1 // SPDX-License-Identifier: GPL-2.0-only 1 // SPDX-License-Identifier: GPL-2.0-only
2 /* 2 /*
3 * binfmt_misc.c 3 * binfmt_misc.c
4 * 4 *
5 * Copyright (C) 1997 Richard Günther 5 * Copyright (C) 1997 Richard Günther
6 * 6 *
7 * binfmt_misc detects binaries via a magic or 7 * binfmt_misc detects binaries via a magic or filename extension and invokes
8 * a specified wrapper. See Documentation/admi 8 * a specified wrapper. See Documentation/admin-guide/binfmt-misc.rst for more details.
9 */ 9 */
10 10
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 12
13 #include <linux/kernel.h> 13 #include <linux/kernel.h>
14 #include <linux/module.h> 14 #include <linux/module.h>
15 #include <linux/init.h> 15 #include <linux/init.h>
16 #include <linux/sched/mm.h> 16 #include <linux/sched/mm.h>
17 #include <linux/magic.h> 17 #include <linux/magic.h>
18 #include <linux/binfmts.h> 18 #include <linux/binfmts.h>
19 #include <linux/slab.h> 19 #include <linux/slab.h>
20 #include <linux/ctype.h> 20 #include <linux/ctype.h>
21 #include <linux/string_helpers.h> 21 #include <linux/string_helpers.h>
22 #include <linux/file.h> 22 #include <linux/file.h>
23 #include <linux/pagemap.h> 23 #include <linux/pagemap.h>
24 #include <linux/namei.h> 24 #include <linux/namei.h>
25 #include <linux/mount.h> 25 #include <linux/mount.h>
26 #include <linux/fs_context.h> 26 #include <linux/fs_context.h>
27 #include <linux/syscalls.h> 27 #include <linux/syscalls.h>
28 #include <linux/fs.h> 28 #include <linux/fs.h>
29 #include <linux/uaccess.h> 29 #include <linux/uaccess.h>
30 30
31 #include "internal.h" 31 #include "internal.h"
32 32
33 #ifdef DEBUG 33 #ifdef DEBUG
34 # define USE_DEBUG 1 34 # define USE_DEBUG 1
35 #else 35 #else
36 # define USE_DEBUG 0 36 # define USE_DEBUG 0
37 #endif 37 #endif
38 38
39 enum { 39 enum {
40 VERBOSE_STATUS = 1 /* make it zero to 40 VERBOSE_STATUS = 1 /* make it zero to save 400 bytes kernel memory */
41 }; 41 };
42 42
43 enum {Enabled, Magic}; 43 enum {Enabled, Magic};
44 #define MISC_FMT_PRESERVE_ARGV0 (1UL << 31) 44 #define MISC_FMT_PRESERVE_ARGV0 (1UL << 31)
45 #define MISC_FMT_OPEN_BINARY (1UL << 30) 45 #define MISC_FMT_OPEN_BINARY (1UL << 30)
46 #define MISC_FMT_CREDENTIALS (1UL << 29) 46 #define MISC_FMT_CREDENTIALS (1UL << 29)
47 #define MISC_FMT_OPEN_FILE (1UL << 28) 47 #define MISC_FMT_OPEN_FILE (1UL << 28)
48 48
49 typedef struct { 49 typedef struct {
50 struct list_head list; 50 struct list_head list;
51 unsigned long flags; /* typ 51 unsigned long flags; /* type, status, etc. */
52 int offset; /* off 52 int offset; /* offset of magic */
53 int size; /* siz 53 int size; /* size of magic/mask */
54 char *magic; /* mag 54 char *magic; /* magic or filename extension */
55 char *mask; /* mas 55 char *mask; /* mask, NULL for exact match */
56 const char *interpreter; /* fil 56 const char *interpreter; /* filename of interpreter */
57 char *name; 57 char *name;
58 struct dentry *dentry; 58 struct dentry *dentry;
59 struct file *interp_file; 59 struct file *interp_file;
60 refcount_t users; /* syn 60 refcount_t users; /* sync removal with load_misc_binary() */
61 } Node; 61 } Node;
62 62
63 static struct file_system_type bm_fs_type; 63 static struct file_system_type bm_fs_type;
64 64
65 /* 65 /*
66 * Max length of the register string. Determi 66 * Max length of the register string. Determined by:
67 * - 7 delimiters 67 * - 7 delimiters
68 * - name: ~50 bytes 68 * - name: ~50 bytes
69 * - type: 1 byte 69 * - type: 1 byte
70 * - offset: 3 bytes (has to be smaller than 70 * - offset: 3 bytes (has to be smaller than BINPRM_BUF_SIZE)
71 * - magic: 128 bytes (512 in escaped form) 71 * - magic: 128 bytes (512 in escaped form)
72 * - mask: 128 bytes (512 in escaped form) 72 * - mask: 128 bytes (512 in escaped form)
73 * - interp: ~50 bytes 73 * - interp: ~50 bytes
74 * - flags: 5 bytes 74 * - flags: 5 bytes
75 * Round that up a bit, and then back off to h 75 * Round that up a bit, and then back off to hold the internal data
76 * (like struct Node). 76 * (like struct Node).
77 */ 77 */
78 #define MAX_REGISTER_LENGTH 1920 78 #define MAX_REGISTER_LENGTH 1920
79 79
80 /** 80 /**
81 * search_binfmt_handler - search for a binary 81 * search_binfmt_handler - search for a binary handler for @bprm
82 * @misc: handle to binfmt_misc instance 82 * @misc: handle to binfmt_misc instance
83 * @bprm: binary for which we are looking for 83 * @bprm: binary for which we are looking for a handler
84 * 84 *
85 * Search for a binary type handler for @bprm 85 * Search for a binary type handler for @bprm in the list of registered binary
86 * type handlers. 86 * type handlers.
87 * 87 *
88 * Return: binary type list entry on success, 88 * Return: binary type list entry on success, NULL on failure
89 */ 89 */
90 static Node *search_binfmt_handler(struct binf 90 static Node *search_binfmt_handler(struct binfmt_misc *misc,
91 struct linu 91 struct linux_binprm *bprm)
92 { 92 {
93 char *p = strrchr(bprm->interp, '.'); 93 char *p = strrchr(bprm->interp, '.');
94 Node *e; 94 Node *e;
95 95
96 /* Walk all the registered handlers. * 96 /* Walk all the registered handlers. */
97 list_for_each_entry(e, &misc->entries, 97 list_for_each_entry(e, &misc->entries, list) {
98 char *s; 98 char *s;
99 int j; 99 int j;
100 100
101 /* Make sure this one is curre 101 /* Make sure this one is currently enabled. */
102 if (!test_bit(Enabled, &e->fla 102 if (!test_bit(Enabled, &e->flags))
103 continue; 103 continue;
104 104
105 /* Do matching based on extens 105 /* Do matching based on extension if applicable. */
106 if (!test_bit(Magic, &e->flags 106 if (!test_bit(Magic, &e->flags)) {
107 if (p && !strcmp(e->ma 107 if (p && !strcmp(e->magic, p + 1))
108 return e; 108 return e;
109 continue; 109 continue;
110 } 110 }
111 111
112 /* Do matching based on magic 112 /* Do matching based on magic & mask. */
113 s = bprm->buf + e->offset; 113 s = bprm->buf + e->offset;
114 if (e->mask) { 114 if (e->mask) {
115 for (j = 0; j < e->siz 115 for (j = 0; j < e->size; j++)
116 if ((*s++ ^ e- 116 if ((*s++ ^ e->magic[j]) & e->mask[j])
117 break; 117 break;
118 } else { 118 } else {
119 for (j = 0; j < e->siz 119 for (j = 0; j < e->size; j++)
120 if ((*s++ ^ e- 120 if ((*s++ ^ e->magic[j]))
121 break; 121 break;
122 } 122 }
123 if (j == e->size) 123 if (j == e->size)
124 return e; 124 return e;
125 } 125 }
126 126
127 return NULL; 127 return NULL;
128 } 128 }
129 129
130 /** 130 /**
131 * get_binfmt_handler - try to find a binary t 131 * get_binfmt_handler - try to find a binary type handler
132 * @misc: handle to binfmt_misc instance 132 * @misc: handle to binfmt_misc instance
133 * @bprm: binary for which we are looking for 133 * @bprm: binary for which we are looking for a handler
134 * 134 *
135 * Try to find a binfmt handler for the binary 135 * Try to find a binfmt handler for the binary type. If one is found take a
136 * reference to protect against removal via bm 136 * reference to protect against removal via bm_{entry,status}_write().
137 * 137 *
138 * Return: binary type list entry on success, 138 * Return: binary type list entry on success, NULL on failure
139 */ 139 */
140 static Node *get_binfmt_handler(struct binfmt_ 140 static Node *get_binfmt_handler(struct binfmt_misc *misc,
141 struct linux_b 141 struct linux_binprm *bprm)
142 { 142 {
143 Node *e; 143 Node *e;
144 144
145 read_lock(&misc->entries_lock); 145 read_lock(&misc->entries_lock);
146 e = search_binfmt_handler(misc, bprm); 146 e = search_binfmt_handler(misc, bprm);
147 if (e) 147 if (e)
148 refcount_inc(&e->users); 148 refcount_inc(&e->users);
149 read_unlock(&misc->entries_lock); 149 read_unlock(&misc->entries_lock);
150 return e; 150 return e;
151 } 151 }
152 152
153 /** 153 /**
154 * put_binfmt_handler - put binary handler nod 154 * put_binfmt_handler - put binary handler node
155 * @e: node to put 155 * @e: node to put
156 * 156 *
157 * Free node syncing with load_misc_binary() a 157 * Free node syncing with load_misc_binary() and defer final free to
158 * load_misc_binary() in case it is using the 158 * load_misc_binary() in case it is using the binary type handler we were
159 * requested to remove. 159 * requested to remove.
160 */ 160 */
161 static void put_binfmt_handler(Node *e) 161 static void put_binfmt_handler(Node *e)
162 { 162 {
163 if (refcount_dec_and_test(&e->users)) 163 if (refcount_dec_and_test(&e->users)) {
164 if (e->flags & MISC_FMT_OPEN_F 164 if (e->flags & MISC_FMT_OPEN_FILE)
165 filp_close(e->interp_f 165 filp_close(e->interp_file, NULL);
166 kfree(e); 166 kfree(e);
167 } 167 }
168 } 168 }
169 169
170 /** 170 /**
171 * load_binfmt_misc - load the binfmt_misc of 171 * load_binfmt_misc - load the binfmt_misc of the caller's user namespace
172 * 172 *
173 * To be called in load_misc_binary() to load 173 * To be called in load_misc_binary() to load the relevant struct binfmt_misc.
174 * If a user namespace doesn't have its own bi 174 * If a user namespace doesn't have its own binfmt_misc mount it can make use
175 * of its ancestor's binfmt_misc handlers. Thi 175 * of its ancestor's binfmt_misc handlers. This mimicks the behavior of
176 * pre-namespaced binfmt_misc where all regist 176 * pre-namespaced binfmt_misc where all registered binfmt_misc handlers where
177 * available to all user and user namespaces o 177 * available to all user and user namespaces on the system.
178 * 178 *
179 * Return: the binfmt_misc instance of the cal 179 * Return: the binfmt_misc instance of the caller's user namespace
180 */ 180 */
181 static struct binfmt_misc *load_binfmt_misc(vo 181 static struct binfmt_misc *load_binfmt_misc(void)
182 { 182 {
183 const struct user_namespace *user_ns; 183 const struct user_namespace *user_ns;
184 struct binfmt_misc *misc; 184 struct binfmt_misc *misc;
185 185
186 user_ns = current_user_ns(); 186 user_ns = current_user_ns();
187 while (user_ns) { 187 while (user_ns) {
188 /* Pairs with smp_store_releas 188 /* Pairs with smp_store_release() in bm_fill_super(). */
189 misc = smp_load_acquire(&user_ 189 misc = smp_load_acquire(&user_ns->binfmt_misc);
190 if (misc) 190 if (misc)
191 return misc; 191 return misc;
192 192
193 user_ns = user_ns->parent; 193 user_ns = user_ns->parent;
194 } 194 }
195 195
196 return &init_binfmt_misc; 196 return &init_binfmt_misc;
197 } 197 }
198 198
199 /* 199 /*
200 * the loader itself 200 * the loader itself
201 */ 201 */
202 static int load_misc_binary(struct linux_binpr 202 static int load_misc_binary(struct linux_binprm *bprm)
203 { 203 {
204 Node *fmt; 204 Node *fmt;
205 struct file *interp_file = NULL; 205 struct file *interp_file = NULL;
206 int retval = -ENOEXEC; 206 int retval = -ENOEXEC;
207 struct binfmt_misc *misc; 207 struct binfmt_misc *misc;
208 208
209 misc = load_binfmt_misc(); 209 misc = load_binfmt_misc();
210 if (!misc->enabled) 210 if (!misc->enabled)
211 return retval; 211 return retval;
212 212
213 fmt = get_binfmt_handler(misc, bprm); 213 fmt = get_binfmt_handler(misc, bprm);
214 if (!fmt) 214 if (!fmt)
215 return retval; 215 return retval;
216 216
217 /* Need to be able to load the file af 217 /* Need to be able to load the file after exec */
218 retval = -ENOENT; 218 retval = -ENOENT;
219 if (bprm->interp_flags & BINPRM_FLAGS_ 219 if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE)
220 goto ret; 220 goto ret;
221 221
222 if (fmt->flags & MISC_FMT_PRESERVE_ARG 222 if (fmt->flags & MISC_FMT_PRESERVE_ARGV0) {
223 bprm->interp_flags |= BINPRM_F 223 bprm->interp_flags |= BINPRM_FLAGS_PRESERVE_ARGV0;
224 } else { 224 } else {
225 retval = remove_arg_zero(bprm) 225 retval = remove_arg_zero(bprm);
226 if (retval) 226 if (retval)
227 goto ret; 227 goto ret;
228 } 228 }
229 229
230 if (fmt->flags & MISC_FMT_OPEN_BINARY) 230 if (fmt->flags & MISC_FMT_OPEN_BINARY)
231 bprm->have_execfd = 1; 231 bprm->have_execfd = 1;
232 232
233 /* make argv[1] be the path to the bin 233 /* make argv[1] be the path to the binary */
234 retval = copy_string_kernel(bprm->inte 234 retval = copy_string_kernel(bprm->interp, bprm);
235 if (retval < 0) 235 if (retval < 0)
236 goto ret; 236 goto ret;
237 bprm->argc++; 237 bprm->argc++;
238 238
239 /* add the interp as argv[0] */ 239 /* add the interp as argv[0] */
240 retval = copy_string_kernel(fmt->inter 240 retval = copy_string_kernel(fmt->interpreter, bprm);
241 if (retval < 0) 241 if (retval < 0)
242 goto ret; 242 goto ret;
243 bprm->argc++; 243 bprm->argc++;
244 244
245 /* Update interp in case binfmt_script 245 /* Update interp in case binfmt_script needs it. */
246 retval = bprm_change_interp(fmt->inter 246 retval = bprm_change_interp(fmt->interpreter, bprm);
247 if (retval < 0) 247 if (retval < 0)
248 goto ret; 248 goto ret;
249 249
250 if (fmt->flags & MISC_FMT_OPEN_FILE) 250 if (fmt->flags & MISC_FMT_OPEN_FILE)
251 interp_file = file_clone_open( 251 interp_file = file_clone_open(fmt->interp_file);
252 else 252 else
253 interp_file = open_exec(fmt->i 253 interp_file = open_exec(fmt->interpreter);
254 retval = PTR_ERR(interp_file); 254 retval = PTR_ERR(interp_file);
255 if (IS_ERR(interp_file)) 255 if (IS_ERR(interp_file))
256 goto ret; 256 goto ret;
257 257
258 bprm->interpreter = interp_file; 258 bprm->interpreter = interp_file;
259 if (fmt->flags & MISC_FMT_CREDENTIALS) 259 if (fmt->flags & MISC_FMT_CREDENTIALS)
260 bprm->execfd_creds = 1; 260 bprm->execfd_creds = 1;
261 261
262 retval = 0; 262 retval = 0;
263 ret: 263 ret:
264 264
265 /* 265 /*
266 * If we actually put the node here al 266 * If we actually put the node here all concurrent calls to
267 * load_misc_binary() will have finish 267 * load_misc_binary() will have finished. We also know
268 * that for the refcount to be zero so 268 * that for the refcount to be zero someone must have concurently
269 * removed the binary type handler fro 269 * removed the binary type handler from the list and it's our job to
270 * free it. 270 * free it.
271 */ 271 */
272 put_binfmt_handler(fmt); 272 put_binfmt_handler(fmt);
273 273
274 return retval; 274 return retval;
275 } 275 }
276 276
277 /* Command parsers */ 277 /* Command parsers */
278 278
279 /* 279 /*
280 * parses and copies one argument enclosed in 280 * parses and copies one argument enclosed in del from *sp to *dp,
281 * recognising the \x special. 281 * recognising the \x special.
282 * returns pointer to the copied argument or N 282 * returns pointer to the copied argument or NULL in case of an
283 * error (and sets err) or null argument lengt 283 * error (and sets err) or null argument length.
284 */ 284 */
285 static char *scanarg(char *s, char del) 285 static char *scanarg(char *s, char del)
286 { 286 {
287 char c; 287 char c;
288 288
289 while ((c = *s++) != del) { 289 while ((c = *s++) != del) {
290 if (c == '\\' && *s == 'x') { 290 if (c == '\\' && *s == 'x') {
291 s++; 291 s++;
292 if (!isxdigit(*s++)) 292 if (!isxdigit(*s++))
293 return NULL; 293 return NULL;
294 if (!isxdigit(*s++)) 294 if (!isxdigit(*s++))
295 return NULL; 295 return NULL;
296 } 296 }
297 } 297 }
298 s[-1] ='\0'; 298 s[-1] ='\0';
299 return s; 299 return s;
300 } 300 }
301 301
302 static char *check_special_flags(char *sfs, No 302 static char *check_special_flags(char *sfs, Node *e)
303 { 303 {
304 char *p = sfs; 304 char *p = sfs;
305 int cont = 1; 305 int cont = 1;
306 306
307 /* special flags */ 307 /* special flags */
308 while (cont) { 308 while (cont) {
309 switch (*p) { 309 switch (*p) {
310 case 'P': 310 case 'P':
311 pr_debug("register: fl 311 pr_debug("register: flag: P (preserve argv0)\n");
312 p++; 312 p++;
313 e->flags |= MISC_FMT_P 313 e->flags |= MISC_FMT_PRESERVE_ARGV0;
314 break; 314 break;
315 case 'O': 315 case 'O':
316 pr_debug("register: fl 316 pr_debug("register: flag: O (open binary)\n");
317 p++; 317 p++;
318 e->flags |= MISC_FMT_O 318 e->flags |= MISC_FMT_OPEN_BINARY;
319 break; 319 break;
320 case 'C': 320 case 'C':
321 pr_debug("register: fl 321 pr_debug("register: flag: C (preserve creds)\n");
322 p++; 322 p++;
323 /* this flags also imp 323 /* this flags also implies the
324 open-binary flag */ 324 open-binary flag */
325 e->flags |= (MISC_FMT_ 325 e->flags |= (MISC_FMT_CREDENTIALS |
326 MISC_F 326 MISC_FMT_OPEN_BINARY);
327 break; 327 break;
328 case 'F': 328 case 'F':
329 pr_debug("register: fl 329 pr_debug("register: flag: F: open interpreter file now\n");
330 p++; 330 p++;
331 e->flags |= MISC_FMT_O 331 e->flags |= MISC_FMT_OPEN_FILE;
332 break; 332 break;
333 default: 333 default:
334 cont = 0; 334 cont = 0;
335 } 335 }
336 } 336 }
337 337
338 return p; 338 return p;
339 } 339 }
340 340
341 /* 341 /*
342 * This registers a new binary format, it reco 342 * This registers a new binary format, it recognises the syntax
343 * ':name:type:offset:magic:mask:interpreter:f 343 * ':name:type:offset:magic:mask:interpreter:flags'
344 * where the ':' is the IFS, that can be chose 344 * where the ':' is the IFS, that can be chosen with the first char
345 */ 345 */
346 static Node *create_entry(const char __user *b 346 static Node *create_entry(const char __user *buffer, size_t count)
347 { 347 {
348 Node *e; 348 Node *e;
349 int memsize, err; 349 int memsize, err;
350 char *buf, *p; 350 char *buf, *p;
351 char del; 351 char del;
352 352
353 pr_debug("register: received %zu bytes 353 pr_debug("register: received %zu bytes\n", count);
354 354
355 /* some sanity checks */ 355 /* some sanity checks */
356 err = -EINVAL; 356 err = -EINVAL;
357 if ((count < 11) || (count > MAX_REGIS 357 if ((count < 11) || (count > MAX_REGISTER_LENGTH))
358 goto out; 358 goto out;
359 359
360 err = -ENOMEM; 360 err = -ENOMEM;
361 memsize = sizeof(Node) + count + 8; 361 memsize = sizeof(Node) + count + 8;
362 e = kmalloc(memsize, GFP_KERNEL_ACCOUN 362 e = kmalloc(memsize, GFP_KERNEL_ACCOUNT);
363 if (!e) 363 if (!e)
364 goto out; 364 goto out;
365 365
366 p = buf = (char *)e + sizeof(Node); 366 p = buf = (char *)e + sizeof(Node);
367 367
368 memset(e, 0, sizeof(Node)); 368 memset(e, 0, sizeof(Node));
369 if (copy_from_user(buf, buffer, count) 369 if (copy_from_user(buf, buffer, count))
370 goto efault; 370 goto efault;
371 371
372 del = *p++; /* delimeter */ 372 del = *p++; /* delimeter */
373 373
374 pr_debug("register: delim: %#x {%c}\n" 374 pr_debug("register: delim: %#x {%c}\n", del, del);
375 375
376 /* Pad the buffer with the delim to si 376 /* Pad the buffer with the delim to simplify parsing below. */
377 memset(buf + count, del, 8); 377 memset(buf + count, del, 8);
378 378
379 /* Parse the 'name' field. */ 379 /* Parse the 'name' field. */
380 e->name = p; 380 e->name = p;
381 p = strchr(p, del); 381 p = strchr(p, del);
382 if (!p) 382 if (!p)
383 goto einval; 383 goto einval;
384 *p++ = '\0'; 384 *p++ = '\0';
385 if (!e->name[0] || 385 if (!e->name[0] ||
386 !strcmp(e->name, ".") || 386 !strcmp(e->name, ".") ||
387 !strcmp(e->name, "..") || 387 !strcmp(e->name, "..") ||
388 strchr(e->name, '/')) 388 strchr(e->name, '/'))
389 goto einval; 389 goto einval;
390 390
391 pr_debug("register: name: {%s}\n", e-> 391 pr_debug("register: name: {%s}\n", e->name);
392 392
393 /* Parse the 'type' field. */ 393 /* Parse the 'type' field. */
394 switch (*p++) { 394 switch (*p++) {
395 case 'E': 395 case 'E':
396 pr_debug("register: type: E (e 396 pr_debug("register: type: E (extension)\n");
397 e->flags = 1 << Enabled; 397 e->flags = 1 << Enabled;
398 break; 398 break;
399 case 'M': 399 case 'M':
400 pr_debug("register: type: M (m 400 pr_debug("register: type: M (magic)\n");
401 e->flags = (1 << Enabled) | (1 401 e->flags = (1 << Enabled) | (1 << Magic);
402 break; 402 break;
403 default: 403 default:
404 goto einval; 404 goto einval;
405 } 405 }
406 if (*p++ != del) 406 if (*p++ != del)
407 goto einval; 407 goto einval;
408 408
409 if (test_bit(Magic, &e->flags)) { 409 if (test_bit(Magic, &e->flags)) {
410 /* Handle the 'M' (magic) form 410 /* Handle the 'M' (magic) format. */
411 char *s; 411 char *s;
412 412
413 /* Parse the 'offset' field. * 413 /* Parse the 'offset' field. */
414 s = strchr(p, del); 414 s = strchr(p, del);
415 if (!s) 415 if (!s)
416 goto einval; 416 goto einval;
417 *s = '\0'; 417 *s = '\0';
418 if (p != s) { 418 if (p != s) {
419 int r = kstrtoint(p, 1 419 int r = kstrtoint(p, 10, &e->offset);
420 if (r != 0 || e->offse 420 if (r != 0 || e->offset < 0)
421 goto einval; 421 goto einval;
422 } 422 }
423 p = s; 423 p = s;
424 if (*p++) 424 if (*p++)
425 goto einval; 425 goto einval;
426 pr_debug("register: offset: %# 426 pr_debug("register: offset: %#x\n", e->offset);
427 427
428 /* Parse the 'magic' field. */ 428 /* Parse the 'magic' field. */
429 e->magic = p; 429 e->magic = p;
430 p = scanarg(p, del); 430 p = scanarg(p, del);
431 if (!p) 431 if (!p)
432 goto einval; 432 goto einval;
433 if (!e->magic[0]) 433 if (!e->magic[0])
434 goto einval; 434 goto einval;
435 if (USE_DEBUG) 435 if (USE_DEBUG)
436 print_hex_dump_bytes( 436 print_hex_dump_bytes(
437 KBUILD_MODNAME 437 KBUILD_MODNAME ": register: magic[raw]: ",
438 DUMP_PREFIX_NO 438 DUMP_PREFIX_NONE, e->magic, p - e->magic);
439 439
440 /* Parse the 'mask' field. */ 440 /* Parse the 'mask' field. */
441 e->mask = p; 441 e->mask = p;
442 p = scanarg(p, del); 442 p = scanarg(p, del);
443 if (!p) 443 if (!p)
444 goto einval; 444 goto einval;
445 if (!e->mask[0]) { 445 if (!e->mask[0]) {
446 e->mask = NULL; 446 e->mask = NULL;
447 pr_debug("register: m 447 pr_debug("register: mask[raw]: none\n");
448 } else if (USE_DEBUG) 448 } else if (USE_DEBUG)
449 print_hex_dump_bytes( 449 print_hex_dump_bytes(
450 KBUILD_MODNAME 450 KBUILD_MODNAME ": register: mask[raw]: ",
451 DUMP_PREFIX_NO 451 DUMP_PREFIX_NONE, e->mask, p - e->mask);
452 452
453 /* 453 /*
454 * Decode the magic & mask fie 454 * Decode the magic & mask fields.
455 * Note: while we might have a 455 * Note: while we might have accepted embedded NUL bytes from
456 * above, the unescape helpers 456 * above, the unescape helpers here will stop at the first one
457 * it encounters. 457 * it encounters.
458 */ 458 */
459 e->size = string_unescape_inpl 459 e->size = string_unescape_inplace(e->magic, UNESCAPE_HEX);
460 if (e->mask && 460 if (e->mask &&
461 string_unescape_inplace(e- 461 string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
462 goto einval; 462 goto einval;
463 if (e->size > BINPRM_BUF_SIZE 463 if (e->size > BINPRM_BUF_SIZE ||
464 BINPRM_BUF_SIZE - e->size 464 BINPRM_BUF_SIZE - e->size < e->offset)
465 goto einval; 465 goto einval;
466 pr_debug("register: magic/mask 466 pr_debug("register: magic/mask length: %i\n", e->size);
467 if (USE_DEBUG) { 467 if (USE_DEBUG) {
468 print_hex_dump_bytes( 468 print_hex_dump_bytes(
469 KBUILD_MODNAME 469 KBUILD_MODNAME ": register: magic[decoded]: ",
470 DUMP_PREFIX_NO 470 DUMP_PREFIX_NONE, e->magic, e->size);
471 471
472 if (e->mask) { 472 if (e->mask) {
473 int i; 473 int i;
474 char *masked = 474 char *masked = kmalloc(e->size, GFP_KERNEL_ACCOUNT);
475 475
476 print_hex_dump 476 print_hex_dump_bytes(
477 KBUILD 477 KBUILD_MODNAME ": register: mask[decoded]: ",
478 DUMP_P 478 DUMP_PREFIX_NONE, e->mask, e->size);
479 479
480 if (masked) { 480 if (masked) {
481 for (i 481 for (i = 0; i < e->size; ++i)
482 482 masked[i] = e->magic[i] & e->mask[i];
483 print_ 483 print_hex_dump_bytes(
484 484 KBUILD_MODNAME ": register: magic[masked]: ",
485 485 DUMP_PREFIX_NONE, masked, e->size);
486 486
487 kfree( 487 kfree(masked);
488 } 488 }
489 } 489 }
490 } 490 }
491 } else { 491 } else {
492 /* Handle the 'E' (extension) 492 /* Handle the 'E' (extension) format. */
493 493
494 /* Skip the 'offset' field. */ 494 /* Skip the 'offset' field. */
495 p = strchr(p, del); 495 p = strchr(p, del);
496 if (!p) 496 if (!p)
497 goto einval; 497 goto einval;
498 *p++ = '\0'; 498 *p++ = '\0';
499 499
500 /* Parse the 'magic' field. */ 500 /* Parse the 'magic' field. */
501 e->magic = p; 501 e->magic = p;
502 p = strchr(p, del); 502 p = strchr(p, del);
503 if (!p) 503 if (!p)
504 goto einval; 504 goto einval;
505 *p++ = '\0'; 505 *p++ = '\0';
506 if (!e->magic[0] || strchr(e-> 506 if (!e->magic[0] || strchr(e->magic, '/'))
507 goto einval; 507 goto einval;
508 pr_debug("register: extension: 508 pr_debug("register: extension: {%s}\n", e->magic);
509 509
510 /* Skip the 'mask' field. */ 510 /* Skip the 'mask' field. */
511 p = strchr(p, del); 511 p = strchr(p, del);
512 if (!p) 512 if (!p)
513 goto einval; 513 goto einval;
514 *p++ = '\0'; 514 *p++ = '\0';
515 } 515 }
516 516
517 /* Parse the 'interpreter' field. */ 517 /* Parse the 'interpreter' field. */
518 e->interpreter = p; 518 e->interpreter = p;
519 p = strchr(p, del); 519 p = strchr(p, del);
520 if (!p) 520 if (!p)
521 goto einval; 521 goto einval;
522 *p++ = '\0'; 522 *p++ = '\0';
523 if (!e->interpreter[0]) 523 if (!e->interpreter[0])
524 goto einval; 524 goto einval;
525 pr_debug("register: interpreter: {%s}\ 525 pr_debug("register: interpreter: {%s}\n", e->interpreter);
526 526
527 /* Parse the 'flags' field. */ 527 /* Parse the 'flags' field. */
528 p = check_special_flags(p, e); 528 p = check_special_flags(p, e);
529 if (*p == '\n') 529 if (*p == '\n')
530 p++; 530 p++;
531 if (p != buf + count) 531 if (p != buf + count)
532 goto einval; 532 goto einval;
533 533
534 return e; 534 return e;
535 535
536 out: 536 out:
537 return ERR_PTR(err); 537 return ERR_PTR(err);
538 538
539 efault: 539 efault:
540 kfree(e); 540 kfree(e);
541 return ERR_PTR(-EFAULT); 541 return ERR_PTR(-EFAULT);
542 einval: 542 einval:
543 kfree(e); 543 kfree(e);
544 return ERR_PTR(-EINVAL); 544 return ERR_PTR(-EINVAL);
545 } 545 }
546 546
547 /* 547 /*
548 * Set status of entry/binfmt_misc: 548 * Set status of entry/binfmt_misc:
549 * '1' enables, '' disables and '-1' clears en 549 * '1' enables, '' disables and '-1' clears entry/binfmt_misc
550 */ 550 */
551 static int parse_command(const char __user *bu 551 static int parse_command(const char __user *buffer, size_t count)
552 { 552 {
553 char s[4]; 553 char s[4];
554 554
555 if (count > 3) 555 if (count > 3)
556 return -EINVAL; 556 return -EINVAL;
557 if (copy_from_user(s, buffer, count)) 557 if (copy_from_user(s, buffer, count))
558 return -EFAULT; 558 return -EFAULT;
559 if (!count) 559 if (!count)
560 return 0; 560 return 0;
561 if (s[count - 1] == '\n') 561 if (s[count - 1] == '\n')
562 count--; 562 count--;
563 if (count == 1 && s[0] == '') 563 if (count == 1 && s[0] == '')
564 return 1; 564 return 1;
565 if (count == 1 && s[0] == '1') 565 if (count == 1 && s[0] == '1')
566 return 2; 566 return 2;
567 if (count == 2 && s[0] == '-' && s[1] 567 if (count == 2 && s[0] == '-' && s[1] == '1')
568 return 3; 568 return 3;
569 return -EINVAL; 569 return -EINVAL;
570 } 570 }
571 571
572 /* generic stuff */ 572 /* generic stuff */
573 573
574 static void entry_status(Node *e, char *page) 574 static void entry_status(Node *e, char *page)
575 { 575 {
576 char *dp = page; 576 char *dp = page;
577 const char *status = "disabled"; 577 const char *status = "disabled";
578 578
579 if (test_bit(Enabled, &e->flags)) 579 if (test_bit(Enabled, &e->flags))
580 status = "enabled"; 580 status = "enabled";
581 581
582 if (!VERBOSE_STATUS) { 582 if (!VERBOSE_STATUS) {
583 sprintf(page, "%s\n", status); 583 sprintf(page, "%s\n", status);
584 return; 584 return;
585 } 585 }
586 586
587 dp += sprintf(dp, "%s\ninterpreter %s\ 587 dp += sprintf(dp, "%s\ninterpreter %s\n", status, e->interpreter);
588 588
589 /* print the special flags */ 589 /* print the special flags */
590 dp += sprintf(dp, "flags: "); 590 dp += sprintf(dp, "flags: ");
591 if (e->flags & MISC_FMT_PRESERVE_ARGV0 591 if (e->flags & MISC_FMT_PRESERVE_ARGV0)
592 *dp++ = 'P'; 592 *dp++ = 'P';
593 if (e->flags & MISC_FMT_OPEN_BINARY) 593 if (e->flags & MISC_FMT_OPEN_BINARY)
594 *dp++ = 'O'; 594 *dp++ = 'O';
595 if (e->flags & MISC_FMT_CREDENTIALS) 595 if (e->flags & MISC_FMT_CREDENTIALS)
596 *dp++ = 'C'; 596 *dp++ = 'C';
597 if (e->flags & MISC_FMT_OPEN_FILE) 597 if (e->flags & MISC_FMT_OPEN_FILE)
598 *dp++ = 'F'; 598 *dp++ = 'F';
599 *dp++ = '\n'; 599 *dp++ = '\n';
600 600
601 if (!test_bit(Magic, &e->flags)) { 601 if (!test_bit(Magic, &e->flags)) {
602 sprintf(dp, "extension .%s\n", 602 sprintf(dp, "extension .%s\n", e->magic);
603 } else { 603 } else {
604 dp += sprintf(dp, "offset %i\n 604 dp += sprintf(dp, "offset %i\nmagic ", e->offset);
605 dp = bin2hex(dp, e->magic, e-> 605 dp = bin2hex(dp, e->magic, e->size);
606 if (e->mask) { 606 if (e->mask) {
607 dp += sprintf(dp, "\nm 607 dp += sprintf(dp, "\nmask ");
608 dp = bin2hex(dp, e->ma 608 dp = bin2hex(dp, e->mask, e->size);
609 } 609 }
610 *dp++ = '\n'; 610 *dp++ = '\n';
611 *dp = '\0'; 611 *dp = '\0';
612 } 612 }
613 } 613 }
614 614
615 static struct inode *bm_get_inode(struct super 615 static struct inode *bm_get_inode(struct super_block *sb, int mode)
616 { 616 {
617 struct inode *inode = new_inode(sb); 617 struct inode *inode = new_inode(sb);
618 618
619 if (inode) { 619 if (inode) {
620 inode->i_ino = get_next_ino(); 620 inode->i_ino = get_next_ino();
621 inode->i_mode = mode; 621 inode->i_mode = mode;
622 simple_inode_init_ts(inode); 622 simple_inode_init_ts(inode);
623 } 623 }
624 return inode; 624 return inode;
625 } 625 }
626 626
627 /** 627 /**
628 * i_binfmt_misc - retrieve struct binfmt_misc 628 * i_binfmt_misc - retrieve struct binfmt_misc from a binfmt_misc inode
629 * @inode: inode of the relevant binfmt_misc i 629 * @inode: inode of the relevant binfmt_misc instance
630 * 630 *
631 * This helper retrieves struct binfmt_misc fr 631 * This helper retrieves struct binfmt_misc from a binfmt_misc inode. This can
632 * be done without any memory barriers because 632 * be done without any memory barriers because we are guaranteed that
633 * user_ns->binfmt_misc is fully initialized. 633 * user_ns->binfmt_misc is fully initialized. It was fully initialized when the
634 * binfmt_misc mount was first created. 634 * binfmt_misc mount was first created.
635 * 635 *
636 * Return: struct binfmt_misc of the relevant 636 * Return: struct binfmt_misc of the relevant binfmt_misc instance
637 */ 637 */
638 static struct binfmt_misc *i_binfmt_misc(struc 638 static struct binfmt_misc *i_binfmt_misc(struct inode *inode)
639 { 639 {
640 return inode->i_sb->s_user_ns->binfmt_ 640 return inode->i_sb->s_user_ns->binfmt_misc;
641 } 641 }
642 642
643 /** 643 /**
644 * bm_evict_inode - cleanup data associated wi 644 * bm_evict_inode - cleanup data associated with @inode
645 * @inode: inode to which the data is attached 645 * @inode: inode to which the data is attached
646 * 646 *
647 * Cleanup the binary type handler data associ 647 * Cleanup the binary type handler data associated with @inode if a binary type
648 * entry is removed or the filesystem is unmou 648 * entry is removed or the filesystem is unmounted and the super block is
649 * shutdown. 649 * shutdown.
650 * 650 *
651 * If the ->evict call was not caused by a sup 651 * If the ->evict call was not caused by a super block shutdown but by a write
652 * to remove the entry or all entries via bm_{ 652 * to remove the entry or all entries via bm_{entry,status}_write() the entry
653 * will have already been removed from the lis 653 * will have already been removed from the list. We keep the list_empty() check
654 * to make that explicit. 654 * to make that explicit.
655 */ 655 */
656 static void bm_evict_inode(struct inode *inode 656 static void bm_evict_inode(struct inode *inode)
657 { 657 {
658 Node *e = inode->i_private; 658 Node *e = inode->i_private;
659 659
660 clear_inode(inode); 660 clear_inode(inode);
661 661
662 if (e) { 662 if (e) {
663 struct binfmt_misc *misc; 663 struct binfmt_misc *misc;
664 664
665 misc = i_binfmt_misc(inode); 665 misc = i_binfmt_misc(inode);
666 write_lock(&misc->entries_lock 666 write_lock(&misc->entries_lock);
667 if (!list_empty(&e->list)) 667 if (!list_empty(&e->list))
668 list_del_init(&e->list 668 list_del_init(&e->list);
669 write_unlock(&misc->entries_lo 669 write_unlock(&misc->entries_lock);
670 put_binfmt_handler(e); 670 put_binfmt_handler(e);
671 } 671 }
672 } 672 }
673 673
674 /** 674 /**
675 * unlink_binfmt_dentry - remove the dentry fo 675 * unlink_binfmt_dentry - remove the dentry for the binary type handler
676 * @dentry: dentry associated with the binary 676 * @dentry: dentry associated with the binary type handler
677 * 677 *
678 * Do the actual filesystem work to remove a d 678 * Do the actual filesystem work to remove a dentry for a registered binary
679 * type handler. Since binfmt_misc only allows 679 * type handler. Since binfmt_misc only allows simple files to be created
680 * directly under the root dentry of the files 680 * directly under the root dentry of the filesystem we ensure that we are
681 * indeed passed a dentry directly beneath the 681 * indeed passed a dentry directly beneath the root dentry, that the inode
682 * associated with the root dentry is locked, 682 * associated with the root dentry is locked, and that it is a regular file we
683 * are asked to remove. 683 * are asked to remove.
684 */ 684 */
685 static void unlink_binfmt_dentry(struct dentry 685 static void unlink_binfmt_dentry(struct dentry *dentry)
686 { 686 {
687 struct dentry *parent = dentry->d_pare 687 struct dentry *parent = dentry->d_parent;
688 struct inode *inode, *parent_inode; 688 struct inode *inode, *parent_inode;
689 689
690 /* All entries are immediate descendan 690 /* All entries are immediate descendants of the root dentry. */
691 if (WARN_ON_ONCE(dentry->d_sb->s_root 691 if (WARN_ON_ONCE(dentry->d_sb->s_root != parent))
692 return; 692 return;
693 693
694 /* We only expect to be called on regu 694 /* We only expect to be called on regular files. */
695 inode = d_inode(dentry); 695 inode = d_inode(dentry);
696 if (WARN_ON_ONCE(!S_ISREG(inode->i_mod 696 if (WARN_ON_ONCE(!S_ISREG(inode->i_mode)))
697 return; 697 return;
698 698
699 /* The parent inode must be locked. */ 699 /* The parent inode must be locked. */
700 parent_inode = d_inode(parent); 700 parent_inode = d_inode(parent);
701 if (WARN_ON_ONCE(!inode_is_locked(pare 701 if (WARN_ON_ONCE(!inode_is_locked(parent_inode)))
702 return; 702 return;
703 703
704 if (simple_positive(dentry)) { 704 if (simple_positive(dentry)) {
705 dget(dentry); 705 dget(dentry);
706 simple_unlink(parent_inode, de 706 simple_unlink(parent_inode, dentry);
707 d_delete(dentry); 707 d_delete(dentry);
708 dput(dentry); 708 dput(dentry);
709 } 709 }
710 } 710 }
711 711
712 /** 712 /**
713 * remove_binfmt_handler - remove a binary typ 713 * remove_binfmt_handler - remove a binary type handler
714 * @misc: handle to binfmt_misc instance 714 * @misc: handle to binfmt_misc instance
715 * @e: binary type handler to remove 715 * @e: binary type handler to remove
716 * 716 *
717 * Remove a binary type handler from the list 717 * Remove a binary type handler from the list of binary type handlers and
718 * remove its associated dentry. This is calle 718 * remove its associated dentry. This is called from
719 * binfmt_{entry,status}_write(). In the futur 719 * binfmt_{entry,status}_write(). In the future, we might want to think about
720 * adding a proper ->unlink() method to binfmt 720 * adding a proper ->unlink() method to binfmt_misc instead of forcing caller's
721 * to use writes to files in order to delete b 721 * to use writes to files in order to delete binary type handlers. But it has
722 * worked for so long that it's not a pressing 722 * worked for so long that it's not a pressing issue.
723 */ 723 */
724 static void remove_binfmt_handler(struct binfm 724 static void remove_binfmt_handler(struct binfmt_misc *misc, Node *e)
725 { 725 {
726 write_lock(&misc->entries_lock); 726 write_lock(&misc->entries_lock);
727 list_del_init(&e->list); 727 list_del_init(&e->list);
728 write_unlock(&misc->entries_lock); 728 write_unlock(&misc->entries_lock);
729 unlink_binfmt_dentry(e->dentry); 729 unlink_binfmt_dentry(e->dentry);
730 } 730 }
731 731
732 /* /<entry> */ 732 /* /<entry> */
733 733
734 static ssize_t 734 static ssize_t
735 bm_entry_read(struct file *file, char __user * 735 bm_entry_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
736 { 736 {
737 Node *e = file_inode(file)->i_private; 737 Node *e = file_inode(file)->i_private;
738 ssize_t res; 738 ssize_t res;
739 char *page; 739 char *page;
740 740
741 page = (char *) __get_free_page(GFP_KE 741 page = (char *) __get_free_page(GFP_KERNEL);
742 if (!page) 742 if (!page)
743 return -ENOMEM; 743 return -ENOMEM;
744 744
745 entry_status(e, page); 745 entry_status(e, page);
746 746
747 res = simple_read_from_buffer(buf, nby 747 res = simple_read_from_buffer(buf, nbytes, ppos, page, strlen(page));
748 748
749 free_page((unsigned long) page); 749 free_page((unsigned long) page);
750 return res; 750 return res;
751 } 751 }
752 752
753 static ssize_t bm_entry_write(struct file *fil 753 static ssize_t bm_entry_write(struct file *file, const char __user *buffer,
754 size_t count, 754 size_t count, loff_t *ppos)
755 { 755 {
756 struct inode *inode = file_inode(file) 756 struct inode *inode = file_inode(file);
757 Node *e = inode->i_private; 757 Node *e = inode->i_private;
758 int res = parse_command(buffer, count) 758 int res = parse_command(buffer, count);
759 759
760 switch (res) { 760 switch (res) {
761 case 1: 761 case 1:
762 /* Disable this handler. */ 762 /* Disable this handler. */
763 clear_bit(Enabled, &e->flags); 763 clear_bit(Enabled, &e->flags);
764 break; 764 break;
765 case 2: 765 case 2:
766 /* Enable this handler. */ 766 /* Enable this handler. */
767 set_bit(Enabled, &e->flags); 767 set_bit(Enabled, &e->flags);
768 break; 768 break;
769 case 3: 769 case 3:
770 /* Delete this handler. */ 770 /* Delete this handler. */
771 inode = d_inode(inode->i_sb->s 771 inode = d_inode(inode->i_sb->s_root);
772 inode_lock(inode); 772 inode_lock(inode);
773 773
774 /* 774 /*
775 * In order to add new element 775 * In order to add new element or remove elements from the list
776 * via bm_{entry,register,stat 776 * via bm_{entry,register,status}_write() inode_lock() on the
777 * root inode must be held. 777 * root inode must be held.
778 * The lock is exclusive ensur 778 * The lock is exclusive ensuring that the list can't be
779 * modified. Only load_misc_bi 779 * modified. Only load_misc_binary() can access but does so
780 * read-only. So we only need 780 * read-only. So we only need to take the write lock when we
781 * actually remove the entry f 781 * actually remove the entry from the list.
782 */ 782 */
783 if (!list_empty(&e->list)) 783 if (!list_empty(&e->list))
784 remove_binfmt_handler( 784 remove_binfmt_handler(i_binfmt_misc(inode), e);
785 785
786 inode_unlock(inode); 786 inode_unlock(inode);
787 break; 787 break;
788 default: 788 default:
789 return res; 789 return res;
790 } 790 }
791 791
792 return count; 792 return count;
793 } 793 }
794 794
795 static const struct file_operations bm_entry_o 795 static const struct file_operations bm_entry_operations = {
796 .read = bm_entry_read, 796 .read = bm_entry_read,
797 .write = bm_entry_write, 797 .write = bm_entry_write,
798 .llseek = default_llseek, 798 .llseek = default_llseek,
799 }; 799 };
800 800
801 /* /register */ 801 /* /register */
802 802
803 static ssize_t bm_register_write(struct file * 803 static ssize_t bm_register_write(struct file *file, const char __user *buffer,
804 size_t count, l 804 size_t count, loff_t *ppos)
805 { 805 {
806 Node *e; 806 Node *e;
807 struct inode *inode; 807 struct inode *inode;
808 struct super_block *sb = file_inode(fi 808 struct super_block *sb = file_inode(file)->i_sb;
809 struct dentry *root = sb->s_root, *den 809 struct dentry *root = sb->s_root, *dentry;
810 struct binfmt_misc *misc; 810 struct binfmt_misc *misc;
811 int err = 0; 811 int err = 0;
812 struct file *f = NULL; 812 struct file *f = NULL;
813 813
814 e = create_entry(buffer, count); 814 e = create_entry(buffer, count);
815 815
816 if (IS_ERR(e)) 816 if (IS_ERR(e))
817 return PTR_ERR(e); 817 return PTR_ERR(e);
818 818
819 if (e->flags & MISC_FMT_OPEN_FILE) { 819 if (e->flags & MISC_FMT_OPEN_FILE) {
820 const struct cred *old_cred; 820 const struct cred *old_cred;
821 821
822 /* 822 /*
823 * Now that we support unprivi 823 * Now that we support unprivileged binfmt_misc mounts make
824 * sure we use the credentials 824 * sure we use the credentials that the register @file was
825 * opened with to also open th 825 * opened with to also open the interpreter. Before that this
826 * didn't matter much as only 826 * didn't matter much as only a privileged process could open
827 * the register file. 827 * the register file.
828 */ 828 */
829 old_cred = override_creds(file 829 old_cred = override_creds(file->f_cred);
830 f = open_exec(e->interpreter); 830 f = open_exec(e->interpreter);
831 revert_creds(old_cred); 831 revert_creds(old_cred);
832 if (IS_ERR(f)) { 832 if (IS_ERR(f)) {
833 pr_notice("register: f 833 pr_notice("register: failed to install interpreter file %s\n",
834 e->interprete 834 e->interpreter);
835 kfree(e); 835 kfree(e);
836 return PTR_ERR(f); 836 return PTR_ERR(f);
837 } 837 }
838 e->interp_file = f; 838 e->interp_file = f;
839 } 839 }
840 840
841 inode_lock(d_inode(root)); 841 inode_lock(d_inode(root));
842 dentry = lookup_one_len(e->name, root, 842 dentry = lookup_one_len(e->name, root, strlen(e->name));
843 err = PTR_ERR(dentry); 843 err = PTR_ERR(dentry);
844 if (IS_ERR(dentry)) 844 if (IS_ERR(dentry))
845 goto out; 845 goto out;
846 846
847 err = -EEXIST; 847 err = -EEXIST;
848 if (d_really_is_positive(dentry)) 848 if (d_really_is_positive(dentry))
849 goto out2; 849 goto out2;
850 850
851 inode = bm_get_inode(sb, S_IFREG | 064 851 inode = bm_get_inode(sb, S_IFREG | 0644);
852 852
853 err = -ENOMEM; 853 err = -ENOMEM;
854 if (!inode) 854 if (!inode)
855 goto out2; 855 goto out2;
856 856
857 refcount_set(&e->users, 1); 857 refcount_set(&e->users, 1);
858 e->dentry = dget(dentry); 858 e->dentry = dget(dentry);
859 inode->i_private = e; 859 inode->i_private = e;
860 inode->i_fop = &bm_entry_operations; 860 inode->i_fop = &bm_entry_operations;
861 861
862 d_instantiate(dentry, inode); 862 d_instantiate(dentry, inode);
863 misc = i_binfmt_misc(inode); 863 misc = i_binfmt_misc(inode);
864 write_lock(&misc->entries_lock); 864 write_lock(&misc->entries_lock);
865 list_add(&e->list, &misc->entries); 865 list_add(&e->list, &misc->entries);
866 write_unlock(&misc->entries_lock); 866 write_unlock(&misc->entries_lock);
867 867
868 err = 0; 868 err = 0;
869 out2: 869 out2:
870 dput(dentry); 870 dput(dentry);
871 out: 871 out:
872 inode_unlock(d_inode(root)); 872 inode_unlock(d_inode(root));
873 873
874 if (err) { 874 if (err) {
875 if (f) 875 if (f)
876 filp_close(f, NULL); 876 filp_close(f, NULL);
877 kfree(e); 877 kfree(e);
878 return err; 878 return err;
879 } 879 }
880 return count; 880 return count;
881 } 881 }
882 882
883 static const struct file_operations bm_registe 883 static const struct file_operations bm_register_operations = {
884 .write = bm_register_write, 884 .write = bm_register_write,
885 .llseek = noop_llseek, 885 .llseek = noop_llseek,
886 }; 886 };
887 887
888 /* /status */ 888 /* /status */
889 889
890 static ssize_t 890 static ssize_t
891 bm_status_read(struct file *file, char __user 891 bm_status_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
892 { 892 {
893 struct binfmt_misc *misc; 893 struct binfmt_misc *misc;
894 char *s; 894 char *s;
895 895
896 misc = i_binfmt_misc(file_inode(file)) 896 misc = i_binfmt_misc(file_inode(file));
897 s = misc->enabled ? "enabled\n" : "dis 897 s = misc->enabled ? "enabled\n" : "disabled\n";
898 return simple_read_from_buffer(buf, nb 898 return simple_read_from_buffer(buf, nbytes, ppos, s, strlen(s));
899 } 899 }
900 900
901 static ssize_t bm_status_write(struct file *fi 901 static ssize_t bm_status_write(struct file *file, const char __user *buffer,
902 size_t count, loff_t *ppos) 902 size_t count, loff_t *ppos)
903 { 903 {
904 struct binfmt_misc *misc; 904 struct binfmt_misc *misc;
905 int res = parse_command(buffer, count) 905 int res = parse_command(buffer, count);
906 Node *e, *next; 906 Node *e, *next;
907 struct inode *inode; 907 struct inode *inode;
908 908
909 misc = i_binfmt_misc(file_inode(file)) 909 misc = i_binfmt_misc(file_inode(file));
910 switch (res) { 910 switch (res) {
911 case 1: 911 case 1:
912 /* Disable all handlers. */ 912 /* Disable all handlers. */
913 misc->enabled = false; 913 misc->enabled = false;
914 break; 914 break;
915 case 2: 915 case 2:
916 /* Enable all handlers. */ 916 /* Enable all handlers. */
917 misc->enabled = true; 917 misc->enabled = true;
918 break; 918 break;
919 case 3: 919 case 3:
920 /* Delete all handlers. */ 920 /* Delete all handlers. */
921 inode = d_inode(file_inode(fil 921 inode = d_inode(file_inode(file)->i_sb->s_root);
922 inode_lock(inode); 922 inode_lock(inode);
923 923
924 /* 924 /*
925 * In order to add new element 925 * In order to add new element or remove elements from the list
926 * via bm_{entry,register,stat 926 * via bm_{entry,register,status}_write() inode_lock() on the
927 * root inode must be held. 927 * root inode must be held.
928 * The lock is exclusive ensur 928 * The lock is exclusive ensuring that the list can't be
929 * modified. Only load_misc_bi 929 * modified. Only load_misc_binary() can access but does so
930 * read-only. So we only need 930 * read-only. So we only need to take the write lock when we
931 * actually remove the entry f 931 * actually remove the entry from the list.
932 */ 932 */
933 list_for_each_entry_safe(e, ne 933 list_for_each_entry_safe(e, next, &misc->entries, list)
934 remove_binfmt_handler( 934 remove_binfmt_handler(misc, e);
935 935
936 inode_unlock(inode); 936 inode_unlock(inode);
937 break; 937 break;
938 default: 938 default:
939 return res; 939 return res;
940 } 940 }
941 941
942 return count; 942 return count;
943 } 943 }
944 944
945 static const struct file_operations bm_status_ 945 static const struct file_operations bm_status_operations = {
946 .read = bm_status_read, 946 .read = bm_status_read,
947 .write = bm_status_write, 947 .write = bm_status_write,
948 .llseek = default_llseek, 948 .llseek = default_llseek,
949 }; 949 };
950 950
951 /* Superblock handling */ 951 /* Superblock handling */
952 952
953 static void bm_put_super(struct super_block *s 953 static void bm_put_super(struct super_block *sb)
954 { 954 {
955 struct user_namespace *user_ns = sb->s 955 struct user_namespace *user_ns = sb->s_fs_info;
956 956
957 sb->s_fs_info = NULL; 957 sb->s_fs_info = NULL;
958 put_user_ns(user_ns); 958 put_user_ns(user_ns);
959 } 959 }
960 960
961 static const struct super_operations s_ops = { 961 static const struct super_operations s_ops = {
962 .statfs = simple_statfs, 962 .statfs = simple_statfs,
963 .evict_inode = bm_evict_inode, 963 .evict_inode = bm_evict_inode,
964 .put_super = bm_put_super, 964 .put_super = bm_put_super,
965 }; 965 };
966 966
967 static int bm_fill_super(struct super_block *s 967 static int bm_fill_super(struct super_block *sb, struct fs_context *fc)
968 { 968 {
969 int err; 969 int err;
970 struct user_namespace *user_ns = sb->s 970 struct user_namespace *user_ns = sb->s_user_ns;
971 struct binfmt_misc *misc; 971 struct binfmt_misc *misc;
972 static const struct tree_descr bm_file 972 static const struct tree_descr bm_files[] = {
973 [2] = {"status", &bm_status_op 973 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
974 [3] = {"register", &bm_registe 974 [3] = {"register", &bm_register_operations, S_IWUSR},
975 /* last one */ {""} 975 /* last one */ {""}
976 }; 976 };
977 977
978 if (WARN_ON(user_ns != current_user_ns 978 if (WARN_ON(user_ns != current_user_ns()))
979 return -EINVAL; 979 return -EINVAL;
980 980
981 /* 981 /*
982 * Lazily allocate a new binfmt_misc i 982 * Lazily allocate a new binfmt_misc instance for this namespace, i.e.
983 * do it here during the first mount o 983 * do it here during the first mount of binfmt_misc. We don't need to
984 * waste memory for every user namespa 984 * waste memory for every user namespace allocation. It's likely much
985 * more common to not mount a separate 985 * more common to not mount a separate binfmt_misc instance than it is
986 * to mount one. 986 * to mount one.
987 * 987 *
988 * While multiple superblocks can exis 988 * While multiple superblocks can exist they are keyed by userns in
989 * s_fs_info for binfmt_misc. Hence, t 989 * s_fs_info for binfmt_misc. Hence, the vfs guarantees that
990 * bm_fill_super() is called exactly o 990 * bm_fill_super() is called exactly once whenever a binfmt_misc
991 * superblock for a userns is created. 991 * superblock for a userns is created. This in turn lets us conclude
992 * that when a binfmt_misc superblock 992 * that when a binfmt_misc superblock is created for the first time for
993 * a userns there's no one racing us. 993 * a userns there's no one racing us. Therefore we don't need any
994 * barriers when we dereference binfmt 994 * barriers when we dereference binfmt_misc.
995 */ 995 */
996 misc = user_ns->binfmt_misc; 996 misc = user_ns->binfmt_misc;
997 if (!misc) { 997 if (!misc) {
998 /* 998 /*
999 * If it turns out that most u 999 * If it turns out that most user namespaces actually want to
1000 * register their own binary 1000 * register their own binary type handler and therefore all
1001 * create their own separate 1001 * create their own separate binfm_misc mounts we should
1002 * consider turning this into 1002 * consider turning this into a kmem cache.
1003 */ 1003 */
1004 misc = kzalloc(sizeof(struct 1004 misc = kzalloc(sizeof(struct binfmt_misc), GFP_KERNEL);
1005 if (!misc) 1005 if (!misc)
1006 return -ENOMEM; 1006 return -ENOMEM;
1007 1007
1008 INIT_LIST_HEAD(&misc->entries 1008 INIT_LIST_HEAD(&misc->entries);
1009 rwlock_init(&misc->entries_lo 1009 rwlock_init(&misc->entries_lock);
1010 1010
1011 /* Pairs with smp_load_acquir 1011 /* Pairs with smp_load_acquire() in load_binfmt_misc(). */
1012 smp_store_release(&user_ns->b 1012 smp_store_release(&user_ns->binfmt_misc, misc);
1013 } 1013 }
1014 1014
1015 /* 1015 /*
1016 * When the binfmt_misc superblock fo 1016 * When the binfmt_misc superblock for this userns is shutdown
1017 * ->enabled might have been set to f 1017 * ->enabled might have been set to false and we don't reinitialize
1018 * ->enabled again in put_super() as 1018 * ->enabled again in put_super() as someone might already be mounting
1019 * binfmt_misc again. It also would b 1019 * binfmt_misc again. It also would be pointless since by the time
1020 * ->put_super() is called we know th 1020 * ->put_super() is called we know that the binary type list for this
1021 * bintfmt_misc mount is empty making 1021 * bintfmt_misc mount is empty making load_misc_binary() return
1022 * -ENOEXEC independent of whether -> 1022 * -ENOEXEC independent of whether ->enabled is true. Instead, if
1023 * someone mounts binfmt_misc for the 1023 * someone mounts binfmt_misc for the first time or again we simply
1024 * reset ->enabled to true. 1024 * reset ->enabled to true.
1025 */ 1025 */
1026 misc->enabled = true; 1026 misc->enabled = true;
1027 1027
1028 err = simple_fill_super(sb, BINFMTFS_ 1028 err = simple_fill_super(sb, BINFMTFS_MAGIC, bm_files);
1029 if (!err) 1029 if (!err)
1030 sb->s_op = &s_ops; 1030 sb->s_op = &s_ops;
1031 return err; 1031 return err;
1032 } 1032 }
1033 1033
1034 static void bm_free(struct fs_context *fc) 1034 static void bm_free(struct fs_context *fc)
1035 { 1035 {
1036 if (fc->s_fs_info) 1036 if (fc->s_fs_info)
1037 put_user_ns(fc->s_fs_info); 1037 put_user_ns(fc->s_fs_info);
1038 } 1038 }
1039 1039
1040 static int bm_get_tree(struct fs_context *fc) 1040 static int bm_get_tree(struct fs_context *fc)
1041 { 1041 {
1042 return get_tree_keyed(fc, bm_fill_sup 1042 return get_tree_keyed(fc, bm_fill_super, get_user_ns(fc->user_ns));
1043 } 1043 }
1044 1044
1045 static const struct fs_context_operations bm_ 1045 static const struct fs_context_operations bm_context_ops = {
1046 .free = bm_free, 1046 .free = bm_free,
1047 .get_tree = bm_get_tree, 1047 .get_tree = bm_get_tree,
1048 }; 1048 };
1049 1049
1050 static int bm_init_fs_context(struct fs_conte 1050 static int bm_init_fs_context(struct fs_context *fc)
1051 { 1051 {
1052 fc->ops = &bm_context_ops; 1052 fc->ops = &bm_context_ops;
1053 return 0; 1053 return 0;
1054 } 1054 }
1055 1055
1056 static struct linux_binfmt misc_format = { 1056 static struct linux_binfmt misc_format = {
1057 .module = THIS_MODULE, 1057 .module = THIS_MODULE,
1058 .load_binary = load_misc_binary, 1058 .load_binary = load_misc_binary,
1059 }; 1059 };
1060 1060
1061 static struct file_system_type bm_fs_type = { 1061 static struct file_system_type bm_fs_type = {
1062 .owner = THIS_MODULE, 1062 .owner = THIS_MODULE,
1063 .name = "binfmt_misc", 1063 .name = "binfmt_misc",
1064 .init_fs_context = bm_init_fs_context 1064 .init_fs_context = bm_init_fs_context,
1065 .fs_flags = FS_USERNS_MOUNT, 1065 .fs_flags = FS_USERNS_MOUNT,
1066 .kill_sb = kill_litter_super, 1066 .kill_sb = kill_litter_super,
1067 }; 1067 };
1068 MODULE_ALIAS_FS("binfmt_misc"); 1068 MODULE_ALIAS_FS("binfmt_misc");
1069 1069
1070 static int __init init_misc_binfmt(void) 1070 static int __init init_misc_binfmt(void)
1071 { 1071 {
1072 int err = register_filesystem(&bm_fs_ 1072 int err = register_filesystem(&bm_fs_type);
1073 if (!err) 1073 if (!err)
1074 insert_binfmt(&misc_format); 1074 insert_binfmt(&misc_format);
1075 return err; 1075 return err;
1076 } 1076 }
1077 1077
1078 static void __exit exit_misc_binfmt(void) 1078 static void __exit exit_misc_binfmt(void)
1079 { 1079 {
1080 unregister_binfmt(&misc_format); 1080 unregister_binfmt(&misc_format);
1081 unregister_filesystem(&bm_fs_type); 1081 unregister_filesystem(&bm_fs_type);
1082 } 1082 }
1083 1083
1084 core_initcall(init_misc_binfmt); 1084 core_initcall(init_misc_binfmt);
1085 module_exit(exit_misc_binfmt); 1085 module_exit(exit_misc_binfmt);
1086 MODULE_DESCRIPTION("Kernel support for miscel 1086 MODULE_DESCRIPTION("Kernel support for miscellaneous binaries");
1087 MODULE_LICENSE("GPL"); 1087 MODULE_LICENSE("GPL");
1088 1088
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.