1// SPDX-License-Identifier: GPL-2.0
2#include <linux/slab.h>
3#include <linux/file.h>
4#include <linux/fdtable.h>
5#include <linux/freezer.h>
6#include <linux/mm.h>
7#include <linux/stat.h>
8#include <linux/fcntl.h>
9#include <linux/swap.h>
10#include <linux/ctype.h>
11#include <linux/string.h>
12#include <linux/init.h>
13#include <linux/pagemap.h>
14#include <linux/perf_event.h>
15#include <linux/highmem.h>
16#include <linux/spinlock.h>
17#include <linux/key.h>
18#include <linux/personality.h>
19#include <linux/binfmts.h>
20#include <linux/coredump.h>
21#include <linux/sched/coredump.h>
22#include <linux/sched/signal.h>
23#include <linux/sched/task_stack.h>
24#include <linux/utsname.h>
25#include <linux/pid_namespace.h>
26#include <linux/module.h>
27#include <linux/namei.h>
28#include <linux/mount.h>
29#include <linux/security.h>
30#include <linux/syscalls.h>
31#include <linux/tsacct_kern.h>
32#include <linux/cn_proc.h>
33#include <linux/audit.h>
34#include <linux/kmod.h>
35#include <linux/fsnotify.h>
36#include <linux/fs_struct.h>
37#include <linux/pipe_fs_i.h>
38#include <linux/oom.h>
39#include <linux/compat.h>
40#include <linux/fs.h>
41#include <linux/path.h>
42#include <linux/timekeeping.h>
43#include <linux/sysctl.h>
44#include <linux/elf.h>
45
46#include <linux/uaccess.h>
47#include <asm/mmu_context.h>
48#include <asm/tlb.h>
49#include <asm/exec.h>
50
51#include <trace/events/task.h>
52#include "internal.h"
53
54#include <trace/events/sched.h>
55
56static bool dump_vma_snapshot(struct coredump_params *cprm);
57static void free_vma_snapshot(struct coredump_params *cprm);
58
59static int core_uses_pid;
60static unsigned int core_pipe_limit;
61static char core_pattern[CORENAME_MAX_SIZE] = "core";
62static int core_name_size = CORENAME_MAX_SIZE;
63
64struct core_name {
65 char *corename;
66 int used, size;
67};
68
69static int expand_corename(struct core_name *cn, int size)
70{
71 char *corename;
72
73 size = kmalloc_size_roundup(size);
74 corename = krealloc(objp: cn->corename, new_size: size, GFP_KERNEL);
75
76 if (!corename)
77 return -ENOMEM;
78
79 if (size > core_name_size) /* racy but harmless */
80 core_name_size = size;
81
82 cn->size = size;
83 cn->corename = corename;
84 return 0;
85}
86
87static __printf(2, 0) int cn_vprintf(struct core_name *cn, const char *fmt,
88 va_list arg)
89{
90 int free, need;
91 va_list arg_copy;
92
93again:
94 free = cn->size - cn->used;
95
96 va_copy(arg_copy, arg);
97 need = vsnprintf(buf: cn->corename + cn->used, size: free, fmt, args: arg_copy);
98 va_end(arg_copy);
99
100 if (need < free) {
101 cn->used += need;
102 return 0;
103 }
104
105 if (!expand_corename(cn, size: cn->size + need - free + 1))
106 goto again;
107
108 return -ENOMEM;
109}
110
111static __printf(2, 3) int cn_printf(struct core_name *cn, const char *fmt, ...)
112{
113 va_list arg;
114 int ret;
115
116 va_start(arg, fmt);
117 ret = cn_vprintf(cn, fmt, arg);
118 va_end(arg);
119
120 return ret;
121}
122
123static __printf(2, 3)
124int cn_esc_printf(struct core_name *cn, const char *fmt, ...)
125{
126 int cur = cn->used;
127 va_list arg;
128 int ret;
129
130 va_start(arg, fmt);
131 ret = cn_vprintf(cn, fmt, arg);
132 va_end(arg);
133
134 if (ret == 0) {
135 /*
136 * Ensure that this coredump name component can't cause the
137 * resulting corefile path to consist of a ".." or ".".
138 */
139 if ((cn->used - cur == 1 && cn->corename[cur] == '.') ||
140 (cn->used - cur == 2 && cn->corename[cur] == '.'
141 && cn->corename[cur+1] == '.'))
142 cn->corename[cur] = '!';
143
144 /*
145 * Empty names are fishy and could be used to create a "//" in a
146 * corefile name, causing the coredump to happen one directory
147 * level too high. Enforce that all components of the core
148 * pattern are at least one character long.
149 */
150 if (cn->used == cur)
151 ret = cn_printf(cn, fmt: "!");
152 }
153
154 for (; cur < cn->used; ++cur) {
155 if (cn->corename[cur] == '/')
156 cn->corename[cur] = '!';
157 }
158 return ret;
159}
160
161static int cn_print_exe_file(struct core_name *cn, bool name_only)
162{
163 struct file *exe_file;
164 char *pathbuf, *path, *ptr;
165 int ret;
166
167 exe_file = get_mm_exe_file(current->mm);
168 if (!exe_file)
169 return cn_esc_printf(cn, fmt: "%s (path unknown)", current->comm);
170
171 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
172 if (!pathbuf) {
173 ret = -ENOMEM;
174 goto put_exe_file;
175 }
176
177 path = file_path(exe_file, pathbuf, PATH_MAX);
178 if (IS_ERR(ptr: path)) {
179 ret = PTR_ERR(ptr: path);
180 goto free_buf;
181 }
182
183 if (name_only) {
184 ptr = strrchr(path, '/');
185 if (ptr)
186 path = ptr + 1;
187 }
188 ret = cn_esc_printf(cn, fmt: "%s", path);
189
190free_buf:
191 kfree(objp: pathbuf);
192put_exe_file:
193 fput(exe_file);
194 return ret;
195}
196
197/* format_corename will inspect the pattern parameter, and output a
198 * name into corename, which must have space for at least
199 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
200 */
201static int format_corename(struct core_name *cn, struct coredump_params *cprm,
202 size_t **argv, int *argc)
203{
204 const struct cred *cred = current_cred();
205 const char *pat_ptr = core_pattern;
206 int ispipe = (*pat_ptr == '|');
207 bool was_space = false;
208 int pid_in_pattern = 0;
209 int err = 0;
210
211 cn->used = 0;
212 cn->corename = NULL;
213 if (expand_corename(cn, size: core_name_size))
214 return -ENOMEM;
215 cn->corename[0] = '\0';
216
217 if (ispipe) {
218 int argvs = sizeof(core_pattern) / 2;
219 (*argv) = kmalloc_array(n: argvs, size: sizeof(**argv), GFP_KERNEL);
220 if (!(*argv))
221 return -ENOMEM;
222 (*argv)[(*argc)++] = 0;
223 ++pat_ptr;
224 if (!(*pat_ptr))
225 return -ENOMEM;
226 }
227
228 /* Repeat as long as we have more pattern to process and more output
229 space */
230 while (*pat_ptr) {
231 /*
232 * Split on spaces before doing template expansion so that
233 * %e and %E don't get split if they have spaces in them
234 */
235 if (ispipe) {
236 if (isspace(*pat_ptr)) {
237 if (cn->used != 0)
238 was_space = true;
239 pat_ptr++;
240 continue;
241 } else if (was_space) {
242 was_space = false;
243 err = cn_printf(cn, fmt: "%c", '\0');
244 if (err)
245 return err;
246 (*argv)[(*argc)++] = cn->used;
247 }
248 }
249 if (*pat_ptr != '%') {
250 err = cn_printf(cn, fmt: "%c", *pat_ptr++);
251 } else {
252 switch (*++pat_ptr) {
253 /* single % at the end, drop that */
254 case 0:
255 goto out;
256 /* Double percent, output one percent */
257 case '%':
258 err = cn_printf(cn, fmt: "%c", '%');
259 break;
260 /* pid */
261 case 'p':
262 pid_in_pattern = 1;
263 err = cn_printf(cn, fmt: "%d",
264 task_tgid_vnr(current));
265 break;
266 /* global pid */
267 case 'P':
268 err = cn_printf(cn, fmt: "%d",
269 task_tgid_nr(current));
270 break;
271 case 'i':
272 err = cn_printf(cn, fmt: "%d",
273 task_pid_vnr(current));
274 break;
275 case 'I':
276 err = cn_printf(cn, fmt: "%d",
277 task_pid_nr(current));
278 break;
279 /* uid */
280 case 'u':
281 err = cn_printf(cn, fmt: "%u",
282 from_kuid(to: &init_user_ns,
283 uid: cred->uid));
284 break;
285 /* gid */
286 case 'g':
287 err = cn_printf(cn, fmt: "%u",
288 from_kgid(to: &init_user_ns,
289 gid: cred->gid));
290 break;
291 case 'd':
292 err = cn_printf(cn, fmt: "%d",
293 __get_dumpable(mm_flags: cprm->mm_flags));
294 break;
295 /* signal that caused the coredump */
296 case 's':
297 err = cn_printf(cn, fmt: "%d",
298 cprm->siginfo->si_signo);
299 break;
300 /* UNIX time of coredump */
301 case 't': {
302 time64_t time;
303
304 time = ktime_get_real_seconds();
305 err = cn_printf(cn, fmt: "%lld", time);
306 break;
307 }
308 /* hostname */
309 case 'h':
310 down_read(sem: &uts_sem);
311 err = cn_esc_printf(cn, fmt: "%s",
312 utsname()->nodename);
313 up_read(sem: &uts_sem);
314 break;
315 /* executable, could be changed by prctl PR_SET_NAME etc */
316 case 'e':
317 err = cn_esc_printf(cn, fmt: "%s", current->comm);
318 break;
319 /* file name of executable */
320 case 'f':
321 err = cn_print_exe_file(cn, name_only: true);
322 break;
323 case 'E':
324 err = cn_print_exe_file(cn, name_only: false);
325 break;
326 /* core limit size */
327 case 'c':
328 err = cn_printf(cn, fmt: "%lu",
329 rlimit(RLIMIT_CORE));
330 break;
331 /* CPU the task ran on */
332 case 'C':
333 err = cn_printf(cn, fmt: "%d", cprm->cpu);
334 break;
335 default:
336 break;
337 }
338 ++pat_ptr;
339 }
340
341 if (err)
342 return err;
343 }
344
345out:
346 /* Backward compatibility with core_uses_pid:
347 *
348 * If core_pattern does not include a %p (as is the default)
349 * and core_uses_pid is set, then .%pid will be appended to
350 * the filename. Do not do this for piped commands. */
351 if (!ispipe && !pid_in_pattern && core_uses_pid) {
352 err = cn_printf(cn, fmt: ".%d", task_tgid_vnr(current));
353 if (err)
354 return err;
355 }
356 return ispipe;
357}
358
359static int zap_process(struct task_struct *start, int exit_code)
360{
361 struct task_struct *t;
362 int nr = 0;
363
364 /* Allow SIGKILL, see prepare_signal() */
365 start->signal->flags = SIGNAL_GROUP_EXIT;
366 start->signal->group_exit_code = exit_code;
367 start->signal->group_stop_count = 0;
368
369 for_each_thread(start, t) {
370 task_clear_jobctl_pending(task: t, JOBCTL_PENDING_MASK);
371 if (t != current && !(t->flags & PF_POSTCOREDUMP)) {
372 sigaddset(set: &t->pending.signal, SIGKILL);
373 signal_wake_up(t, fatal: 1);
374 /* The vhost_worker does not particpate in coredumps */
375 if ((t->flags & (PF_USER_WORKER | PF_IO_WORKER)) != PF_USER_WORKER)
376 nr++;
377 }
378 }
379
380 return nr;
381}
382
383static int zap_threads(struct task_struct *tsk,
384 struct core_state *core_state, int exit_code)
385{
386 struct signal_struct *signal = tsk->signal;
387 int nr = -EAGAIN;
388
389 spin_lock_irq(lock: &tsk->sighand->siglock);
390 if (!(signal->flags & SIGNAL_GROUP_EXIT) && !signal->group_exec_task) {
391 signal->core_state = core_state;
392 nr = zap_process(start: tsk, exit_code);
393 clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
394 tsk->flags |= PF_DUMPCORE;
395 atomic_set(v: &core_state->nr_threads, i: nr);
396 }
397 spin_unlock_irq(lock: &tsk->sighand->siglock);
398 return nr;
399}
400
401static int coredump_wait(int exit_code, struct core_state *core_state)
402{
403 struct task_struct *tsk = current;
404 int core_waiters = -EBUSY;
405
406 init_completion(x: &core_state->startup);
407 core_state->dumper.task = tsk;
408 core_state->dumper.next = NULL;
409
410 core_waiters = zap_threads(tsk, core_state, exit_code);
411 if (core_waiters > 0) {
412 struct core_thread *ptr;
413
414 wait_for_completion_state(x: &core_state->startup,
415 TASK_UNINTERRUPTIBLE|TASK_FREEZABLE);
416 /*
417 * Wait for all the threads to become inactive, so that
418 * all the thread context (extended register state, like
419 * fpu etc) gets copied to the memory.
420 */
421 ptr = core_state->dumper.next;
422 while (ptr != NULL) {
423 wait_task_inactive(ptr->task, TASK_ANY);
424 ptr = ptr->next;
425 }
426 }
427
428 return core_waiters;
429}
430
431static void coredump_finish(bool core_dumped)
432{
433 struct core_thread *curr, *next;
434 struct task_struct *task;
435
436 spin_lock_irq(lock: &current->sighand->siglock);
437 if (core_dumped && !__fatal_signal_pending(current))
438 current->signal->group_exit_code |= 0x80;
439 next = current->signal->core_state->dumper.next;
440 current->signal->core_state = NULL;
441 spin_unlock_irq(lock: &current->sighand->siglock);
442
443 while ((curr = next) != NULL) {
444 next = curr->next;
445 task = curr->task;
446 /*
447 * see coredump_task_exit(), curr->task must not see
448 * ->task == NULL before we read ->next.
449 */
450 smp_mb();
451 curr->task = NULL;
452 wake_up_process(tsk: task);
453 }
454}
455
456static bool dump_interrupted(void)
457{
458 /*
459 * SIGKILL or freezing() interrupt the coredumping. Perhaps we
460 * can do try_to_freeze() and check __fatal_signal_pending(),
461 * but then we need to teach dump_write() to restart and clear
462 * TIF_SIGPENDING.
463 */
464 return fatal_signal_pending(current) || freezing(current);
465}
466
467static void wait_for_dump_helpers(struct file *file)
468{
469 struct pipe_inode_info *pipe = file->private_data;
470
471 pipe_lock(pipe);
472 pipe->readers++;
473 pipe->writers--;
474 wake_up_interruptible_sync(&pipe->rd_wait);
475 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
476 pipe_unlock(pipe);
477
478 /*
479 * We actually want wait_event_freezable() but then we need
480 * to clear TIF_SIGPENDING and improve dump_interrupted().
481 */
482 wait_event_interruptible(pipe->rd_wait, pipe->readers == 1);
483
484 pipe_lock(pipe);
485 pipe->readers--;
486 pipe->writers++;
487 pipe_unlock(pipe);
488}
489
490/*
491 * umh_pipe_setup
492 * helper function to customize the process used
493 * to collect the core in userspace. Specifically
494 * it sets up a pipe and installs it as fd 0 (stdin)
495 * for the process. Returns 0 on success, or
496 * PTR_ERR on failure.
497 * Note that it also sets the core limit to 1. This
498 * is a special value that we use to trap recursive
499 * core dumps
500 */
501static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
502{
503 struct file *files[2];
504 struct coredump_params *cp = (struct coredump_params *)info->data;
505 int err = create_pipe_files(files, 0);
506 if (err)
507 return err;
508
509 cp->file = files[1];
510
511 err = replace_fd(fd: 0, file: files[0], flags: 0);
512 fput(files[0]);
513 /* and disallow core files too */
514 current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
515
516 return err;
517}
518
519void do_coredump(const kernel_siginfo_t *siginfo)
520{
521 struct core_state core_state;
522 struct core_name cn;
523 struct mm_struct *mm = current->mm;
524 struct linux_binfmt * binfmt;
525 const struct cred *old_cred;
526 struct cred *cred;
527 int retval = 0;
528 int ispipe;
529 size_t *argv = NULL;
530 int argc = 0;
531 /* require nonrelative corefile path and be extra careful */
532 bool need_suid_safe = false;
533 bool core_dumped = false;
534 static atomic_t core_dump_count = ATOMIC_INIT(0);
535 struct coredump_params cprm = {
536 .siginfo = siginfo,
537 .limit = rlimit(RLIMIT_CORE),
538 /*
539 * We must use the same mm->flags while dumping core to avoid
540 * inconsistency of bit flags, since this flag is not protected
541 * by any locks.
542 */
543 .mm_flags = mm->flags,
544 .vma_meta = NULL,
545 .cpu = raw_smp_processor_id(),
546 };
547
548 audit_core_dumps(signr: siginfo->si_signo);
549
550 binfmt = mm->binfmt;
551 if (!binfmt || !binfmt->core_dump)
552 goto fail;
553 if (!__get_dumpable(mm_flags: cprm.mm_flags))
554 goto fail;
555
556 cred = prepare_creds();
557 if (!cred)
558 goto fail;
559 /*
560 * We cannot trust fsuid as being the "true" uid of the process
561 * nor do we know its entire history. We only know it was tainted
562 * so we dump it as root in mode 2, and only into a controlled
563 * environment (pipe handler or fully qualified path).
564 */
565 if (__get_dumpable(mm_flags: cprm.mm_flags) == SUID_DUMP_ROOT) {
566 /* Setuid core dump mode */
567 cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */
568 need_suid_safe = true;
569 }
570
571 retval = coredump_wait(siginfo->si_signo, &core_state);
572 if (retval < 0)
573 goto fail_creds;
574
575 old_cred = override_creds(cred);
576
577 ispipe = format_corename(&cn, &cprm, &argv, &argc);
578
579 if (ispipe) {
580 int argi;
581 int dump_count;
582 char **helper_argv;
583 struct subprocess_info *sub_info;
584
585 if (ispipe < 0) {
586 printk(KERN_WARNING "format_corename failed\n");
587 printk(KERN_WARNING "Aborting core\n");
588 goto fail_unlock;
589 }
590
591 if (cprm.limit == 1) {
592 /* See umh_pipe_setup() which sets RLIMIT_CORE = 1.
593 *
594 * Normally core limits are irrelevant to pipes, since
595 * we're not writing to the file system, but we use
596 * cprm.limit of 1 here as a special value, this is a
597 * consistent way to catch recursive crashes.
598 * We can still crash if the core_pattern binary sets
599 * RLIM_CORE = !1, but it runs as root, and can do
600 * lots of stupid things.
601 *
602 * Note that we use task_tgid_vnr here to grab the pid
603 * of the process group leader. That way we get the
604 * right pid if a thread in a multi-threaded
605 * core_pattern process dies.
606 */
607 printk(KERN_WARNING
608 "Process %d(%s) has RLIMIT_CORE set to 1\n",
609 task_tgid_vnr(current), current->comm);
610 printk(KERN_WARNING "Aborting core\n");
611 goto fail_unlock;
612 }
613 cprm.limit = RLIM_INFINITY;
614
615 dump_count = atomic_inc_return(&core_dump_count);
616 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
617 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
618 task_tgid_vnr(current), current->comm);
619 printk(KERN_WARNING "Skipping core dump\n");
620 goto fail_dropcount;
621 }
622
623 helper_argv = kmalloc_array(argc + 1, sizeof(*helper_argv),
624 GFP_KERNEL);
625 if (!helper_argv) {
626 printk(KERN_WARNING "%s failed to allocate memory\n",
627 __func__);
628 goto fail_dropcount;
629 }
630 for (argi = 0; argi < argc; argi++)
631 helper_argv[argi] = cn.corename + argv[argi];
632 helper_argv[argi] = NULL;
633
634 retval = -ENOMEM;
635 sub_info = call_usermodehelper_setup(helper_argv[0],
636 helper_argv, NULL, GFP_KERNEL,
637 umh_pipe_setup, NULL, &cprm);
638 if (sub_info)
639 retval = call_usermodehelper_exec(sub_info,
640 UMH_WAIT_EXEC);
641
642 kfree(helper_argv);
643 if (retval) {
644 printk(KERN_INFO "Core dump to |%s pipe failed\n",
645 cn.corename);
646 goto close_fail;
647 }
648 } else {
649 struct mnt_idmap *idmap;
650 struct inode *inode;
651 int open_flags = O_CREAT | O_WRONLY | O_NOFOLLOW |
652 O_LARGEFILE | O_EXCL;
653
654 if (cprm.limit < binfmt->min_coredump)
655 goto fail_unlock;
656
657 if (need_suid_safe && cn.corename[0] != '/') {
658 printk(KERN_WARNING "Pid %d(%s) can only dump core "\
659 "to fully qualified path!\n",
660 task_tgid_vnr(current), current->comm);
661 printk(KERN_WARNING "Skipping core dump\n");
662 goto fail_unlock;
663 }
664
665 /*
666 * Unlink the file if it exists unless this is a SUID
667 * binary - in that case, we're running around with root
668 * privs and don't want to unlink another user's coredump.
669 */
670 if (!need_suid_safe) {
671 /*
672 * If it doesn't exist, that's fine. If there's some
673 * other problem, we'll catch it at the filp_open().
674 */
675 do_unlinkat(AT_FDCWD, getname_kernel(cn.corename));
676 }
677
678 /*
679 * There is a race between unlinking and creating the
680 * file, but if that causes an EEXIST here, that's
681 * fine - another process raced with us while creating
682 * the corefile, and the other process won. To userspace,
683 * what matters is that at least one of the two processes
684 * writes its coredump successfully, not which one.
685 */
686 if (need_suid_safe) {
687 /*
688 * Using user namespaces, normal user tasks can change
689 * their current->fs->root to point to arbitrary
690 * directories. Since the intention of the "only dump
691 * with a fully qualified path" rule is to control where
692 * coredumps may be placed using root privileges,
693 * current->fs->root must not be used. Instead, use the
694 * root directory of init_task.
695 */
696 struct path root;
697
698 task_lock(&init_task);
699 get_fs_root(init_task.fs, &root);
700 task_unlock(&init_task);
701 cprm.file = file_open_root(&root, cn.corename,
702 open_flags, 0600);
703 path_put(&root);
704 } else {
705 cprm.file = filp_open(cn.corename, open_flags, 0600);
706 }
707 if (IS_ERR(cprm.file))
708 goto fail_unlock;
709
710 inode = file_inode(cprm.file);
711 if (inode->i_nlink > 1)
712 goto close_fail;
713 if (d_unhashed(cprm.file->f_path.dentry))
714 goto close_fail;
715 /*
716 * AK: actually i see no reason to not allow this for named
717 * pipes etc, but keep the previous behaviour for now.
718 */
719 if (!S_ISREG(inode->i_mode))
720 goto close_fail;
721 /*
722 * Don't dump core if the filesystem changed owner or mode
723 * of the file during file creation. This is an issue when
724 * a process dumps core while its cwd is e.g. on a vfat
725 * filesystem.
726 */
727 idmap = file_mnt_idmap(cprm.file);
728 if (!vfsuid_eq_kuid(i_uid_into_vfsuid(idmap, inode),
729 current_fsuid())) {
730 pr_info_ratelimited("Core dump to %s aborted: cannot preserve file owner\n",
731 cn.corename);
732 goto close_fail;
733 }
734 if ((inode->i_mode & 0677) != 0600) {
735 pr_info_ratelimited("Core dump to %s aborted: cannot preserve file permissions\n",
736 cn.corename);
737 goto close_fail;
738 }
739 if (!(cprm.file->f_mode & FMODE_CAN_WRITE))
740 goto close_fail;
741 if (do_truncate(idmap, cprm.file->f_path.dentry,
742 0, 0, cprm.file))
743 goto close_fail;
744 }
745
746 /* get us an unshared descriptor table; almost always a no-op */
747 /* The cell spufs coredump code reads the file descriptor tables */
748 retval = unshare_files();
749 if (retval)
750 goto close_fail;
751 if (!dump_interrupted()) {
752 /*
753 * umh disabled with CONFIG_STATIC_USERMODEHELPER_PATH="" would
754 * have this set to NULL.
755 */
756 if (!cprm.file) {
757 pr_info("Core dump to |%s disabled\n", cn.corename);
758 goto close_fail;
759 }
760 if (!dump_vma_snapshot(&cprm))
761 goto close_fail;
762
763 file_start_write(cprm.file);
764 core_dumped = binfmt->core_dump(&cprm);
765 /*
766 * Ensures that file size is big enough to contain the current
767 * file postion. This prevents gdb from complaining about
768 * a truncated file if the last "write" to the file was
769 * dump_skip.
770 */
771 if (cprm.to_skip) {
772 cprm.to_skip--;
773 dump_emit(&cprm, "", 1);
774 }
775 file_end_write(cprm.file);
776 free_vma_snapshot(&cprm);
777 }
778 if (ispipe && core_pipe_limit)
779 wait_for_dump_helpers(cprm.file);
780close_fail:
781 if (cprm.file)
782 filp_close(cprm.file, NULL);
783fail_dropcount:
784 if (ispipe)
785 atomic_dec(&core_dump_count);
786fail_unlock:
787 kfree(argv);
788 kfree(cn.corename);
789 coredump_finish(core_dumped);
790 revert_creds(old_cred);
791fail_creds:
792 put_cred(cred);
793fail:
794 return;
795}
796
797/*
798 * Core dumping helper functions. These are the only things you should
799 * do on a core-file: use only these functions to write out all the
800 * necessary info.
801 */
802static int __dump_emit(struct coredump_params *cprm, const void *addr, int nr)
803{
804 struct file *file = cprm->file;
805 loff_t pos = file->f_pos;
806 ssize_t n;
807 if (cprm->written + nr > cprm->limit)
808 return 0;
809
810
811 if (dump_interrupted())
812 return 0;
813 n = __kernel_write(file, addr, nr, &pos);
814 if (n != nr)
815 return 0;
816 file->f_pos = pos;
817 cprm->written += n;
818 cprm->pos += n;
819
820 return 1;
821}
822
823static int __dump_skip(struct coredump_params *cprm, size_t nr)
824{
825 static char zeroes[PAGE_SIZE];
826 struct file *file = cprm->file;
827 if (file->f_mode & FMODE_LSEEK) {
828 if (dump_interrupted() ||
829 vfs_llseek(file, offset: nr, SEEK_CUR) < 0)
830 return 0;
831 cprm->pos += nr;
832 return 1;
833 } else {
834 while (nr > PAGE_SIZE) {
835 if (!__dump_emit(cprm, addr: zeroes, PAGE_SIZE))
836 return 0;
837 nr -= PAGE_SIZE;
838 }
839 return __dump_emit(cprm, addr: zeroes, nr);
840 }
841}
842
843int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
844{
845 if (cprm->to_skip) {
846 if (!__dump_skip(cprm, nr: cprm->to_skip))
847 return 0;
848 cprm->to_skip = 0;
849 }
850 return __dump_emit(cprm, addr, nr);
851}
852EXPORT_SYMBOL(dump_emit);
853
854void dump_skip_to(struct coredump_params *cprm, unsigned long pos)
855{
856 cprm->to_skip = pos - cprm->pos;
857}
858EXPORT_SYMBOL(dump_skip_to);
859
860void dump_skip(struct coredump_params *cprm, size_t nr)
861{
862 cprm->to_skip += nr;
863}
864EXPORT_SYMBOL(dump_skip);
865
866#ifdef CONFIG_ELF_CORE
867static int dump_emit_page(struct coredump_params *cprm, struct page *page)
868{
869 struct bio_vec bvec;
870 struct iov_iter iter;
871 struct file *file = cprm->file;
872 loff_t pos;
873 ssize_t n;
874
875 if (cprm->to_skip) {
876 if (!__dump_skip(cprm, nr: cprm->to_skip))
877 return 0;
878 cprm->to_skip = 0;
879 }
880 if (cprm->written + PAGE_SIZE > cprm->limit)
881 return 0;
882 if (dump_interrupted())
883 return 0;
884 pos = file->f_pos;
885 bvec_set_page(bv: &bvec, page, PAGE_SIZE, offset: 0);
886 iov_iter_bvec(i: &iter, ITER_SOURCE, bvec: &bvec, nr_segs: 1, PAGE_SIZE);
887 iov_iter_set_copy_mc(i: &iter);
888 n = __kernel_write_iter(file: cprm->file, from: &iter, pos: &pos);
889 if (n != PAGE_SIZE)
890 return 0;
891 file->f_pos = pos;
892 cprm->written += PAGE_SIZE;
893 cprm->pos += PAGE_SIZE;
894
895 return 1;
896}
897
898int dump_user_range(struct coredump_params *cprm, unsigned long start,
899 unsigned long len)
900{
901 unsigned long addr;
902
903 for (addr = start; addr < start + len; addr += PAGE_SIZE) {
904 struct page *page;
905
906 /*
907 * To avoid having to allocate page tables for virtual address
908 * ranges that have never been used yet, and also to make it
909 * easy to generate sparse core files, use a helper that returns
910 * NULL when encountering an empty page table entry that would
911 * otherwise have been filled with the zero page.
912 */
913 page = get_dump_page(addr);
914 if (page) {
915 int stop = !dump_emit_page(cprm, page);
916 put_page(page);
917 if (stop)
918 return 0;
919 } else {
920 dump_skip(cprm, PAGE_SIZE);
921 }
922 }
923 return 1;
924}
925#endif
926
927int dump_align(struct coredump_params *cprm, int align)
928{
929 unsigned mod = (cprm->pos + cprm->to_skip) & (align - 1);
930 if (align & (align - 1))
931 return 0;
932 if (mod)
933 cprm->to_skip += align - mod;
934 return 1;
935}
936EXPORT_SYMBOL(dump_align);
937
938#ifdef CONFIG_SYSCTL
939
940void validate_coredump_safety(void)
941{
942 if (suid_dumpable == SUID_DUMP_ROOT &&
943 core_pattern[0] != '/' && core_pattern[0] != '|') {
944 pr_warn(
945"Unsafe core_pattern used with fs.suid_dumpable=2.\n"
946"Pipe handler or fully qualified core dump path required.\n"
947"Set kernel.core_pattern before fs.suid_dumpable.\n"
948 );
949 }
950}
951
952static int proc_dostring_coredump(struct ctl_table *table, int write,
953 void *buffer, size_t *lenp, loff_t *ppos)
954{
955 int error = proc_dostring(table, write, buffer, lenp, ppos);
956
957 if (!error)
958 validate_coredump_safety();
959 return error;
960}
961
962static struct ctl_table coredump_sysctls[] = {
963 {
964 .procname = "core_uses_pid",
965 .data = &core_uses_pid,
966 .maxlen = sizeof(int),
967 .mode = 0644,
968 .proc_handler = proc_dointvec,
969 },
970 {
971 .procname = "core_pattern",
972 .data = core_pattern,
973 .maxlen = CORENAME_MAX_SIZE,
974 .mode = 0644,
975 .proc_handler = proc_dostring_coredump,
976 },
977 {
978 .procname = "core_pipe_limit",
979 .data = &core_pipe_limit,
980 .maxlen = sizeof(unsigned int),
981 .mode = 0644,
982 .proc_handler = proc_dointvec,
983 },
984 { }
985};
986
987static int __init init_fs_coredump_sysctls(void)
988{
989 register_sysctl_init("kernel", coredump_sysctls);
990 return 0;
991}
992fs_initcall(init_fs_coredump_sysctls);
993#endif /* CONFIG_SYSCTL */
994
995/*
996 * The purpose of always_dump_vma() is to make sure that special kernel mappings
997 * that are useful for post-mortem analysis are included in every core dump.
998 * In that way we ensure that the core dump is fully interpretable later
999 * without matching up the same kernel and hardware config to see what PC values
1000 * meant. These special mappings include - vDSO, vsyscall, and other
1001 * architecture specific mappings
1002 */
1003static bool always_dump_vma(struct vm_area_struct *vma)
1004{
1005 /* Any vsyscall mappings? */
1006 if (vma == get_gate_vma(mm: vma->vm_mm))
1007 return true;
1008
1009 /*
1010 * Assume that all vmas with a .name op should always be dumped.
1011 * If this changes, a new vm_ops field can easily be added.
1012 */
1013 if (vma->vm_ops && vma->vm_ops->name && vma->vm_ops->name(vma))
1014 return true;
1015
1016 /*
1017 * arch_vma_name() returns non-NULL for special architecture mappings,
1018 * such as vDSO sections.
1019 */
1020 if (arch_vma_name(vma))
1021 return true;
1022
1023 return false;
1024}
1025
1026#define DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER 1
1027
1028/*
1029 * Decide how much of @vma's contents should be included in a core dump.
1030 */
1031static unsigned long vma_dump_size(struct vm_area_struct *vma,
1032 unsigned long mm_flags)
1033{
1034#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
1035
1036 /* always dump the vdso and vsyscall sections */
1037 if (always_dump_vma(vma))
1038 goto whole;
1039
1040 if (vma->vm_flags & VM_DONTDUMP)
1041 return 0;
1042
1043 /* support for DAX */
1044 if (vma_is_dax(vma)) {
1045 if ((vma->vm_flags & VM_SHARED) && FILTER(DAX_SHARED))
1046 goto whole;
1047 if (!(vma->vm_flags & VM_SHARED) && FILTER(DAX_PRIVATE))
1048 goto whole;
1049 return 0;
1050 }
1051
1052 /* Hugetlb memory check */
1053 if (is_vm_hugetlb_page(vma)) {
1054 if ((vma->vm_flags & VM_SHARED) && FILTER(HUGETLB_SHARED))
1055 goto whole;
1056 if (!(vma->vm_flags & VM_SHARED) && FILTER(HUGETLB_PRIVATE))
1057 goto whole;
1058 return 0;
1059 }
1060
1061 /* Do not dump I/O mapped devices or special mappings */
1062 if (vma->vm_flags & VM_IO)
1063 return 0;
1064
1065 /* By default, dump shared memory if mapped from an anonymous file. */
1066 if (vma->vm_flags & VM_SHARED) {
1067 if (file_inode(f: vma->vm_file)->i_nlink == 0 ?
1068 FILTER(ANON_SHARED) : FILTER(MAPPED_SHARED))
1069 goto whole;
1070 return 0;
1071 }
1072
1073 /* Dump segments that have been written to. */
1074 if ((!IS_ENABLED(CONFIG_MMU) || vma->anon_vma) && FILTER(ANON_PRIVATE))
1075 goto whole;
1076 if (vma->vm_file == NULL)
1077 return 0;
1078
1079 if (FILTER(MAPPED_PRIVATE))
1080 goto whole;
1081
1082 /*
1083 * If this is the beginning of an executable file mapping,
1084 * dump the first page to aid in determining what was mapped here.
1085 */
1086 if (FILTER(ELF_HEADERS) &&
1087 vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) {
1088 if ((READ_ONCE(file_inode(vma->vm_file)->i_mode) & 0111) != 0)
1089 return PAGE_SIZE;
1090
1091 /*
1092 * ELF libraries aren't always executable.
1093 * We'll want to check whether the mapping starts with the ELF
1094 * magic, but not now - we're holding the mmap lock,
1095 * so copy_from_user() doesn't work here.
1096 * Use a placeholder instead, and fix it up later in
1097 * dump_vma_snapshot().
1098 */
1099 return DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER;
1100 }
1101
1102#undef FILTER
1103
1104 return 0;
1105
1106whole:
1107 return vma->vm_end - vma->vm_start;
1108}
1109
1110/*
1111 * Helper function for iterating across a vma list. It ensures that the caller
1112 * will visit `gate_vma' prior to terminating the search.
1113 */
1114static struct vm_area_struct *coredump_next_vma(struct vma_iterator *vmi,
1115 struct vm_area_struct *vma,
1116 struct vm_area_struct *gate_vma)
1117{
1118 if (gate_vma && (vma == gate_vma))
1119 return NULL;
1120
1121 vma = vma_next(vmi);
1122 if (vma)
1123 return vma;
1124 return gate_vma;
1125}
1126
1127static void free_vma_snapshot(struct coredump_params *cprm)
1128{
1129 if (cprm->vma_meta) {
1130 int i;
1131 for (i = 0; i < cprm->vma_count; i++) {
1132 struct file *file = cprm->vma_meta[i].file;
1133 if (file)
1134 fput(file);
1135 }
1136 kvfree(addr: cprm->vma_meta);
1137 cprm->vma_meta = NULL;
1138 }
1139}
1140
1141/*
1142 * Under the mmap_lock, take a snapshot of relevant information about the task's
1143 * VMAs.
1144 */
1145static bool dump_vma_snapshot(struct coredump_params *cprm)
1146{
1147 struct vm_area_struct *gate_vma, *vma = NULL;
1148 struct mm_struct *mm = current->mm;
1149 VMA_ITERATOR(vmi, mm, 0);
1150 int i = 0;
1151
1152 /*
1153 * Once the stack expansion code is fixed to not change VMA bounds
1154 * under mmap_lock in read mode, this can be changed to take the
1155 * mmap_lock in read mode.
1156 */
1157 if (mmap_write_lock_killable(mm))
1158 return false;
1159
1160 cprm->vma_data_size = 0;
1161 gate_vma = get_gate_vma(mm);
1162 cprm->vma_count = mm->map_count + (gate_vma ? 1 : 0);
1163
1164 cprm->vma_meta = kvmalloc_array(n: cprm->vma_count, size: sizeof(*cprm->vma_meta), GFP_KERNEL);
1165 if (!cprm->vma_meta) {
1166 mmap_write_unlock(mm);
1167 return false;
1168 }
1169
1170 while ((vma = coredump_next_vma(vmi: &vmi, vma, gate_vma)) != NULL) {
1171 struct core_vma_metadata *m = cprm->vma_meta + i;
1172
1173 m->start = vma->vm_start;
1174 m->end = vma->vm_end;
1175 m->flags = vma->vm_flags;
1176 m->dump_size = vma_dump_size(vma, mm_flags: cprm->mm_flags);
1177 m->pgoff = vma->vm_pgoff;
1178 m->file = vma->vm_file;
1179 if (m->file)
1180 get_file(f: m->file);
1181 i++;
1182 }
1183
1184 mmap_write_unlock(mm);
1185
1186 for (i = 0; i < cprm->vma_count; i++) {
1187 struct core_vma_metadata *m = cprm->vma_meta + i;
1188
1189 if (m->dump_size == DUMP_SIZE_MAYBE_ELFHDR_PLACEHOLDER) {
1190 char elfmag[SELFMAG];
1191
1192 if (copy_from_user(to: elfmag, from: (void __user *)m->start, SELFMAG) ||
1193 memcmp(p: elfmag, ELFMAG, SELFMAG) != 0) {
1194 m->dump_size = 0;
1195 } else {
1196 m->dump_size = PAGE_SIZE;
1197 }
1198 }
1199
1200 cprm->vma_data_size += m->dump_size;
1201 }
1202
1203 return true;
1204}
1205

source code of linux/fs/coredump.c