1 /* $NetBSD: exec_elf.c,v 1.53 2013/12/21 17:44:33 skrll Exp $ */ 2 3 /*- 4 * Copyright (c) 1994, 2000, 2005 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Christos Zoulas. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 /* 33 * Copyright (c) 1996 Christopher G. Demetriou 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 3. The name of the author may not be used to endorse or promote products 45 * derived from this software without specific prior written permission 46 * 47 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 48 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 49 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 50 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 51 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 53 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 54 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 55 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 56 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 57 */ 58 59 #include <sys/cdefs.h> 60 __KERNEL_RCSID(1, "$NetBSD: exec_elf.c,v 1.53 2013/12/21 17:44:33 skrll Exp $"); 61 62 #ifdef _KERNEL_OPT 63 #include "opt_pax.h" 64 #endif /* _KERNEL_OPT */ 65 66 #include <sys/param.h> 67 #include <sys/proc.h> 68 #include <sys/kmem.h> 69 #include <sys/namei.h> 70 #include <sys/vnode.h> 71 #include <sys/exec.h> 72 #include <sys/exec_elf.h> 73 #include <sys/syscall.h> 74 #include <sys/signalvar.h> 75 #include <sys/mount.h> 76 #include <sys/stat.h> 77 #include <sys/kauth.h> 78 #include <sys/bitops.h> 79 #include <sys/cprng.h> 80 81 #include <sys/cpu.h> 82 #include <machine/reg.h> 83 84 #include <compat/common/compat_util.h> 85 86 #include <sys/pax.h> 87 #include <uvm/uvm_param.h> 88 89 extern struct emul emul_netbsd; 90 91 #define elf_check_header ELFNAME(check_header) 92 #define elf_copyargs ELFNAME(copyargs) 93 #define elf_load_file ELFNAME(load_file) 94 #define elf_load_psection ELFNAME(load_psection) 95 #define exec_elf_makecmds ELFNAME2(exec,makecmds) 96 #define netbsd_elf_signature ELFNAME2(netbsd,signature) 97 #define netbsd_elf_probe ELFNAME2(netbsd,probe) 98 #define coredump ELFNAMEEND(coredump) 99 #define elf_free_emul_arg ELFNAME(free_emul_arg) 100 101 int elf_load_file(struct lwp *, struct exec_package *, char *, 102 struct exec_vmcmd_set *, u_long *, struct elf_args *, Elf_Addr *); 103 void elf_load_psection(struct exec_vmcmd_set *, struct vnode *, 104 const Elf_Phdr *, Elf_Addr *, u_long *, int *, int); 105 106 int netbsd_elf_signature(struct lwp *, struct exec_package *, Elf_Ehdr *); 107 int netbsd_elf_probe(struct lwp *, struct exec_package *, void *, char *, 108 vaddr_t *); 109 110 static void elf_free_emul_arg(void *); 111 112 /* round up and down to page boundaries. */ 113 #define ELF_ROUND(a, b) (((a) + (b) - 1) & ~((b) - 1)) 114 #define ELF_TRUNC(a, b) ((a) & ~((b) - 1)) 115 116 /* 117 * Arbitrary limits to avoid DoS for excessive memory allocation. 118 */ 119 #define MAXPHNUM 128 120 #define MAXSHNUM 32768 121 #define MAXNOTESIZE 1024 122 123 static void 124 elf_placedynexec(struct lwp *l, struct exec_package *epp, Elf_Ehdr *eh, 125 Elf_Phdr *ph) 126 { 127 Elf_Addr align, offset; 128 int i; 129 130 for (align = i = 0; i < eh->e_phnum; i++) 131 if (ph[i].p_type == PT_LOAD && ph[i].p_align > align) 132 align = ph[i].p_align; 133 134 #ifdef PAX_ASLR 135 if (pax_aslr_active(l)) { 136 size_t pax_align, l2, delta; 137 uint32_t r; 138 139 pax_align = align; 140 141 r = cprng_fast32(); 142 143 if (pax_align == 0) 144 pax_align = PGSHIFT; 145 l2 = ilog2(pax_align); 146 delta = PAX_ASLR_DELTA(r, l2, PAX_ASLR_DELTA_EXEC_LEN); 147 offset = ELF_TRUNC(delta, pax_align) + PAGE_SIZE; 148 #ifdef PAX_ASLR_DEBUG 149 uprintf("r=0x%x l2=0x%zx PGSHIFT=0x%x Delta=0x%zx\n", r, l2, 150 PGSHIFT, delta); 151 uprintf("pax offset=0x%llx entry=0x%llx\n", 152 (unsigned long long)offset, 153 (unsigned long long)eh->e_entry); 154 #endif /* PAX_ASLR_DEBUG */ 155 } else 156 #endif /* PAX_ASLR */ 157 offset = MAX(align, PAGE_SIZE); 158 159 offset += epp->ep_vm_minaddr; 160 161 for (i = 0; i < eh->e_phnum; i++) 162 ph[i].p_vaddr += offset; 163 eh->e_entry += offset; 164 } 165 166 /* 167 * Copy arguments onto the stack in the normal way, but add some 168 * extra information in case of dynamic binding. 169 */ 170 int 171 elf_copyargs(struct lwp *l, struct exec_package *pack, 172 struct ps_strings *arginfo, char **stackp, void *argp) 173 { 174 size_t len, vlen; 175 AuxInfo ai[ELF_AUX_ENTRIES], *a, *execname; 176 struct elf_args *ap; 177 int error; 178 179 if ((error = copyargs(l, pack, arginfo, stackp, argp)) != 0) 180 return error; 181 182 a = ai; 183 execname = NULL; 184 185 /* 186 * Push extra arguments on the stack needed by dynamically 187 * linked binaries 188 */ 189 if ((ap = (struct elf_args *)pack->ep_emul_arg)) { 190 struct vattr *vap = pack->ep_vap; 191 192 a->a_type = AT_PHDR; 193 a->a_v = ap->arg_phaddr; 194 a++; 195 196 a->a_type = AT_PHENT; 197 a->a_v = ap->arg_phentsize; 198 a++; 199 200 a->a_type = AT_PHNUM; 201 a->a_v = ap->arg_phnum; 202 a++; 203 204 a->a_type = AT_PAGESZ; 205 a->a_v = PAGE_SIZE; 206 a++; 207 208 a->a_type = AT_BASE; 209 a->a_v = ap->arg_interp; 210 a++; 211 212 a->a_type = AT_FLAGS; 213 a->a_v = 0; 214 a++; 215 216 a->a_type = AT_ENTRY; 217 a->a_v = ap->arg_entry; 218 a++; 219 220 a->a_type = AT_EUID; 221 if (vap->va_mode & S_ISUID) 222 a->a_v = vap->va_uid; 223 else 224 a->a_v = kauth_cred_geteuid(l->l_cred); 225 a++; 226 227 a->a_type = AT_RUID; 228 a->a_v = kauth_cred_getuid(l->l_cred); 229 a++; 230 231 a->a_type = AT_EGID; 232 if (vap->va_mode & S_ISGID) 233 a->a_v = vap->va_gid; 234 else 235 a->a_v = kauth_cred_getegid(l->l_cred); 236 a++; 237 238 a->a_type = AT_RGID; 239 a->a_v = kauth_cred_getgid(l->l_cred); 240 a++; 241 242 a->a_type = AT_STACKBASE; 243 a->a_v = l->l_proc->p_stackbase; 244 a++; 245 246 if (pack->ep_path) { 247 execname = a; 248 a->a_type = AT_SUN_EXECNAME; 249 a++; 250 } 251 252 exec_free_emul_arg(pack); 253 } 254 255 a->a_type = AT_NULL; 256 a->a_v = 0; 257 a++; 258 259 vlen = (a - ai) * sizeof(ai[0]); 260 261 KASSERT(vlen <= sizeof(ai)); 262 263 if (execname) { 264 char *path = pack->ep_path; 265 execname->a_v = (uintptr_t)(*stackp + vlen); 266 len = strlen(path) + 1; 267 if ((error = copyout(path, (*stackp + vlen), len)) != 0) 268 return error; 269 len = ALIGN(len); 270 } else 271 len = 0; 272 273 if ((error = copyout(ai, *stackp, vlen)) != 0) 274 return error; 275 *stackp += vlen + len; 276 277 return 0; 278 } 279 280 /* 281 * elf_check_header(): 282 * 283 * Check header for validity; return 0 if ok, ENOEXEC if error 284 */ 285 int 286 elf_check_header(Elf_Ehdr *eh, int type) 287 { 288 289 if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 || 290 eh->e_ident[EI_CLASS] != ELFCLASS) 291 return ENOEXEC; 292 293 switch (eh->e_machine) { 294 295 ELFDEFNNAME(MACHDEP_ID_CASES) 296 297 default: 298 return ENOEXEC; 299 } 300 301 if (ELF_EHDR_FLAGS_OK(eh) == 0) 302 return ENOEXEC; 303 304 if (eh->e_type != type) 305 return ENOEXEC; 306 307 if (eh->e_shnum > MAXSHNUM || eh->e_phnum > MAXPHNUM) 308 return ENOEXEC; 309 310 return 0; 311 } 312 313 /* 314 * elf_load_psection(): 315 * 316 * Load a psection at the appropriate address 317 */ 318 void 319 elf_load_psection(struct exec_vmcmd_set *vcset, struct vnode *vp, 320 const Elf_Phdr *ph, Elf_Addr *addr, u_long *size, int *prot, int flags) 321 { 322 u_long msize, psize, rm, rf; 323 long diff, offset; 324 325 /* 326 * If the user specified an address, then we load there. 327 */ 328 if (*addr == ELFDEFNNAME(NO_ADDR)) 329 *addr = ph->p_vaddr; 330 331 if (ph->p_align > 1) { 332 /* 333 * Make sure we are virtually aligned as we are supposed to be. 334 */ 335 diff = ph->p_vaddr - ELF_TRUNC(ph->p_vaddr, ph->p_align); 336 KASSERT(*addr - diff == ELF_TRUNC(*addr, ph->p_align)); 337 /* 338 * But make sure to not map any pages before the start of the 339 * psection by limiting the difference to within a page. 340 */ 341 diff &= PAGE_MASK; 342 } else 343 diff = 0; 344 345 *prot |= (ph->p_flags & PF_R) ? VM_PROT_READ : 0; 346 *prot |= (ph->p_flags & PF_W) ? VM_PROT_WRITE : 0; 347 *prot |= (ph->p_flags & PF_X) ? VM_PROT_EXECUTE : 0; 348 349 /* 350 * Adjust everything so it all starts on a page boundary. 351 */ 352 *addr -= diff; 353 offset = ph->p_offset - diff; 354 *size = ph->p_filesz + diff; 355 msize = ph->p_memsz + diff; 356 357 if (ph->p_align >= PAGE_SIZE) { 358 if ((ph->p_flags & PF_W) != 0) { 359 /* 360 * Because the pagedvn pager can't handle zero fill 361 * of the last data page if it's not page aligned we 362 * map the last page readvn. 363 */ 364 psize = trunc_page(*size); 365 } else { 366 psize = round_page(*size); 367 } 368 } else { 369 psize = *size; 370 } 371 372 if (psize > 0) { 373 NEW_VMCMD2(vcset, ph->p_align < PAGE_SIZE ? 374 vmcmd_map_readvn : vmcmd_map_pagedvn, psize, *addr, vp, 375 offset, *prot, flags); 376 flags &= VMCMD_RELATIVE; 377 } 378 if (psize < *size) { 379 NEW_VMCMD2(vcset, vmcmd_map_readvn, *size - psize, 380 *addr + psize, vp, offset + psize, *prot, flags); 381 } 382 383 /* 384 * Check if we need to extend the size of the segment (does 385 * bss extend page the next page boundary)? 386 */ 387 rm = round_page(*addr + msize); 388 rf = round_page(*addr + *size); 389 390 if (rm != rf) { 391 NEW_VMCMD2(vcset, vmcmd_map_zero, rm - rf, rf, NULLVP, 392 0, *prot, flags & VMCMD_RELATIVE); 393 *size = msize; 394 } 395 } 396 397 /* 398 * elf_load_file(): 399 * 400 * Load a file (interpreter/library) pointed to by path 401 * [stolen from coff_load_shlib()]. Made slightly generic 402 * so it might be used externally. 403 */ 404 int 405 elf_load_file(struct lwp *l, struct exec_package *epp, char *path, 406 struct exec_vmcmd_set *vcset, u_long *entryoff, struct elf_args *ap, 407 Elf_Addr *last) 408 { 409 int error, i; 410 struct vnode *vp; 411 struct vattr attr; 412 Elf_Ehdr eh; 413 Elf_Phdr *ph = NULL; 414 const Elf_Phdr *ph0; 415 const Elf_Phdr *base_ph; 416 const Elf_Phdr *last_ph; 417 u_long phsize; 418 Elf_Addr addr = *last; 419 struct proc *p; 420 bool use_topdown; 421 422 p = l->l_proc; 423 424 KASSERT(p->p_vmspace); 425 if (__predict_true(p->p_vmspace != proc0.p_vmspace)) { 426 use_topdown = p->p_vmspace->vm_map.flags & VM_MAP_TOPDOWN; 427 } else { 428 #ifdef __USING_TOPDOWN_VM 429 use_topdown = epp->ep_flags & EXEC_TOPDOWN_VM; 430 #else 431 use_topdown = false; 432 #endif 433 } 434 435 /* 436 * 1. open file 437 * 2. read filehdr 438 * 3. map text, data, and bss out of it using VM_* 439 */ 440 vp = epp->ep_interp; 441 if (vp == NULL) { 442 error = emul_find_interp(l, epp, path); 443 if (error != 0) 444 return error; 445 vp = epp->ep_interp; 446 } 447 /* We'll tidy this ourselves - otherwise we have locking issues */ 448 epp->ep_interp = NULL; 449 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); 450 451 /* 452 * Similarly, if it's not marked as executable, or it's not a regular 453 * file, we don't allow it to be used. 454 */ 455 if (vp->v_type != VREG) { 456 error = EACCES; 457 goto badunlock; 458 } 459 if ((error = VOP_ACCESS(vp, VEXEC, l->l_cred)) != 0) 460 goto badunlock; 461 462 /* get attributes */ 463 if ((error = VOP_GETATTR(vp, &attr, l->l_cred)) != 0) 464 goto badunlock; 465 466 /* 467 * Check mount point. Though we're not trying to exec this binary, 468 * we will be executing code from it, so if the mount point 469 * disallows execution or set-id-ness, we punt or kill the set-id. 470 */ 471 if (vp->v_mount->mnt_flag & MNT_NOEXEC) { 472 error = EACCES; 473 goto badunlock; 474 } 475 if (vp->v_mount->mnt_flag & MNT_NOSUID) 476 epp->ep_vap->va_mode &= ~(S_ISUID | S_ISGID); 477 478 #ifdef notyet /* XXX cgd 960926 */ 479 XXX cgd 960926: (maybe) VOP_OPEN it (and VOP_CLOSE in copyargs?) 480 481 XXXps: this problem will make it impossible to use an interpreter 482 from a file system which actually does something in VOP_OPEN 483 #endif 484 485 error = vn_marktext(vp); 486 if (error) 487 goto badunlock; 488 489 VOP_UNLOCK(vp); 490 491 if ((error = exec_read_from(l, vp, 0, &eh, sizeof(eh))) != 0) 492 goto bad; 493 494 if ((error = elf_check_header(&eh, ET_DYN)) != 0) 495 goto bad; 496 497 if (eh.e_phnum == 0) { 498 error = ENOEXEC; 499 goto bad; 500 } 501 502 phsize = eh.e_phnum * sizeof(Elf_Phdr); 503 ph = kmem_alloc(phsize, KM_SLEEP); 504 505 if ((error = exec_read_from(l, vp, eh.e_phoff, ph, phsize)) != 0) 506 goto bad; 507 508 #ifdef ELF_INTERP_NON_RELOCATABLE 509 /* 510 * Evil hack: Only MIPS should be non-relocatable, and the 511 * psections should have a high address (typically 0x5ffe0000). 512 * If it's now relocatable, it should be linked at 0 and the 513 * psections should have zeros in the upper part of the address. 514 * Otherwise, force the load at the linked address. 515 */ 516 if (*last == ELF_LINK_ADDR && (ph->p_vaddr & 0xffff0000) == 0) 517 *last = ELFDEFNNAME(NO_ADDR); 518 #endif 519 520 /* 521 * If no position to load the interpreter was set by a probe 522 * function, pick the same address that a non-fixed mmap(0, ..) 523 * would (i.e. something safely out of the way). 524 */ 525 if (*last == ELFDEFNNAME(NO_ADDR)) { 526 u_long limit = 0; 527 /* 528 * Find the start and ending addresses of the psections to 529 * be loaded. This will give us the size. 530 */ 531 for (i = 0, ph0 = ph, base_ph = NULL; i < eh.e_phnum; 532 i++, ph0++) { 533 if (ph0->p_type == PT_LOAD) { 534 u_long psize = ph0->p_vaddr + ph0->p_memsz; 535 if (base_ph == NULL) 536 base_ph = ph0; 537 if (psize > limit) 538 limit = psize; 539 } 540 } 541 542 if (base_ph == NULL) { 543 error = ENOEXEC; 544 goto bad; 545 } 546 547 /* 548 * Now compute the size and load address. 549 */ 550 addr = (*epp->ep_esch->es_emul->e_vm_default_addr)(p, 551 epp->ep_daddr, 552 round_page(limit) - trunc_page(base_ph->p_vaddr)); 553 } else 554 addr = *last; /* may be ELF_LINK_ADDR */ 555 556 /* 557 * Load all the necessary sections 558 */ 559 for (i = 0, ph0 = ph, base_ph = NULL, last_ph = NULL; 560 i < eh.e_phnum; i++, ph0++) { 561 switch (ph0->p_type) { 562 case PT_LOAD: { 563 u_long size; 564 int prot = 0; 565 int flags; 566 567 if (base_ph == NULL) { 568 /* 569 * First encountered psection is always the 570 * base psection. Make sure it's aligned 571 * properly (align down for topdown and align 572 * upwards for not topdown). 573 */ 574 base_ph = ph0; 575 flags = VMCMD_BASE; 576 if (addr == ELF_LINK_ADDR) 577 addr = ph0->p_vaddr; 578 if (use_topdown) 579 addr = ELF_TRUNC(addr, ph0->p_align); 580 else 581 addr = ELF_ROUND(addr, ph0->p_align); 582 } else { 583 u_long limit = round_page(last_ph->p_vaddr 584 + last_ph->p_memsz); 585 u_long base = trunc_page(ph0->p_vaddr); 586 587 /* 588 * If there is a gap in between the psections, 589 * map it as inaccessible so nothing else 590 * mmap'ed will be placed there. 591 */ 592 if (limit != base) { 593 NEW_VMCMD2(vcset, vmcmd_map_zero, 594 base - limit, 595 limit - base_ph->p_vaddr, NULLVP, 596 0, VM_PROT_NONE, VMCMD_RELATIVE); 597 } 598 599 addr = ph0->p_vaddr - base_ph->p_vaddr; 600 flags = VMCMD_RELATIVE; 601 } 602 last_ph = ph0; 603 elf_load_psection(vcset, vp, &ph[i], &addr, 604 &size, &prot, flags); 605 /* 606 * If entry is within this psection then this 607 * must contain the .text section. *entryoff is 608 * relative to the base psection. 609 */ 610 if (eh.e_entry >= ph0->p_vaddr && 611 eh.e_entry < (ph0->p_vaddr + size)) { 612 *entryoff = eh.e_entry - base_ph->p_vaddr; 613 } 614 addr += size; 615 break; 616 } 617 618 case PT_DYNAMIC: 619 case PT_PHDR: 620 break; 621 622 case PT_NOTE: 623 break; 624 625 default: 626 break; 627 } 628 } 629 630 kmem_free(ph, phsize); 631 /* 632 * This value is ignored if TOPDOWN. 633 */ 634 *last = addr; 635 vrele(vp); 636 return 0; 637 638 badunlock: 639 VOP_UNLOCK(vp); 640 641 bad: 642 if (ph != NULL) 643 kmem_free(ph, phsize); 644 #ifdef notyet /* XXX cgd 960926 */ 645 (maybe) VOP_CLOSE it 646 #endif 647 vrele(vp); 648 return error; 649 } 650 651 /* 652 * exec_elf_makecmds(): Prepare an Elf binary's exec package 653 * 654 * First, set of the various offsets/lengths in the exec package. 655 * 656 * Then, mark the text image busy (so it can be demand paged) or error 657 * out if this is not possible. Finally, set up vmcmds for the 658 * text, data, bss, and stack segments. 659 */ 660 int 661 exec_elf_makecmds(struct lwp *l, struct exec_package *epp) 662 { 663 Elf_Ehdr *eh = epp->ep_hdr; 664 Elf_Phdr *ph, *pp; 665 Elf_Addr phdr = 0, computed_phdr = 0, pos = 0, end_text = 0; 666 int error, i, nload; 667 char *interp = NULL; 668 u_long phsize; 669 struct elf_args *ap = NULL; 670 bool is_dyn; 671 672 if (epp->ep_hdrvalid < sizeof(Elf_Ehdr)) 673 return ENOEXEC; 674 675 is_dyn = elf_check_header(eh, ET_DYN) == 0; 676 /* 677 * XXX allow for executing shared objects. It seems silly 678 * but other ELF-based systems allow it as well. 679 */ 680 if (!is_dyn && elf_check_header(eh, ET_EXEC) != 0) 681 return ENOEXEC; 682 683 if (eh->e_phnum == 0) 684 return ENOEXEC; 685 686 error = vn_marktext(epp->ep_vp); 687 if (error) 688 return error; 689 690 /* 691 * Allocate space to hold all the program headers, and read them 692 * from the file 693 */ 694 phsize = eh->e_phnum * sizeof(Elf_Phdr); 695 ph = kmem_alloc(phsize, KM_SLEEP); 696 697 if ((error = exec_read_from(l, epp->ep_vp, eh->e_phoff, ph, phsize)) != 698 0) 699 goto bad; 700 701 epp->ep_taddr = epp->ep_tsize = ELFDEFNNAME(NO_ADDR); 702 epp->ep_daddr = epp->ep_dsize = ELFDEFNNAME(NO_ADDR); 703 704 for (i = 0; i < eh->e_phnum; i++) { 705 pp = &ph[i]; 706 if (pp->p_type == PT_INTERP) { 707 if (pp->p_filesz < 2 || pp->p_filesz > MAXPATHLEN) { 708 error = ENOEXEC; 709 goto bad; 710 } 711 interp = PNBUF_GET(); 712 if ((error = exec_read_from(l, epp->ep_vp, 713 pp->p_offset, interp, pp->p_filesz)) != 0) 714 goto bad; 715 /* Ensure interp is NUL-terminated and of the expected length */ 716 if (strnlen(interp, pp->p_filesz) != pp->p_filesz - 1) { 717 error = ENOEXEC; 718 goto bad; 719 } 720 break; 721 } 722 } 723 724 /* 725 * On the same architecture, we may be emulating different systems. 726 * See which one will accept this executable. 727 * 728 * Probe functions would normally see if the interpreter (if any) 729 * exists. Emulation packages may possibly replace the interpreter in 730 * interp[] with a changed path (/emul/xxx/<path>). 731 */ 732 pos = ELFDEFNNAME(NO_ADDR); 733 if (epp->ep_esch->u.elf_probe_func) { 734 vaddr_t startp = (vaddr_t)pos; 735 736 error = (*epp->ep_esch->u.elf_probe_func)(l, epp, eh, interp, 737 &startp); 738 if (error) 739 goto bad; 740 pos = (Elf_Addr)startp; 741 } 742 743 #if defined(PAX_MPROTECT) || defined(PAX_SEGVGUARD) || defined(PAX_ASLR) 744 l->l_proc->p_pax = epp->ep_pax_flags; 745 #endif /* PAX_MPROTECT || PAX_SEGVGUARD || PAX_ASLR */ 746 747 if (is_dyn) 748 elf_placedynexec(l, epp, eh, ph); 749 750 /* 751 * Load all the necessary sections 752 */ 753 for (i = nload = 0; i < eh->e_phnum; i++) { 754 Elf_Addr addr = ELFDEFNNAME(NO_ADDR); 755 u_long size = 0; 756 int prot = 0; 757 758 pp = &ph[i]; 759 760 switch (ph[i].p_type) { 761 case PT_LOAD: 762 elf_load_psection(&epp->ep_vmcmds, epp->ep_vp, 763 &ph[i], &addr, &size, &prot, VMCMD_FIXED); 764 765 /* 766 * Consider this as text segment, if it is executable. 767 * If there is more than one text segment, pick the 768 * largest. 769 */ 770 if (ph[i].p_flags & PF_X) { 771 if (epp->ep_taddr == ELFDEFNNAME(NO_ADDR) || 772 size > epp->ep_tsize) { 773 epp->ep_taddr = addr; 774 epp->ep_tsize = size; 775 } 776 end_text = addr + size; 777 } else { 778 epp->ep_daddr = addr; 779 epp->ep_dsize = size; 780 } 781 if (ph[i].p_offset == 0) { 782 computed_phdr = ph[i].p_vaddr + eh->e_phoff; 783 } 784 break; 785 786 case PT_SHLIB: 787 /* SCO has these sections. */ 788 case PT_INTERP: 789 /* Already did this one. */ 790 case PT_DYNAMIC: 791 break; 792 case PT_NOTE: 793 break; 794 case PT_PHDR: 795 /* Note address of program headers (in text segment) */ 796 phdr = pp->p_vaddr; 797 break; 798 799 default: 800 /* 801 * Not fatal; we don't need to understand everything. 802 */ 803 break; 804 } 805 } 806 if (interp || (epp->ep_flags & EXEC_FORCEAUX) != 0) { 807 ap = kmem_alloc(sizeof(*ap), KM_SLEEP); 808 ap->arg_interp = (vaddr_t)NULL; 809 } 810 811 if (epp->ep_daddr == ELFDEFNNAME(NO_ADDR)) { 812 epp->ep_daddr = round_page(end_text); 813 epp->ep_dsize = 0; 814 } 815 816 /* 817 * Check if we found a dynamically linked binary and arrange to load 818 * its interpreter 819 */ 820 if (interp) { 821 int j = epp->ep_vmcmds.evs_used; 822 u_long interp_offset; 823 824 if ((error = elf_load_file(l, epp, interp, 825 &epp->ep_vmcmds, &interp_offset, ap, &pos)) != 0) { 826 goto bad; 827 } 828 ap->arg_interp = epp->ep_vmcmds.evs_cmds[j].ev_addr; 829 epp->ep_entry = ap->arg_interp + interp_offset; 830 PNBUF_PUT(interp); 831 } else 832 epp->ep_entry = eh->e_entry; 833 834 if (ap) { 835 ap->arg_phaddr = phdr ? phdr : computed_phdr; 836 ap->arg_phentsize = eh->e_phentsize; 837 ap->arg_phnum = eh->e_phnum; 838 ap->arg_entry = eh->e_entry; 839 epp->ep_emul_arg = ap; 840 epp->ep_emul_arg_free = elf_free_emul_arg; 841 } 842 843 #ifdef ELF_MAP_PAGE_ZERO 844 /* Dell SVR4 maps page zero, yeuch! */ 845 NEW_VMCMD(&epp->ep_vmcmds, vmcmd_map_readvn, PAGE_SIZE, 0, 846 epp->ep_vp, 0, VM_PROT_READ); 847 #endif 848 kmem_free(ph, phsize); 849 return (*epp->ep_esch->es_setup_stack)(l, epp); 850 851 bad: 852 if (interp) 853 PNBUF_PUT(interp); 854 exec_free_emul_arg(epp); 855 kmem_free(ph, phsize); 856 kill_vmcmds(&epp->ep_vmcmds); 857 return error; 858 } 859 860 int 861 netbsd_elf_signature(struct lwp *l, struct exec_package *epp, 862 Elf_Ehdr *eh) 863 { 864 size_t i; 865 Elf_Shdr *sh; 866 Elf_Nhdr *np; 867 size_t shsize; 868 int error; 869 int isnetbsd = 0; 870 char *ndata; 871 872 epp->ep_pax_flags = 0; 873 if (eh->e_shnum > MAXSHNUM || eh->e_shnum == 0) 874 return ENOEXEC; 875 876 shsize = eh->e_shnum * sizeof(Elf_Shdr); 877 sh = kmem_alloc(shsize, KM_SLEEP); 878 error = exec_read_from(l, epp->ep_vp, eh->e_shoff, sh, shsize); 879 if (error) 880 goto out; 881 882 np = kmem_alloc(MAXNOTESIZE, KM_SLEEP); 883 for (i = 0; i < eh->e_shnum; i++) { 884 Elf_Shdr *shp = &sh[i]; 885 886 if (shp->sh_type != SHT_NOTE || 887 shp->sh_size > MAXNOTESIZE || 888 shp->sh_size < sizeof(Elf_Nhdr) + ELF_NOTE_NETBSD_NAMESZ) 889 continue; 890 891 error = exec_read_from(l, epp->ep_vp, shp->sh_offset, np, 892 shp->sh_size); 893 if (error) 894 continue; 895 896 ndata = (char *)(np + 1); 897 unsigned int maxlen = (unsigned int)(shp->sh_size - 898 ((char *)ndata - (char *)np)); 899 if (maxlen < np->n_namesz) 900 goto bad; 901 switch (np->n_type) { 902 case ELF_NOTE_TYPE_NETBSD_TAG: 903 /* 904 * It is us 905 */ 906 if (np->n_namesz == ELF_NOTE_NETBSD_NAMESZ && 907 np->n_descsz == ELF_NOTE_NETBSD_DESCSZ && 908 memcmp(ndata, ELF_NOTE_NETBSD_NAME, 909 ELF_NOTE_NETBSD_NAMESZ) == 0) { 910 memcpy(&epp->ep_osversion, 911 ndata + ELF_NOTE_NETBSD_NAMESZ + 1, 912 ELF_NOTE_NETBSD_DESCSZ); 913 isnetbsd = 1; 914 break; 915 } 916 /* 917 * Ignore SuSE tags 918 */ 919 if (np->n_namesz == ELF_NOTE_SUSE_NAMESZ && 920 memcmp(ndata, ELF_NOTE_SUSE_NAME, 921 ELF_NOTE_SUSE_NAMESZ) == 0) 922 break; 923 /* 924 * Dunno, warn for diagnostic 925 */ 926 goto bad; 927 928 case ELF_NOTE_TYPE_PAX_TAG: 929 if (np->n_namesz != ELF_NOTE_PAX_NAMESZ || 930 np->n_descsz != ELF_NOTE_PAX_DESCSZ || 931 memcmp(ndata, ELF_NOTE_PAX_NAME, 932 ELF_NOTE_PAX_NAMESZ)) { 933 bad: 934 #ifdef DIAGNOSTIC 935 { 936 /* 937 * Ignore GNU tags 938 */ 939 if (np->n_namesz == ELF_NOTE_GNU_NAMESZ && 940 memcmp(ndata, ELF_NOTE_GNU_NAME, 941 ELF_NOTE_GNU_NAMESZ) == 0) 942 break; 943 int ns = MIN(np->n_namesz, maxlen); 944 printf("%s: Unknown elf note type %d: " 945 "[namesz=%d, descsz=%d name=%*.*s]\n", 946 epp->ep_kname, np->n_type, np->n_namesz, 947 np->n_descsz, ns, ns, ndata); 948 } 949 #endif 950 continue; 951 } 952 (void)memcpy(&epp->ep_pax_flags, 953 ndata + ELF_NOTE_PAX_NAMESZ, 954 sizeof(epp->ep_pax_flags)); 955 break; 956 957 case ELF_NOTE_TYPE_MARCH_TAG: 958 /* 959 * Copy the machine arch into the package. 960 */ 961 if (np->n_namesz == ELF_NOTE_MARCH_NAMESZ 962 && memcmp(ndata, ELF_NOTE_MARCH_NAME, 963 ELF_NOTE_MARCH_NAMESZ) == 0) { 964 strlcpy(epp->ep_machine_arch, 965 ndata + roundup(ELF_NOTE_MARCH_NAMESZ, 4), 966 sizeof(epp->ep_machine_arch)); 967 break; 968 } 969 case ELF_NOTE_TYPE_MCMODEL_TAG: 970 /* 971 * arch specific check for code model 972 */ 973 #ifdef ELF_MD_MCMODEL_CHECK 974 if (np->n_namesz == ELF_NOTE_MCMODEL_NAMESZ 975 && memcmp(ndata, ELF_NOTE_MCMODEL_NAME, 976 ELF_NOTE_MCMODEL_NAMESZ) == 0) { 977 ELF_MD_MCMODEL_CHECK(epp, 978 ndata + roundup(ELF_NOTE_MCMODEL_NAMESZ, 4), 979 np->n_descsz); 980 break; 981 } 982 #endif 983 break; 984 985 case ELF_NOTE_TYPE_SUSE_VERSION_TAG: 986 break; 987 988 default: 989 #ifdef DIAGNOSTIC 990 printf("%s: unknown note type %d\n", epp->ep_kname, 991 np->n_type); 992 #endif 993 break; 994 } 995 } 996 kmem_free(np, MAXNOTESIZE); 997 998 error = isnetbsd ? 0 : ENOEXEC; 999 out: 1000 kmem_free(sh, shsize); 1001 return error; 1002 } 1003 1004 int 1005 netbsd_elf_probe(struct lwp *l, struct exec_package *epp, void *eh, char *itp, 1006 vaddr_t *pos) 1007 { 1008 int error; 1009 1010 if ((error = netbsd_elf_signature(l, epp, eh)) != 0) 1011 return error; 1012 #ifdef ELF_MD_PROBE_FUNC 1013 if ((error = ELF_MD_PROBE_FUNC(l, epp, eh, itp, pos)) != 0) 1014 return error; 1015 #elif defined(ELF_INTERP_NON_RELOCATABLE) 1016 *pos = ELF_LINK_ADDR; 1017 #endif 1018 epp->ep_flags |= EXEC_FORCEAUX; 1019 return 0; 1020 } 1021 1022 void 1023 elf_free_emul_arg(void *arg) 1024 { 1025 struct elf_args *ap = arg; 1026 KASSERT(ap != NULL); 1027 kmem_free(ap, sizeof(*ap)); 1028 } 1029