137 goto out; 138 } 139 } 140 error = ENOEXEC; 141 142 out: 143 free(sh, M_TEMP); 144 return (error); 145 } 146 #endif 147 148 #ifdef LINUX_GCC_SIGNATURE 149 /* 150 * Take advantage of the fact that all the linux binaries are compiled 151 * with gcc, and gcc sticks in the comment field a signature. Note that 152 * on SVR4 binaries, the gcc signature will follow the OS name signature, 153 * that will not be a problem. We don't bother to read in the string table, 154 * but we check all the progbits headers. 155 * 156 * XXX This only works in the i386. On the alpha (at least) 157 * XXX we have the same gcc signature which incorrectly identifies 158 * XXX NetBSD binaries as Linux. 159 */ 160 int 161 ELFNAME2(linux,gcc_signature)( 162 struct lwp *l, 163 struct exec_package *epp, 164 Elf_Ehdr *eh) 165 { 166 size_t shsize; 167 size_t i; 168 static const char signature[] = "\0GCC: (GNU) "; 169 char tbuf[sizeof(signature) - 1]; 170 Elf_Shdr *sh; 171 int error; 172 173 shsize = eh->e_shnum * sizeof(Elf_Shdr); 174 sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); 175 error = exec_read(l, epp->ep_vp, eh->e_shoff, sh, shsize, 176 IO_NODELOCKED); 177 if (error) 178 goto out; 179 180 for (i = 0; i < eh->e_shnum; i++) { 181 Elf_Shdr *s = &sh[i]; 182 183 /* 184 * Identify candidates for the comment header; 185 * Header cannot have a load address, or flags and 186 * it must be large enough. 187 */ 188 if (s->sh_type != SHT_PROGBITS || 189 s->sh_addr != 0 || 190 s->sh_flags != 0 || 191 s->sh_size < sizeof(signature) - 1) 192 continue; 193 194 error = exec_read(l, epp->ep_vp, s->sh_offset, tbuf, 195 sizeof(signature) - 1, IO_NODELOCKED); 196 if (error) 197 continue; 198 199 /* 200 * error is 0, if the signatures match we are done. 201 */ 202 DPRINTF(("linux_gcc_sig: sig=%s\n", tbuf)); 203 if (!memcmp(tbuf, signature, sizeof(signature) - 1)) { 204 error = 0; 205 goto out; 206 } 207 } 208 error = ENOEXEC; 209 210 out: 211 free(sh, M_TEMP); 212 return (error); 213 } 214 #endif 215 216 #ifdef LINUX_DEBUGLINK_SIGNATURE 217 /* 218 * Look for a .gnu_debuglink, specific to x86_64 interpreter 219 */ 220 int 221 ELFNAME2(linux,debuglink_signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh) 222 { 223 Elf_Shdr *sh; 224 size_t shsize; 225 u_int shstrndx; 226 size_t i; 227 static const char signature[] = ".gnu_debuglink"; 228 const size_t sigsz = sizeof(signature); 229 char tbuf[sizeof(signature)]; 230 int error; 231 232 /* Load the section header table. */ 233 shsize = eh->e_shnum * sizeof(Elf_Shdr); 234 sh = (Elf_Shdr *) malloc(shsize, M_TEMP, M_WAITOK); 235 error = exec_read(l, epp->ep_vp, eh->e_shoff, sh, shsize, 236 IO_NODELOCKED); 237 if (error) 238 goto out; 239 240 /* Now let's find the string table. If it does not exist, give up. */ 241 shstrndx = eh->e_shstrndx; 242 if (shstrndx == SHN_UNDEF || shstrndx >= eh->e_shnum) { 243 error = ENOEXEC; 244 goto out; 245 } 246 247 /* Check if any section has the name we're looking for. */ 248 const off_t stroff = sh[shstrndx].sh_offset; 249 for (i = 0; i < eh->e_shnum; i++) { 250 Elf_Shdr *s = &sh[i]; 251 252 if (s->sh_name + sigsz > sh[shstrndx].sh_size) 253 continue; 254 255 error = exec_read(l, epp->ep_vp, stroff + s->sh_name, tbuf, 256 sigsz, IO_NODELOCKED); 257 if (error) 258 goto out; 259 if (!memcmp(tbuf, signature, sigsz)) { 260 DPRINTF(("linux_debuglink_sig=%s\n", tbuf)); 261 error = 0; 262 goto out; 263 } 264 } 265 error = ENOEXEC; 266 267 out: 268 free(sh, M_TEMP); 269 return (error); 270 } 271 #endif 272 273 #ifdef LINUX_GO_RT0_SIGNATURE 274 /* 275 * Look for a .gopclntab, specific to go binaries 276 * in it look for a symbol called _rt0_<cpu>_linux 277 */ 278 static int 279 ELFNAME2(linux,go_rt0_signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh) 280 { 281 Elf_Shdr *sh; 282 size_t shsize; 283 u_int shstrndx; 284 size_t i; 285 static const char signature[] = ".gopclntab"; 286 const size_t sigsz = sizeof(signature); 287 char tbuf[sizeof(signature)], *tmp = NULL; 288 char mbuf[64]; 289 const char *m; 290 int mlen; 291 int error; 292 293 /* Load the section header table. */ 294 shsize = eh->e_shnum * sizeof(Elf_Shdr); 295 sh = malloc(shsize, M_TEMP, M_WAITOK); 296 error = exec_read(l, epp->ep_vp, eh->e_shoff, sh, shsize, 297 IO_NODELOCKED); 298 if (error) 299 goto out; 300 301 /* Now let's find the string table. If it does not exist, give up. */ 302 shstrndx = eh->e_shstrndx; 303 if (shstrndx == SHN_UNDEF || shstrndx >= eh->e_shnum) { 304 error = ENOEXEC; 305 goto out; 306 } 307 308 /* Check if any section has the name we're looking for. */ 309 const off_t stroff = sh[shstrndx].sh_offset; 310 for (i = 0; i < eh->e_shnum; i++) { 311 Elf_Shdr *s = &sh[i]; 312 313 if (s->sh_name + sigsz > sh[shstrndx].sh_size) 314 continue; 315 316 error = exec_read(l, epp->ep_vp, stroff + s->sh_name, tbuf, 317 sigsz, IO_NODELOCKED); 318 if (error) 319 goto out; 320 if (!memcmp(tbuf, signature, sigsz)) { 321 DPRINTF(("linux_goplcntab_sig=%s\n", tbuf)); 322 break; 323 } 324 } 325 326 if (i == eh->e_shnum) { 327 error = ENOEXEC; 328 goto out; 329 } 330 331 // Don't scan more than 1MB 332 if (sh[i].sh_size > 1024 * 1024) 333 sh[i].sh_size = 1024 * 1024; 334 335 tmp = malloc(sh[i].sh_size, M_TEMP, M_WAITOK); 336 error = exec_read(l, epp->ep_vp, sh[i].sh_offset, tmp, 337 sh[i].sh_size, IO_NODELOCKED); 338 if (error) 339 goto out; 340 341 #if (ELFSIZE == 32) 342 extern struct netbsd32_machine32_hook_t netbsd32_machine32_hook; 343 MODULE_HOOK_CALL(netbsd32_machine32_hook, (), machine, m); 344 #else 345 m = machine; 346 #endif 347 mlen = snprintf(mbuf, sizeof(mbuf), "_rt0_%s_linux", m); 348 if (memmem(tmp, sh[i].sh_size, mbuf, mlen) == NULL) 349 error = ENOEXEC; 350 else 351 DPRINTF(("linux_rt0_sig=%s\n", mbuf)); 352 out: 353 if (tmp) 354 free(tmp, M_TEMP); 355 free(sh, M_TEMP); 356 return error; 357 } 358 #endif 359 360 int 361 ELFNAME2(linux,signature)(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh, char *itp) 362 { 363 size_t i; 364 Elf_Phdr *ph; 365 size_t phsize; 366 int error; 367 static const char linux[] = "Linux"; 368 369 if (eh->e_ident[EI_OSABI] == ELFOSABI_LINUX || 370 memcmp(&eh->e_ident[EI_ABIVERSION], linux, sizeof(linux)) == 0) 371 return 0; 372 373 phsize = eh->e_phnum * sizeof(Elf_Phdr); 374 ph = (Elf_Phdr *)malloc(phsize, M_TEMP, M_WAITOK); 375 error = exec_read(l, epp->ep_vp, eh->e_phoff, ph, phsize, 376 IO_NODELOCKED); 377 if (error) 378 goto out; 379 380 for (i = 0; i < eh->e_phnum; i++) { 381 Elf_Phdr *ephp = &ph[i]; 382 Elf_Nhdr *np; 383 u_int32_t *abi; 384 385 if (ephp->p_type != PT_NOTE || 386 ephp->p_filesz > 1024 || 387 ephp->p_filesz < sizeof(Elf_Nhdr) + 20) 388 continue; 389 390 np = (Elf_Nhdr *)malloc(ephp->p_filesz, M_TEMP, M_WAITOK); 391 error = exec_read(l, epp->ep_vp, ephp->p_offset, np, 392 ephp->p_filesz, IO_NODELOCKED); 393 if (error) 394 goto next; 395 396 if (np->n_type != ELF_NOTE_TYPE_ABI_TAG || 397 np->n_namesz != ELF_NOTE_ABI_NAMESZ || 398 np->n_descsz != ELF_NOTE_ABI_DESCSZ || 399 memcmp((void *)(np + 1), ELF_NOTE_ABI_NAME, 400 ELF_NOTE_ABI_NAMESZ)) 401 goto next; 402 403 /* Make sure the OS is Linux. */ 404 abi = (u_int32_t *)((char *)np + sizeof(Elf_Nhdr) + 405 np->n_namesz); 406 if (abi[0] == ELF_NOTE_ABI_OS_LINUX) 407 error = 0; 408 else 409 error = ENOEXEC; 410 free(np, M_TEMP); 411 goto out; 412 413 next: 414 free(np, M_TEMP); 415 continue; 416 } 417 418 /* Check for certain interpreter names. */ 419 if (itp) { 420 if (!strncmp(itp, "/lib/ld-linux", 13) || 421 #if (ELFSIZE == 64) 422 !strncmp(itp, "/lib64/ld-linux", 15) || 423 #endif 424 !strncmp(itp, "/lib/ld.so.", 11)) 425 error = 0; 426 else 427 error = ENOEXEC; 428 goto out; 429 } 430 431 error = ENOEXEC; 432 out: 433 free(ph, M_TEMP); 434 return (error); 435 } 436 437 int 438 ELFNAME2(linux,probe)(struct lwp *l, struct exec_package *epp, void *eh, 439 char *itp, vaddr_t *pos) 440 { 441 int error; 442 443 if (((error = ELFNAME2(linux,signature)(l, epp, eh, itp)) != 0) && 444 #ifdef LINUX_GCC_SIGNATURE 445 ((error = ELFNAME2(linux,gcc_signature)(l, epp, eh)) != 0) && 446 #endif 447 #ifdef LINUX_ATEXIT_SIGNATURE 448 ((error = ELFNAME2(linux,atexit_signature)(l, epp, eh)) != 0) && 449 #endif 450 #ifdef LINUX_DEBUGLINK_SIGNATURE 451 ((error = ELFNAME2(linux,debuglink_signature)(l, epp, eh)) != 0) && 452 #endif 453 #ifdef LINUX_GO_RT0_SIGNATURE 454 ((error = ELFNAME2(linux,go_rt0_signature)(l, epp, eh)) != 0) && 455 #endif 456 1) { 457 DPRINTF(("linux_probe: returning %d\n", error)); 458 return error; 459 } 460 461 if (itp) { 462 if ((error = emul_find_interp(l, epp, itp))) 463 return (error); 464 } 465 epp->ep_flags |= EXEC_FORCEAUX; 466 DPRINTF(("linux_probe: returning 0\n")); 467 return 0; 468 } 469 470 #ifndef LINUX_MACHDEP_ELF_COPYARGS 471 /* 472 * Copy arguments onto the stack in the normal way, but add some 473 * extra information in case of dynamic binding. 474 */ 475 int 476 ELFNAME2(linux,copyargs)(struct lwp *l, struct exec_package *pack, 477 struct ps_strings *arginfo, char **stackp, void *argp) 478 { 479 size_t len; 480 AuxInfo ai[LINUX_ELF_AUX_ENTRIES], *a; 481 struct elf_args *ap; 482 int error; 483 struct vattr *vap; 484 uint32_t randbytes[4]; 485 486 if ((error = copyargs(l, pack, arginfo, stackp, argp)) != 0) 487 return error; 488 489 a = ai; 490 491 memset(ai, 0, sizeof(ai)); 492 493 /* 494 * Push extra arguments used by glibc on the stack. 495 */ 496 497 a->a_type = AT_PAGESZ; 498 a->a_v = PAGE_SIZE; 499 a++; 500 501 if ((ap = (struct elf_args *)pack->ep_emul_arg)) { 502 503 a->a_type = AT_PHDR; 504 a->a_v = ap->arg_phaddr; 505 a++; 506 507 a->a_type = AT_PHENT; 508 a->a_v = ap->arg_phentsize; 509 a++; 510 511 a->a_type = AT_PHNUM; 512 a->a_v = ap->arg_phnum; 513 a++; 514 515 a->a_type = AT_BASE; 516 a->a_v = ap->arg_interp; 517 a++; 518 519 a->a_type = AT_FLAGS; 520 a->a_v = 0; 521 a++; 522 523 a->a_type = AT_ENTRY; 524 a->a_v = ap->arg_entry; 525 a++; 526 527 exec_free_emul_arg(pack); 528 } 529 530 /* Linux-specific items */ 531 a->a_type = LINUX_AT_CLKTCK; 532 a->a_v = hz; 533 a++; 534 535 vap = pack->ep_vap; 536 537 a->a_type = LINUX_AT_UID; 538 a->a_v = kauth_cred_getuid(l->l_cred); 539 a++; 540 541 a->a_type = LINUX_AT_EUID; 542 if (vap->va_mode & S_ISUID) 543 a->a_v = vap->va_uid; 544 else 545 a->a_v = kauth_cred_geteuid(l->l_cred); 546 a++; 547 548 a->a_type = LINUX_AT_GID; 549 a->a_v = kauth_cred_getgid(l->l_cred); 550 a++; 551 552 a->a_type = LINUX_AT_EGID; 553 if (vap->va_mode & S_ISGID) 554 a->a_v = vap->va_gid; 555 else 556 a->a_v = kauth_cred_getegid(l->l_cred); 557 a++; 558 559 a->a_type = LINUX_AT_RANDOM; 560 a->a_v = (Elf_Addr)(uintptr_t)*stackp; 561 a++; 562 563 a->a_type = AT_NULL; 564 a->a_v = 0; 565 a++; 566 567 randbytes[0] = cprng_strong32(); 568 randbytes[1] = cprng_strong32(); 569 randbytes[2] = cprng_strong32(); 570 randbytes[3] = cprng_strong32(); 571 572 len = sizeof(randbytes); 573 if ((error = copyout(randbytes, *stackp, len)) != 0) 574 return error; 575 *stackp += len; 576 577 len = (a - ai) * sizeof(AuxInfo); 578 KASSERT(len <= LINUX_ELF_AUX_ENTRIES * sizeof(AuxInfo)); 579 if ((error = copyout(ai, *stackp, len)) != 0) 580 return error; 581 *stackp += len; 582 583 return 0; 584 } 585 #endif /* !LINUX_MACHDEP_ELF_COPYARGS */ 586