1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #include <linux/slab.h> |
3 | #include <linux/file.h> |
4 | #include <linux/fdtable.h> |
5 | #include <linux/freezer.h> |
6 | #include <linux/mm.h> |
7 | #include <linux/stat.h> |
8 | #include <linux/fcntl.h> |
9 | #include <linux/swap.h> |
10 | #include <linux/ctype.h> |
11 | #include <linux/string.h> |
12 | #include <linux/init.h> |
13 | #include <linux/pagemap.h> |
14 | #include <linux/perf_event.h> |
15 | #include <linux/highmem.h> |
16 | #include <linux/spinlock.h> |
17 | #include <linux/key.h> |
18 | #include <linux/personality.h> |
19 | #include <linux/binfmts.h> |
20 | #include <linux/coredump.h> |
21 | #include <linux/sched/coredump.h> |
22 | #include <linux/sched/signal.h> |
23 | #include <linux/sched/task_stack.h> |
24 | #include <linux/utsname.h> |
25 | #include <linux/pid_namespace.h> |
26 | #include <linux/module.h> |
27 | #include <linux/namei.h> |
28 | #include <linux/mount.h> |
29 | #include <linux/security.h> |
30 | #include <linux/syscalls.h> |
31 | #include <linux/tsacct_kern.h> |
32 | #include <linux/cn_proc.h> |
33 | #include <linux/audit.h> |
34 | #include <linux/kmod.h> |
35 | #include <linux/fsnotify.h> |
36 | #include <linux/fs_struct.h> |
37 | #include <linux/pipe_fs_i.h> |
38 | #include <linux/oom.h> |
39 | #include <linux/compat.h> |
40 | #include <linux/fs.h> |
41 | #include <linux/path.h> |
42 | #include <linux/timekeeping.h> |
43 | #include <linux/sysctl.h> |
44 | #include <linux/elf.h> |
45 | |
46 | #include <linux/uaccess.h> |
47 | #include <asm/mmu_context.h> |
48 | #include <asm/tlb.h> |
49 | #include <asm/exec.h> |
50 | |
51 | #include <trace/events/task.h> |
52 | #include "internal.h" |
53 | |
54 | #include <trace/events/sched.h> |
55 | |
56 | static bool dump_vma_snapshot(struct coredump_params *cprm); |
57 | static void free_vma_snapshot(struct coredump_params *cprm); |
58 | |
59 | static int core_uses_pid; |
60 | static unsigned int core_pipe_limit; |
61 | static char core_pattern[CORENAME_MAX_SIZE] = "core" ; |
62 | static int core_name_size = CORENAME_MAX_SIZE; |
63 | |
64 | struct core_name { |
65 | char *corename; |
66 | int used, size; |
67 | }; |
68 | |
69 | static int expand_corename(struct core_name *cn, int size) |
70 | { |
71 | char *corename; |
72 | |
73 | size = kmalloc_size_roundup(size); |
74 | corename = krealloc(objp: cn->corename, new_size: size, GFP_KERNEL); |
75 | |
76 | if (!corename) |
77 | return -ENOMEM; |
78 | |
79 | if (size > core_name_size) /* racy but harmless */ |
80 | core_name_size = size; |
81 | |
82 | cn->size = size; |
83 | cn->corename = corename; |
84 | return 0; |
85 | } |
86 | |
87 | static __printf(2, 0) int cn_vprintf(struct core_name *cn, const char *fmt, |
88 | va_list arg) |
89 | { |
90 | int free, need; |
91 | va_list arg_copy; |
92 | |
93 | again: |
94 | free = cn->size - cn->used; |
95 | |
96 | va_copy(arg_copy, arg); |
97 | need = vsnprintf(buf: cn->corename + cn->used, size: free, fmt, args: arg_copy); |
98 | va_end(arg_copy); |
99 | |
100 | if (need < free) { |
101 | cn->used += need; |
102 | return 0; |
103 | } |
104 | |
105 | if (!expand_corename(cn, size: cn->size + need - free + 1)) |
106 | goto again; |
107 | |
108 | return -ENOMEM; |
109 | } |
110 | |
111 | static __printf(2, 3) int cn_printf(struct core_name *cn, const char *fmt, ...) |
112 | { |
113 | va_list arg; |
114 | int ret; |
115 | |
116 | va_start(arg, fmt); |
117 | ret = cn_vprintf(cn, fmt, arg); |
118 | va_end(arg); |
119 | |
120 | return ret; |
121 | } |
122 | |
123 | static __printf(2, 3) |
124 | int cn_esc_printf(struct core_name *cn, const char *fmt, ...) |
125 | { |
126 | int cur = cn->used; |
127 | va_list arg; |
128 | int ret; |
129 | |
130 | va_start(arg, fmt); |
131 | ret = cn_vprintf(cn, fmt, arg); |
132 | va_end(arg); |
133 | |
134 | if (ret == 0) { |
135 | /* |
136 | * Ensure that this coredump name component can't cause the |
137 | * resulting corefile path to consist of a ".." or ".". |
138 | */ |
139 | if ((cn->used - cur == 1 && cn->corename[cur] == '.') || |
140 | (cn->used - cur == 2 && cn->corename[cur] == '.' |
141 | && cn->corename[cur+1] == '.')) |
142 | cn->corename[cur] = '!'; |
143 | |
144 | /* |
145 | * Empty names are fishy and could be used to create a "//" in a |
146 | * corefile name, causing the coredump to happen one directory |
147 | * level too high. Enforce that all components of the core |
148 | * pattern are at least one character long. |
149 | */ |
150 | if (cn->used == cur) |
151 | ret = cn_printf(cn, fmt: "!" ); |
152 | } |
153 | |
154 | for (; cur < cn->used; ++cur) { |
155 | if (cn->corename[cur] == '/') |
156 | cn->corename[cur] = '!'; |
157 | } |
158 | return ret; |
159 | } |
160 | |
161 | static int cn_print_exe_file(struct core_name *cn, bool name_only) |
162 | { |
163 | struct file *exe_file; |
164 | char *pathbuf, *path, *ptr; |
165 | int ret; |
166 | |
167 | exe_file = get_mm_exe_file(current->mm); |
168 | if (!exe_file) |
169 | return cn_esc_printf(cn, fmt: "%s (path unknown)" , current->comm); |
170 | |
171 | pathbuf = kmalloc(PATH_MAX, GFP_KERNEL); |
172 | if (!pathbuf) { |
173 | ret = -ENOMEM; |
174 | goto put_exe_file; |
175 | } |
176 | |
177 | path = file_path(exe_file, pathbuf, PATH_MAX); |
178 | if (IS_ERR(ptr: path)) { |
179 | ret = PTR_ERR(ptr: path); |
180 | goto free_buf; |
181 | } |
182 | |
183 | if (name_only) { |
184 | ptr = strrchr(path, '/'); |
185 | if (ptr) |
186 | path = ptr + 1; |
187 | } |
188 | ret = cn_esc_printf(cn, fmt: "%s" , path); |
189 | |
190 | free_buf: |
191 | kfree(objp: pathbuf); |
192 | put_exe_file: |
193 | fput(exe_file); |
194 | return ret; |
195 | } |
196 | |
197 | /* format_corename will inspect the pattern parameter, and output a |
198 | * name into corename, which must have space for at least |
199 | * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator. |
200 | */ |
201 | static int format_corename(struct core_name *cn, struct coredump_params *cprm, |
202 | size_t **argv, int *argc) |
203 | { |
204 | const struct cred *cred = current_cred(); |
205 | const char *pat_ptr = core_pattern; |
206 | int ispipe = (*pat_ptr == '|'); |
207 | bool was_space = false; |
208 | int pid_in_pattern = 0; |
209 | int err = 0; |
210 | |
211 | cn->used = 0; |
212 | cn->corename = NULL; |
213 | if (expand_corename(cn, size: core_name_size)) |
214 | return -ENOMEM; |
215 | cn->corename[0] = '\0'; |
216 | |
217 | if (ispipe) { |
218 | int argvs = sizeof(core_pattern) / 2; |
219 | (*argv) = kmalloc_array(n: argvs, size: sizeof(**argv), GFP_KERNEL); |
220 | if (!(*argv)) |
221 | return -ENOMEM; |
222 | (*argv)[(*argc)++] = 0; |
223 | ++pat_ptr; |
224 | if (!(*pat_ptr)) |
225 | return -ENOMEM; |
226 | } |
227 | |
228 | /* Repeat as long as we have more pattern to process and more output |
229 | space */ |
230 | while (*pat_ptr) { |
231 | /* |
232 | * Split on spaces before doing template expansion so that |
233 | * %e and %E don't get split if they have spaces in them |
234 | */ |
235 | if (ispipe) { |
236 | if (isspace(*pat_ptr)) { |
237 | if (cn->used != 0) |
238 | was_space = true; |
239 | pat_ptr++; |
240 | continue; |
241 | } else if (was_space) { |
242 | was_space = false; |
243 | err = cn_printf(cn, fmt: "%c" , '\0'); |
244 | if (err) |
245 | return err; |
246 | (*argv)[(*argc)++] = cn->used; |
247 | } |
248 | } |
249 | if (*pat_ptr != '%') { |
250 | err = cn_printf(cn, fmt: "%c" , *pat_ptr++); |
251 | } else { |
252 | switch (*++pat_ptr) { |
253 | /* single % at the end, drop that */ |
254 | case 0: |
255 | goto out; |
256 | /* Double percent, output one percent */ |
257 | case '%': |
258 | err = cn_printf(cn, fmt: "%c" , '%'); |
259 | break; |
260 | /* pid */ |
261 | case 'p': |
262 | pid_in_pattern = 1; |
263 | err = cn_printf(cn, fmt: "%d" , |
264 | task_tgid_vnr(current)); |
265 | break; |
266 | /* global pid */ |
267 | case 'P': |
268 | err = cn_printf(cn, fmt: "%d" , |
269 | task_tgid_nr(current)); |
270 | break; |
271 | case 'i': |
272 | err = cn_printf(cn, fmt: "%d" , |
273 | task_pid_vnr(current)); |
274 | break; |
275 | case 'I': |
276 | err = cn_printf(cn, fmt: "%d" , |
277 | task_pid_nr(current)); |
278 | break; |
279 | /* uid */ |
280 | case 'u': |
281 | err = cn_printf(cn, fmt: "%u" , |
282 | from_kuid(to: &init_user_ns, |
283 | uid: cred->uid)); |
284 | break; |
285 | /* gid */ |
286 | case 'g': |
287 | err = cn_printf(cn, fmt: "%u" , |
288 | from_kgid(to: &init_user_ns, |
289 | gid: cred->gid)); |
290 | break; |
291 | case 'd': |
292 | err = cn_printf(cn, fmt: "%d" , |
293 | __get_dumpable(mm_flags: cprm->mm_flags)); |
294 | break; |
295 | /* signal that caused the coredump */ |
296 | case 's': |
297 | err = cn_printf(cn, fmt: "%d" , |
298 | cprm->siginfo->si_signo); |
299 | break; |
300 | /* UNIX time of coredump */ |
301 | case 't': { |
302 | time64_t time; |
303 | |
304 | time = ktime_get_real_seconds(); |
305 | err = cn_printf(cn, fmt: "%lld" , time); |
306 | break; |
307 | } |
308 | /* hostname */ |
309 | case 'h': |
310 | down_read(sem: &uts_sem); |
311 | err = cn_esc_printf(cn, fmt: "%s" , |
312 | utsname()->nodename); |
313 | up_read(sem: &uts_sem); |
314 | break; |
315 | /* executable, could be changed by prctl PR_SET_NAME etc */ |
316 | case 'e': |
317 | err = cn_esc_printf(cn, fmt: "%s" , current->comm); |
318 | break; |
319 | /* file name of executable */ |
320 | case 'f': |
321 | err = cn_print_exe_file(cn, name_only: true); |
322 | break; |
323 | case 'E': |
324 | err = cn_print_exe_file(cn, name_only: false); |
325 | break; |
326 | /* core limit size */ |
327 | case 'c': |
328 | err = cn_printf(cn, fmt: "%lu" , |
329 | rlimit(RLIMIT_CORE)); |
330 | break; |
331 | /* CPU the task ran on */ |
332 | case 'C': |
333 | err = cn_printf(cn, fmt: "%d" , cprm->cpu); |
334 | break; |
335 | default: |
336 | break; |
337 | } |
338 | ++pat_ptr; |
339 | } |
340 | |
341 | if (err) |
342 | return err; |
343 | } |
344 | |
345 | out: |
346 | /* Backward compatibility with core_uses_pid: |
347 | * |
348 | * If core_pattern does not include a %p (as is the default) |
349 | * and core_uses_pid is set, then .%pid will be appended to |
350 | * the filename. Do not do this for piped commands. */ |
351 | if (!ispipe && !pid_in_pattern && core_uses_pid) { |
352 | err = cn_printf(cn, fmt: ".%d" , task_tgid_vnr(current)); |
353 | if (err) |
354 | return err; |
355 | } |
356 | return ispipe; |
357 | } |
358 | |
359 | static int zap_process(struct task_struct *start, int exit_code) |
360 | { |
361 | struct task_struct *t; |
362 | int nr = 0; |
363 | |
364 | /* Allow SIGKILL, see prepare_signal() */ |
365 | start->signal->flags = SIGNAL_GROUP_EXIT; |
366 | start->signal->group_exit_code = exit_code; |
367 | start->signal->group_stop_count = 0; |
368 | |
369 | for_each_thread(start, t) { |
370 | task_clear_jobctl_pending(task: t, JOBCTL_PENDING_MASK); |
371 | if (t != current && !(t->flags & PF_POSTCOREDUMP)) { |
372 | sigaddset(set: &t->pending.signal, SIGKILL); |
373 | signal_wake_up(t, fatal: 1); |
374 | /* The vhost_worker does not particpate in coredumps */ |
375 | if ((t->flags & (PF_USER_WORKER | PF_IO_WORKER)) != PF_USER_WORKER) |
376 | nr++; |
377 | } |
378 | } |
379 | |
380 | return nr; |
381 | } |
382 | |
383 | static int zap_threads(struct task_struct *tsk, |
384 | struct core_state *core_state, int exit_code) |
385 | { |
386 | struct signal_struct *signal = tsk->signal; |
387 | int nr = -EAGAIN; |
388 | |
389 | spin_lock_irq(lock: &tsk->sighand->siglock); |
390 | if (!(signal->flags & SIGNAL_GROUP_EXIT) && !signal->group_exec_task) { |
391 | signal->core_state = core_state; |
392 | nr = zap_process(start: tsk, exit_code); |
393 | clear_tsk_thread_flag(tsk, TIF_SIGPENDING); |
394 | tsk->flags |= PF_DUMPCORE; |
395 | atomic_set(v: &core_state->nr_threads, i: nr); |
396 | } |
397 | spin_unlock_irq(lock: &tsk->sighand->siglock); |
398 | return nr; |
399 | } |
400 | |
401 | static int coredump_wait(int exit_code, struct core_state *core_state) |
402 | { |
403 | struct task_struct *tsk = current; |
404 | int core_waiters = -EBUSY; |
405 | |
406 | init_completion(x: &core_state->startup); |
407 | core_state->dumper.task = tsk; |
408 | core_state->dumper.next = NULL; |
409 | |
410 | core_waiters = zap_threads(tsk, core_state, exit_code); |
411 | if (core_waiters > 0) { |
412 | struct core_thread *ptr; |
413 | |
414 | wait_for_completion_state(x: &core_state->startup, |
415 | TASK_UNINTERRUPTIBLE|TASK_FREEZABLE); |
416 | /* |
417 | * Wait for all the threads to become inactive, so that |
418 | * all the thread context (extended register state, like |
419 | * fpu etc) gets copied to the memory. |
420 | */ |
421 | ptr = core_state->dumper.next; |
422 | while (ptr != NULL) { |
423 | wait_task_inactive(ptr->task, TASK_ANY); |
424 | ptr = ptr->next; |
425 | } |
426 | } |
427 | |
428 | return core_waiters; |
429 | } |
430 | |
431 | static void coredump_finish(bool core_dumped) |
432 | { |
433 | struct core_thread *curr, *next; |
434 | struct task_struct *task; |
435 | |
436 | spin_lock_irq(lock: ¤t->sighand->siglock); |
437 | if (core_dumped && !__fatal_signal_pending(current)) |
438 | current->signal->group_exit_code |= 0x80; |
439 | next = current->signal->core_state->dumper.next; |
440 | current->signal->core_state = NULL; |
441 | spin_unlock_irq(lock: ¤t->sighand->siglock); |
442 | |
443 | while ((curr = next) != NULL) { |
444 | next = curr->next; |
445 | task = curr->task; |
446 | /* |
447 | * see coredump_task_exit(), curr->task must not see |
448 | * ->task == NULL before we read ->next. |
449 | */ |
450 | smp_mb(); |
451 | curr->task = NULL; |
452 | wake_up_process(tsk: task); |
453 | } |
454 | } |
455 | |
456 | static bool dump_interrupted(void) |
457 | { |
458 | /* |
459 | * SIGKILL or freezing() interrupt the coredumping. Perhaps we |
460 | * can do try_to_freeze() and check __fatal_signal_pending(), |
461 | * but then we need to teach dump_write() to restart and clear |
462 | * TIF_SIGPENDING. |
463 | */ |
464 | return fatal_signal_pending(current) || freezing(current); |
465 | } |
466 | |
467 | static void wait_for_dump_helpers(struct file *file) |
468 | { |
469 | struct pipe_inode_info *pipe = file->private_data; |
470 | |
471 | pipe_lock(pipe); |
472 | pipe->readers++; |
473 | pipe->writers--; |
474 | wake_up_interruptible_sync(&pipe->rd_wait); |
475 | kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); |
476 | pipe_unlock(pipe); |
477 | |
478 | /* |
479 | * We actually want wait_event_freezable() but then we need |
480 | * to clear TIF_SIGPENDING and improve dump_interrupted(). |
481 | */ |
482 | wait_event_interruptible(pipe->rd_wait, pipe->readers == 1); |
483 | |
484 | pipe_lock(pipe); |
485 | pipe->readers--; |
486 | pipe->writers++; |
487 | pipe_unlock(pipe); |
488 | } |
489 | |
490 | /* |
491 | * umh_pipe_setup |
492 | * helper function to customize the process used |
493 | * to collect the core in userspace. Specifically |
494 | * it sets up a pipe and installs it as fd 0 (stdin) |
495 | * for the process. Returns 0 on success, or |
496 | * PTR_ERR on failure. |
497 | * Note that it also sets the core limit to 1. This |
498 | * is a special value that we use to trap recursive |
499 | * core dumps |
500 | */ |
501 | static int umh_pipe_setup(struct subprocess_info *info, struct cred *new) |
502 | { |
503 | struct file *files[2]; |
504 | struct coredump_params *cp = (struct coredump_params *)info->data; |
505 | int err = create_pipe_files(files, 0); |
506 | if (err) |
507 | return err; |
508 | |
509 | cp->file = files[1]; |
510 | |
511 | err = replace_fd(fd: 0, file: files[0], flags: 0); |
512 | fput(files[0]); |
513 | /* and disallow core files too */ |
514 | current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1}; |
515 | |
516 | return err; |
517 | } |
518 | |
519 | void do_coredump(const kernel_siginfo_t *siginfo) |
520 | { |
521 | struct core_state core_state; |
522 | struct core_name cn; |
523 | struct mm_struct *mm = current->mm; |
524 | struct linux_binfmt * binfmt; |
525 | const struct cred *old_cred; |
526 | struct cred *cred; |
527 | int retval = 0; |
528 | int ispipe; |
529 | size_t *argv = NULL; |
530 | int argc = 0; |
531 | /* require nonrelative corefile path and be extra careful */ |
532 | bool need_suid_safe = false; |
533 | bool core_dumped = false; |
534 | static atomic_t core_dump_count = ATOMIC_INIT(0); |
535 | struct coredump_params cprm = { |
536 | .siginfo = siginfo, |
537 | .limit = rlimit(RLIMIT_CORE), |
538 | /* |
539 | * We must use the same mm->flags while dumping core to avoid |
540 | * inconsistency of bit flags, since this flag is not protected |
541 | * by any locks. |
542 | */ |
543 | .mm_flags = mm->flags, |
544 | .vma_meta = NULL, |
545 | .cpu = raw_smp_processor_id(), |
546 | }; |
547 | |
548 | audit_core_dumps(signr: siginfo->si_signo); |
549 | |
550 | binfmt = mm->binfmt; |
551 | if (!binfmt || !binfmt->core_dump) |
552 | goto fail; |
553 | if (!__get_dumpable(mm_flags: cprm.mm_flags)) |
554 | goto fail; |
555 | |
556 | cred = prepare_creds(); |
557 | if (!cred) |
558 | goto fail; |
559 | /* |
560 | * We cannot trust fsuid as being the "true" uid of the process |
561 | * nor do we know its entire history. We only know it was tainted |
562 | * so we dump it as root in mode 2, and only into a controlled |
563 | * environment (pipe handler or fully qualified path). |
564 | */ |
565 | if (__get_dumpable(mm_flags: cprm.mm_flags) == SUID_DUMP_ROOT) { |
566 | /* Setuid core dump mode */ |
567 | cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */ |
568 | need_suid_safe = true; |
569 | } |
570 | |
571 | retval = coredump_wait(siginfo->si_signo, &core_state); |
572 | if (retval < 0) |
573 | goto fail_creds; |
574 | |
575 | old_cred = override_creds(cred); |
576 | |
577 | ispipe = format_corename(&cn, &cprm, &argv, &argc); |
578 | |
579 | if (ispipe) { |
580 | int argi; |
581 | int dump_count; |
582 | char **helper_argv; |
583 | struct subprocess_info *sub_info; |
584 | |
585 | if (ispipe < 0) { |
586 | printk(KERN_WARNING "format_corename failed\n" ); |
587 | printk(KERN_WARNING "Aborting core\n" ); |
588 | goto fail_unlock; |
589 | } |
590 | |
591 | if (cprm.limit == 1) { |
592 | /* See umh_pipe_setup() which sets RLIMIT_CORE = 1. |
593 | * |
594 | * Normally core limits are irrelevant to pipes, since |
595 | * we're not writing to the file system, but we use |
596 | * cprm.limit of 1 here as a special value, this is a |
597 | * consistent way to catch recursive crashes. |
598 | * We can still crash if the core_pattern binary sets |
599 | * RLIM_CORE = !1, but it runs as root, and can do |
600 | * lots of stupid things. |
601 | * |
602 | * Note that we use task_tgid_vnr here to grab the pid |
603 | * of the process group leader. That way we get the |
604 | * right pid if a thread in a multi-threaded |
605 | * core_pattern process dies. |
606 | */ |
607 | printk(KERN_WARNING |
608 | "Process %d(%s) has RLIMIT_CORE set to 1\n" , |
609 | task_tgid_vnr(current), current->comm); |
610 | printk(KERN_WARNING "Aborting core\n" ); |
611 | goto fail_unlock; |
612 | } |
613 | cprm.limit = RLIM_INFINITY; |
614 | |
615 | dump_count = atomic_inc_return(&core_dump_count); |
616 | if (core_pipe_limit && (core_pipe_limit < dump_count)) { |
617 | printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n" , |
618 | task_tgid_vnr(current), current->comm); |
619 | printk(KERN_WARNING "Skipping core dump\n" ); |
620 | goto fail_dropcount; |
621 | } |
622 | |
623 | helper_argv = kmalloc_array(argc + 1, sizeof(*helper_argv), |
624 | GFP_KERNEL); |
625 | if (!helper_argv) { |
626 | printk(KERN_WARNING "%s failed to allocate memory\n" , |
627 | __func__); |
628 | goto fail_dropcount; |
629 | } |
630 | for (argi = 0; argi < argc; argi++) |
631 | helper_argv[argi] = cn.corename + argv[argi]; |
632 | helper_argv[argi] = NULL; |
633 | |
634 | retval = -ENOMEM; |
635 | sub_info = call_usermodehelper_setup(helper_argv[0], |
636 | helper_argv, NULL, GFP_KERNEL, |
637 | umh_pipe_setup, NULL, &cprm); |
638 | if (sub_info) |
639 | retval = call_usermodehelper_exec(sub_info, |
640 | UMH_WAIT_EXEC); |
641 | |
642 | kfree(helper_argv); |
643 | if (retval) { |
644 | printk(KERN_INFO "Core dump to |%s pipe failed\n" , |
645 | cn.corename); |
646 | goto close_fail; |
647 | } |
648 | } else { |
649 | struct mnt_idmap *idmap; |
650 | struct inode *inode; |
651 | int open_flags = O_CREAT | O_WRONLY | O_NOFOLLOW | |
652 | O_LARGEFILE | O_EXCL; |
653 | |
654 | if (cprm.limit < binfmt->min_coredump) |
655 | goto fail_unlock; |
656 | |
657 | if (need_suid_safe && cn.corename[0] != '/') { |
658 | printk(KERN_WARNING "Pid %d(%s) can only dump core " \ |
659 | "to fully qualified path!\n" , |
660 | task_tgid_vnr(current), current->comm); |
661 | printk(KERN_WARNING "Skipping core dump\n" ); |
662 | goto fail_unlock; |
663 | } |
664 | |
665 | /* |
666 | * Unlink the file if it exists unless this is a SUID |
667 | * binary - in that case, we're running around with root |
668 | * privs and don't want to unlink another user's coredump. |
669 | */ |
670 | if (!need_suid_safe) { |
671 | /* |
672 | * If it doesn't exist, that's fine. If there's some |
673 | * other problem, we'll catch it at the filp_open(). |
674 | */ |
675 | do_unlinkat(AT_FDCWD, getname_kernel(cn.corename)); |
676 | } |
677 | |
678 | /* |
679 | * There is a race between unlinking and creating the |
680 | * file, but if that causes an EEXIST here, that's |
681 | * fine - another process raced with us while creating |
682 | * the corefile, and the other process won. To userspace, |
683 | * what matters is that at least one of the two processes |
684 | * writes its coredump successfully, not which one. |
685 | */ |
686 | if (need_suid_safe) { |
687 | /* |
688 | * Using user namespaces, normal user tasks can change |
689 | * their current->fs->root to point to arbitrary |
690 | * directories. Since the intention of the "only dump |
691 | * with a fully qualified path" rule is to control where |
692 | * coredumps may be placed using root privileges, |
693 | * current->fs->root must not be used. Instead, use the |
694 | * root directory of init_task. |
695 | */ |
696 | struct path root; |
697 | |
698 | task_lock(&init_task); |
699 | get_fs_root(init_task.fs, &root); |
700 | task_unlock(&init_task); |
701 | cprm.file = file_open_root(&root, cn.corename, |
702 | open_flags, 0600); |
703 | path_put(&root); |
704 | } else { |
705 | cprm.file = filp_open(cn.corename, open_flags, 0600); |
706 | } |
707 | if (IS_ERR(cprm.file)) |
708 | goto fail_unlock; |
709 | |
710 | inode = file_inode(cprm.file); |
711 | if (inode->i_nlink > 1) |
712 | goto close_fail; |
713 | if (d_unhashed(cprm.file->f_path.dentry)) |
714 | goto close_fail; |
715 | /* |
716 | * AK: actually i see no reason to not allow this for named |
717 | * pipes etc, but keep the previous behaviour for now. |
718 | */ |
719 | if (!S_ISREG(inode->i_mode)) |
720 | goto close_fail; |
721 | /* |
722 | * Don't dump core if the filesystem changed owner or mode |
723 | * of the file during file creation. This is an issue when |
724 | * a process dumps core while its cwd is e.g. on a vfat |
725 | * filesystem. |
726 | */ |
727 | idmap = file_mnt_idmap(cprm.file); |
728 | if (!vfsuid_eq_kuid(i_uid_into_vfsuid(idmap, inode), |
729 | current_fsuid())) { |
730 | pr_info_ratelimited("Core dump to %s aborted: cannot preserve file owner\n" , |
731 | cn.corename); |
732 | goto close_fail; |
733 | } |
734 | if ((inode->i_mode & 0677) != 0600) { |
735 | pr_info_ratelimited("Core dump to %s aborted: cannot preserve file permissions\n" , |
736 | cn.corename); |
737 | goto close_fail; |
738 | } |
739 | if (!(cprm.file->f_mode & FMODE_CAN_WRITE)) |
740 | goto close_fail; |
741 | if (do_truncate(idmap, cprm.file->f_path.dentry, |
742 | 0, 0, cprm.file)) |
743 | goto close_fail; |
744 | } |
745 | |
746 | /* get us an unshared descriptor table; almost always a no-op */ |
747 | /* The cell spufs coredump code reads the file descriptor tables */ |
748 | retval = unshare_files(); |
749 | if (retval) |
750 | goto close_fail; |
751 | if (!dump_interrupted()) { |
752 | /* |
753 | * umh disabled with CONFIG_STATIC_USERMODEHELPER_PATH="" would |
754 | * have this set to NULL. |
755 | */ |
756 | if (!cprm.file) { |
757 | pr_info("Core dump to |%s disabled\n" , cn.corename); |
758 | goto close_fail; |
759 | } |
760 | if (!dump_vma_snapshot(&cprm)) |
761 | goto close_fail; |
762 | |
763 | file_start_write(cprm.file); |
764 | core_dumped = binfmt->core_dump(&cprm); |
765 | /* |
766 | * Ensures that file size is big enough to contain the current |
767 | * file postion. This prevents gdb from complaining about |
768 | * a truncated file if the last "write" to the file was |
769 | * dump_skip. |
770 | */ |
771 | if (cprm.to_skip) { |
772 | cprm.to_skip--; |
773 | dump_emit(&cprm, "" , 1); |
774 | } |
775 | file_end_write(cprm.file); |
776 | free_vma_snapshot(&cprm); |
777 | } |
778 | if (ispipe && core_pipe_limit) |
779 | wait_for_dump_helpers(cprm.file); |
780 | close_fail: |
781 | if (cprm.file) |
782 | filp_close(cprm.file, NULL); |
783 | fail_dropcount: |
784 | if (ispipe) |
785 | atomic_dec(&core_dump_count); |
786 | fail_unlock: |
787 | kfree(argv); |
788 | kfree(cn.corename); |
789 | coredump_finish(core_dumped); |
790 | revert_creds(old_cred); |
791 | fail_creds: |
792 | put_cred(cred); |
793 | fail: |
794 | return; |
795 | } |
796 | |
797 | /* |
798 | * Core dumping helper functions. These are the only things you should |
799 | * do on a core-file: use only these functions to write out all the |
800 | * necessary info. |
801 | */ |
802 | static int __dump_emit(struct coredump_params *cprm, const void *addr, int nr) |
803 | { |
804 | struct file *file = cprm->file; |
805 | loff_t pos = file->f_pos; |
806 | ssize_t n; |
807 | if (cprm->written + nr > cprm->limit) |
808 | return 0; |
809 | |
810 | |
811 | if (dump_interrupted()) |
812 | return 0; |
813 | n = __kernel_write(file, addr, nr, &pos); |
814 | if (n != nr) |
815 | return 0; |
816 | file->f_pos = pos; |
817 | cprm->written += n; |
818 | cprm->pos += n; |
819 | |
820 | return 1; |
821 | } |
822 | |
823 | static int __dump_skip(struct coredump_params *cprm, size_t nr) |
824 | { |
825 | static char zeroes[PAGE_SIZE]; |
826 | struct file *file = cprm->file; |
827 | if (file->f_mode & FMODE_LSEEK) { |
828 | if (dump_interrupted() || |
829 | vfs_llseek(file, offset: nr, SEEK_CUR) < 0) |
830 | return 0; |
831 | cprm->pos += nr; |
832 | return 1; |
833 | } else { |
834 | while (nr > PAGE_SIZE) { |
835 | if (!__dump_emit(cprm, addr: zeroes, PAGE_SIZE)) |
836 | return 0; |
837 | nr -= PAGE_SIZE; |
838 | } |
839 | return __dump_emit(cprm, addr: zeroes, nr); |
840 | } |
841 | } |
842 | |
843 | int dump_emit(struct coredump_params *cprm, const void *addr, int nr) |
844 | { |
845 | if (cprm->to_skip) { |
846 | if (!__dump_skip(cprm, nr: cprm->to_skip)) |
847 | return 0; |
848 | cprm->to_skip = 0; |
849 | } |
850 | return __dump_emit(cprm, addr, nr); |
851 | } |
852 | EXPORT_SYMBOL(dump_emit); |
853 | |
854 | void dump_skip_to(struct coredump_params *cprm, unsigned long pos) |
855 | { |
856 | cprm->to_skip = pos - cprm->pos; |
857 | } |
858 | EXPORT_SYMBOL(dump_skip_to); |
859 | |
860 | void dump_skip(struct coredump_params *cprm, size_t nr) |
861 | { |
862 | cprm->to_skip += nr; |
863 | } |
864 | EXPORT_SYMBOL(dump_skip); |
865 | |
866 | #ifdef CONFIG_ELF_CORE |
867 | static int dump_emit_page(struct coredump_params *cprm, struct page *page) |
868 | { |
869 | struct bio_vec bvec; |
870 | struct iov_iter iter; |
871 | struct file *file = cprm->file; |
872 | loff_t pos; |
873 | ssize_t n; |
874 | |
875 | if (cprm->to_skip) { |
876 | if (!__dump_skip(cprm, nr: cprm->to_skip)) |
877 | return 0; |
878 | cprm->to_skip = 0; |
879 | } |
880 | if (cprm->written + PAGE_SIZE > cprm->limit) |
881 | return 0; |
882 | if (dump_interrupted()) |
883 | return 0; |
884 | pos = file->f_pos; |
885 | bvec_set_page(bv: &bvec, page, PAGE_SIZE, offset: 0); |
886 | iov_iter_bvec(i: &iter, ITER_SOURCE, bvec: &bvec, nr_segs: 1, PAGE_SIZE); |
887 | iov_iter_set_copy_mc(i: &iter); |
888 | n = __kernel_write_iter(file: cprm->file, from: &iter, pos: &pos); |
889 | if (n != PAGE_SIZE) |
890 | return 0; |
891 | file->f_pos = pos; |
892 | cprm->written += PAGE_SIZE; |
893 | cprm->pos += PAGE_SIZE; |
894 | |
895 | return 1; |
896 | } |
897 | |
898 | int dump_user_range(struct coredump_params *cprm, unsigned long start, |
899 | unsigned long len) |
900 | { |
901 | unsigned long addr; |
902 | |
903 | for (addr = start; addr < start + len; addr += PAGE_SIZE) { |
904 | struct page *page; |
905 | |
906 | /* |
907 | * To avoid having to allocate page tables for virtual address |
908 | * ranges that have never been used yet, and also to make it |
909 | * easy to generate sparse core files, use a helper that returns |
910 | * NULL when encountering an empty page table entry that would |
911 | * otherwise have been filled with the zero page. |
912 | */ |
913 | page = get_dump_page(addr); |
914 | if (page) { |
915 | int stop = !dump_emit_page(cprm, page); |
916 | put_page(page); |
917 | if (stop) |
918 | return 0; |
919 | } else { |
920 | dump_skip(cprm, PAGE_SIZE); |
921 | } |
922 | } |
923 | return 1; |
924 | } |
925 | #endif |
926 | |
927 | int dump_align(struct coredump_params *cprm, int align) |
928 | { |
929 | unsigned mod = (cprm->pos + cprm->to_skip) & (align - 1); |
930 | if (align & (align - 1)) |
931 | return 0; |
932 | if (mod) |
933 | cprm->to_skip += align - mod; |
934 | return 1; |
935 | } |
936 | EXPORT_SYMBOL(dump_align); |
937 | |
938 | #ifdef CONFIG_SYSCTL |
939 | |
940 | void validate_coredump_safety(void) |
941 | { |
942 | if (suid_dumpable == SUID_DUMP_ROOT && |
943 | core_pattern[0] != '/' && core_pattern[0] != '|') { |
944 | pr_warn( |
945 | "Unsafe core_pattern used with fs.suid_dumpable=2.\n" |
946 | "Pipe handler or fully qualified core dump path required.\n" |
947 | "Set kernel.core_pattern before fs.suid_dumpable.\n" |
948 | ); |
949 | } |
950 | } |
951 | |
952 | static int proc_dostring_coredump(struct ctl_table *table, int write, |
953 | void *buffer, size_t *lenp, loff_t *ppos) |
954 | { |
955 | int error = proc_dostring(table, write, buffer, lenp, ppos); |
956 | |
957 | if (!error) |
958 | validate_coredump_safety(); |
959 | return error; |
960 | } |
961 | |
962 | static struct ctl_table coredump_sysctls[] = { |
963 | { |
964 | .procname = "core_uses_pid" , |
965 | .data = &core_uses_pid, |
966 | .maxlen = sizeof(int), |
967 | .mode = 0644, |
968 | .proc_handler = proc_dointvec, |
969 | }, |
970 | { |
971 | .procname = "core_pattern" , |
972 | .data = core_pattern, |
973 | .maxlen = CORENAME_MAX_SIZE, |
974 | .mode = 0644, |
975 | .proc_handler = proc_dostring_coredump, |
976 | }, |
977 | { |
978 | .procname = "core_pipe_limit" , |
979 | .data = &core_pipe_limit, |
980 | .maxlen = sizeof(unsigned int), |
981 | .mode = 0644, |
982 | .proc_handler = proc_dointvec, |
983 | }, |
984 | { } |
985 | }; |
986 | |
987 | static int __init init_fs_coredump_sysctls(void) |
988 | { |
989 | register_sysctl_init("kernel" , coredump_sysctls); |
990 | return 0; |
991 | } |
992 | fs_initcall(init_fs_coredump_sysctls); |
993 | #endif /* CONFIG_SYSCTL */ |
994 | |
995 | /* |
996 | * The purpose of always_dump_vma() is to make sure that special kernel mappings |
997 | * that are useful for post-mortem analysis are included in every core dump. |
998 | * In that way we ensure that the core dump is fully interpretable later |
999 | * without matching up the same kernel and hardware config to see what PC values |
1000 | * meant. These special mappings include - vDSO, vsyscall, and other |
1001 | * architecture specific mappings |
1002 | */ |
1003 | static bool always_dump_vma(struct vm_area_struct *vma) |
1004 | { |
1005 | /* Any vsyscall mappings? */ |
1006 | if (vma == get_gate_vma(mm: vma->vm_mm)) |
1007 | return true; |
1008 | |
1009 | /* |
1010 | * Assume that all vmas with a .name op should always be dumped. |
1011 | * If this changes, a new vm_ops field can easily be added. |
1012 | */ |
1013 | if (vma->vm_ops && vma->vm_ops->name && vma->vm_ops->name(vma)) |
1014 | return true; |
1015 | |
1016 | /* |
1017 | * arch_vma_name() returns non-NULL for special architecture mappings, |
1018 | * such as vDSO sections. |
1019 | */ |
1020 | if (arch_vma_name(vma)) |
1021 | return true; |
1022 | |
1023 | return false; |
1024 | } |
1025 | |
1026 | #define DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER 1 |
1027 | |
1028 | /* |
1029 | * Decide how much of @vma's contents should be included in a core dump. |
1030 | */ |
1031 | static unsigned long vma_dump_size(struct vm_area_struct *vma, |
1032 | unsigned long mm_flags) |
1033 | { |
1034 | #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) |
1035 | |
1036 | /* always dump the vdso and vsyscall sections */ |
1037 | if (always_dump_vma(vma)) |
1038 | goto whole; |
1039 | |
1040 | if (vma->vm_flags & VM_DONTDUMP) |
1041 | return 0; |
1042 | |
1043 | /* support for DAX */ |
1044 | if (vma_is_dax(vma)) { |
1045 | if ((vma->vm_flags & VM_SHARED) && FILTER(DAX_SHARED)) |
1046 | goto whole; |
1047 | if (!(vma->vm_flags & VM_SHARED) && FILTER(DAX_PRIVATE)) |
1048 | goto whole; |
1049 | return 0; |
1050 | } |
1051 | |
1052 | /* Hugetlb memory check */ |
1053 | if (is_vm_hugetlb_page(vma)) { |
1054 | if ((vma->vm_flags & VM_SHARED) && FILTER(HUGETLB_SHARED)) |
1055 | goto whole; |
1056 | if (!(vma->vm_flags & VM_SHARED) && FILTER(HUGETLB_PRIVATE)) |
1057 | goto whole; |
1058 | return 0; |
1059 | } |
1060 | |
1061 | /* Do not dump I/O mapped devices or special mappings */ |
1062 | if (vma->vm_flags & VM_IO) |
1063 | return 0; |
1064 | |
1065 | /* By default, dump shared memory if mapped from an anonymous file. */ |
1066 | if (vma->vm_flags & VM_SHARED) { |
1067 | if (file_inode(f: vma->vm_file)->i_nlink == 0 ? |
1068 | FILTER(ANON_SHARED) : FILTER(MAPPED_SHARED)) |
1069 | goto whole; |
1070 | return 0; |
1071 | } |
1072 | |
1073 | /* Dump segments that have been written to. */ |
1074 | if ((!IS_ENABLED(CONFIG_MMU) || vma->anon_vma) && FILTER(ANON_PRIVATE)) |
1075 | goto whole; |
1076 | if (vma->vm_file == NULL) |
1077 | return 0; |
1078 | |
1079 | if (FILTER(MAPPED_PRIVATE)) |
1080 | goto whole; |
1081 | |
1082 | /* |
1083 | * If this is the beginning of an executable file mapping, |
1084 | * dump the first page to aid in determining what was mapped here. |
1085 | */ |
1086 | if (FILTER(ELF_HEADERS) && |
1087 | vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) { |
1088 | if ((READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0) |
1089 | return PAGE_SIZE; |
1090 | |
1091 | /* |
1092 | * ELF libraries aren't always executable. |
1093 | * We'll want to check whether the mapping starts with the ELF |
1094 | * magic, but not now - we're holding the mmap lock, |
1095 | * so copy_from_user() doesn't work here. |
1096 | * Use a placeholder instead, and fix it up later in |
1097 | * dump_vma_snapshot(). |
1098 | */ |
1099 | return DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER; |
1100 | } |
1101 | |
1102 | #undef FILTER |
1103 | |
1104 | return 0; |
1105 | |
1106 | whole: |
1107 | return vma->vm_end - vma->vm_start; |
1108 | } |
1109 | |
1110 | /* |
1111 | * Helper function for iterating across a vma list. It ensures that the caller |
1112 | * will visit `gate_vma' prior to terminating the search. |
1113 | */ |
1114 | static struct vm_area_struct *coredump_next_vma(struct vma_iterator *vmi, |
1115 | struct vm_area_struct *vma, |
1116 | struct vm_area_struct *gate_vma) |
1117 | { |
1118 | if (gate_vma && (vma == gate_vma)) |
1119 | return NULL; |
1120 | |
1121 | vma = vma_next(vmi); |
1122 | if (vma) |
1123 | return vma; |
1124 | return gate_vma; |
1125 | } |
1126 | |
1127 | static void free_vma_snapshot(struct coredump_params *cprm) |
1128 | { |
1129 | if (cprm->vma_meta) { |
1130 | int i; |
1131 | for (i = 0; i < cprm->vma_count; i++) { |
1132 | struct file *file = cprm->vma_meta[i].file; |
1133 | if (file) |
1134 | fput(file); |
1135 | } |
1136 | kvfree(addr: cprm->vma_meta); |
1137 | cprm->vma_meta = NULL; |
1138 | } |
1139 | } |
1140 | |
1141 | /* |
1142 | * Under the mmap_lock, take a snapshot of relevant information about the task's |
1143 | * VMAs. |
1144 | */ |
1145 | static bool dump_vma_snapshot(struct coredump_params *cprm) |
1146 | { |
1147 | struct vm_area_struct *gate_vma, *vma = NULL; |
1148 | struct mm_struct *mm = current->mm; |
1149 | VMA_ITERATOR(vmi, mm, 0); |
1150 | int i = 0; |
1151 | |
1152 | /* |
1153 | * Once the stack expansion code is fixed to not change VMA bounds |
1154 | * under mmap_lock in read mode, this can be changed to take the |
1155 | * mmap_lock in read mode. |
1156 | */ |
1157 | if (mmap_write_lock_killable(mm)) |
1158 | return false; |
1159 | |
1160 | cprm->vma_data_size = 0; |
1161 | gate_vma = get_gate_vma(mm); |
1162 | cprm->vma_count = mm->map_count + (gate_vma ? 1 : 0); |
1163 | |
1164 | cprm->vma_meta = kvmalloc_array(n: cprm->vma_count, size: sizeof(*cprm->vma_meta), GFP_KERNEL); |
1165 | if (!cprm->vma_meta) { |
1166 | mmap_write_unlock(mm); |
1167 | return false; |
1168 | } |
1169 | |
1170 | while ((vma = coredump_next_vma(vmi: &vmi, vma, gate_vma)) != NULL) { |
1171 | struct core_vma_metadata *m = cprm->vma_meta + i; |
1172 | |
1173 | m->start = vma->vm_start; |
1174 | m->end = vma->vm_end; |
1175 | m->flags = vma->vm_flags; |
1176 | m->dump_size = vma_dump_size(vma, mm_flags: cprm->mm_flags); |
1177 | m->pgoff = vma->vm_pgoff; |
1178 | m->file = vma->vm_file; |
1179 | if (m->file) |
1180 | get_file(f: m->file); |
1181 | i++; |
1182 | } |
1183 | |
1184 | mmap_write_unlock(mm); |
1185 | |
1186 | for (i = 0; i < cprm->vma_count; i++) { |
1187 | struct core_vma_metadata *m = cprm->vma_meta + i; |
1188 | |
1189 | if (m->dump_size == DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER) { |
1190 | char elfmag[SELFMAG]; |
1191 | |
1192 | if (copy_from_user(to: elfmag, from: (void __user *)m->start, SELFMAG) || |
1193 | memcmp(p: elfmag, ELFMAG, SELFMAG) != 0) { |
1194 | m->dump_size = 0; |
1195 | } else { |
1196 | m->dump_size = PAGE_SIZE; |
1197 | } |
1198 | } |
1199 | |
1200 | cprm->vma_data_size += m->dump_size; |
1201 | } |
1202 | |
1203 | return true; |
1204 | } |
1205 | |