LXR linux/fs/coredump.c

   1// SPDX-License-Identifier: GPL-2.0
   2#include <linux/slab.h>
   3#include <linux/file.h>
   4#include <linux/fdtable.h>
   5#include <linux/freezer.h>
   6#include <linux/mm.h>
   7#include <linux/stat.h>
   8#include <linux/fcntl.h>
   9#include <linux/swap.h>
  10#include <linux/ctype.h>
  11#include <linux/string.h>
  12#include <linux/init.h>
  13#include <linux/pagemap.h>
  14#include <linux/perf_event.h>
  15#include <linux/highmem.h>
  16#include <linux/spinlock.h>
  17#include <linux/key.h>
  18#include <linux/personality.h>
  19#include <linux/binfmts.h>
  20#include <linux/coredump.h>
  21#include <linux/sched/coredump.h>
  22#include <linux/sched/signal.h>
  23#include <linux/sched/task_stack.h>
  24#include <linux/utsname.h>
  25#include <linux/pid_namespace.h>
  26#include <linux/module.h>
  27#include <linux/namei.h>
  28#include <linux/mount.h>
  29#include <linux/security.h>
  30#include <linux/syscalls.h>
  31#include <linux/tsacct_kern.h>
  32#include <linux/cn_proc.h>
  33#include <linux/audit.h>
  34#include <linux/tracehook.h>
  35#include <linux/kmod.h>
  36#include <linux/fsnotify.h>
  37#include <linux/fs_struct.h>
  38#include <linux/pipe_fs_i.h>
  39#include <linux/oom.h>
  40#include <linux/compat.h>
  41#include <linux/fs.h>
  42#include <linux/path.h>
  43#include <linux/timekeeping.h>
  44
  45#include <linux/uaccess.h>
  46#include <asm/mmu_context.h>
  47#include <asm/tlb.h>
  48#include <asm/exec.h>
  49
  50#include <trace/events/task.h>
  51#include "internal.h"
  52
  53#include <trace/events/sched.h>
  54
  55int core_uses_pid;
  56unsigned int core_pipe_limit;
  57char core_pattern[CORENAME_MAX_SIZE] = "core";
  58static int core_name_size = CORENAME_MAX_SIZE;
  59
  60struct core_name {
  61        char *corename;
  62        int used, size;
  63};
  64
  65/* The maximal length of core_pattern is also specified in sysctl.c */
  66
  67static int expand_corename(struct core_name *cn, int size)
  68{
  69        char *corename = krealloc(cn->corename, size, GFP_KERNEL);
  70
  71        if (!corename)
  72                return -ENOMEM;
  73
  74        if (size > core_name_size) /* racy but harmless */
  75                core_name_size = size;
  76
  77        cn->size = ksize(corename);
  78        cn->corename = corename;
  79        return 0;
  80}
  81
  82static __printf(2, 0) int cn_vprintf(struct core_name *cn, const char *fmt,
  83                                     va_list arg)
  84{
  85        int free, need;
  86        va_list arg_copy;
  87
  88again:
  89        free = cn->size - cn->used;
  90
  91        va_copy(arg_copy, arg);
  92        need = vsnprintf(cn->corename + cn->used, free, fmt, arg_copy);
  93        va_end(arg_copy);
  94
  95        if (need < free) {
  96                cn->used += need;
  97                return 0;
  98        }
  99
 100        if (!expand_corename(cn, cn->size + need - free + 1))
 101                goto again;
 102
 103        return -ENOMEM;
 104}
 105
 106static __printf(2, 3) int cn_printf(struct core_name *cn, const char *fmt, ...)
 107{
 108        va_list arg;
 109        int ret;
 110
 111        va_start(arg, fmt);
 112        ret = cn_vprintf(cn, fmt, arg);
 113        va_end(arg);
 114
 115        return ret;
 116}
 117
 118static __printf(2, 3)
 119int cn_esc_printf(struct core_name *cn, const char *fmt, ...)
 120{
 121        int cur = cn->used;
 122        va_list arg;
 123        int ret;
 124
 125        va_start(arg, fmt);
 126        ret = cn_vprintf(cn, fmt, arg);
 127        va_end(arg);
 128
 129        if (ret == 0) {
 130                /*
 131                 * Ensure that this coredump name component can't cause the
 132                 * resulting corefile path to consist of a ".." or ".".
 133                 */
 134                if ((cn->used - cur == 1 && cn->corename[cur] == '.') ||
 135                                (cn->used - cur == 2 && cn->corename[cur] == '.'
 136                                && cn->corename[cur+1] == '.'))
 137                        cn->corename[cur] = '!';
 138
 139                /*
 140                 * Empty names are fishy and could be used to create a "//" in a
 141                 * corefile name, causing the coredump to happen one directory
 142                 * level too high. Enforce that all components of the core
 143                 * pattern are at least one character long.
 144                 */
 145                if (cn->used == cur)
 146                        ret = cn_printf(cn, "!");
 147        }
 148
 149        for (; cur < cn->used; ++cur) {
 150                if (cn->corename[cur] == '/')
 151                        cn->corename[cur] = '!';
 152        }
 153        return ret;
 154}
 155
 156static int cn_print_exe_file(struct core_name *cn)
 157{
 158        struct file *exe_file;
 159        char *pathbuf, *path;
 160        int ret;
 161
 162        exe_file = get_mm_exe_file(current->mm);
 163        if (!exe_file)
 164                return cn_esc_printf(cn, "%s (path unknown)", current->comm);
 165
 166        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
 167        if (!pathbuf) {
 168                ret = -ENOMEM;
 169                goto put_exe_file;
 170        }
 171
 172        path = file_path(exe_file, pathbuf, PATH_MAX);
 173        if (IS_ERR(path)) {
 174                ret = PTR_ERR(path);
 175                goto free_buf;
 176        }
 177
 178        ret = cn_esc_printf(cn, "%s", path);
 179
 180free_buf:
 181        kfree(pathbuf);
 182put_exe_file:
 183        fput(exe_file);
 184        return ret;
 185}
 186
 187/* format_corename will inspect the pattern parameter, and output a
 188 * name into corename, which must have space for at least
 189 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
 190 */
 191static int format_corename(struct core_name *cn, struct coredump_params *cprm,
 192                           size_t **argv, int *argc)
 193{
 194        const struct cred *cred = current_cred();
 195        const char *pat_ptr = core_pattern;
 196        int ispipe = (*pat_ptr == '|');
 197        bool was_space = false;
 198        int pid_in_pattern = 0;
 199        int err = 0;
 200
 201        cn->used = 0;
 202        cn->corename = NULL;
 203        if (expand_corename(cn, core_name_size))
 204                return -ENOMEM;
 205        cn->corename[0] = '\0';
 206
 207        if (ispipe) {
 208                int argvs = sizeof(core_pattern) / 2;
 209                (*argv) = kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL);
 210                if (!(*argv))
 211                        return -ENOMEM;
 212                (*argv)[(*argc)++] = 0;
 213                ++pat_ptr;
 214        }
 215
 216        /* Repeat as long as we have more pattern to process and more output
 217           space */
 218        while (*pat_ptr) {
 219                /*
 220                 * Split on spaces before doing template expansion so that
 221                 * %e and %E don't get split if they have spaces in them
 222                 */
 223                if (ispipe) {
 224                        if (isspace(*pat_ptr)) {
 225                                was_space = true;
 226                                pat_ptr++;
 227                                continue;
 228                        } else if (was_space) {
 229                                was_space = false;
 230                                err = cn_printf(cn, "%c", '\0');
 231                                if (err)
 232                                        return err;
 233                                (*argv)[(*argc)++] = cn->used;
 234                        }
 235                }
 236                if (*pat_ptr != '%') {
 237                        err = cn_printf(cn, "%c", *pat_ptr++);
 238                } else {
 239                        switch (*++pat_ptr) {
 240                        /* single % at the end, drop that */
 241                        case 0:
 242                                goto out;
 243                        /* Double percent, output one percent */
 244                        case '%':
 245                                err = cn_printf(cn, "%c", '%');
 246                                break;
 247                        /* pid */
 248                        case 'p':
 249                                pid_in_pattern = 1;
 250                                err = cn_printf(cn, "%d",
 251                                              task_tgid_vnr(current));
 252                                break;
 253                        /* global pid */
 254                        case 'P':
 255                                err = cn_printf(cn, "%d",
 256                                              task_tgid_nr(current));
 257                                break;
 258                        case 'i':
 259                                err = cn_printf(cn, "%d",
 260                                              task_pid_vnr(current));
 261                                break;
 262                        case 'I':
 263                                err = cn_printf(cn, "%d",
 264                                              task_pid_nr(current));
 265                                break;
 266                        /* uid */
 267                        case 'u':
 268                                err = cn_printf(cn, "%u",
 269                                                from_kuid(&init_user_ns,
 270                                                          cred->uid));
 271                                break;
 272                        /* gid */
 273                        case 'g':
 274                                err = cn_printf(cn, "%u",
 275                                                from_kgid(&init_user_ns,
 276                                                          cred->gid));
 277                                break;
 278                        case 'd':
 279                                err = cn_printf(cn, "%d",
 280                                        __get_dumpable(cprm->mm_flags));
 281                                break;
 282                        /* signal that caused the coredump */
 283                        case 's':
 284                                err = cn_printf(cn, "%d",
 285                                                cprm->siginfo->si_signo);
 286                                break;
 287                        /* UNIX time of coredump */
 288                        case 't': {
 289                                time64_t time;
 290
 291                                time = ktime_get_real_seconds();
 292                                err = cn_printf(cn, "%lld", time);
 293                                break;
 294                        }
 295                        /* hostname */
 296                        case 'h':
 297                                down_read(&uts_sem);
 298                                err = cn_esc_printf(cn, "%s",
 299                                              utsname()->nodename);
 300                                up_read(&uts_sem);
 301                                break;
 302                        /* executable */
 303                        case 'e':
 304                                err = cn_esc_printf(cn, "%s", current->comm);
 305                                break;
 306                        case 'E':
 307                                err = cn_print_exe_file(cn);
 308                                break;
 309                        /* core limit size */
 310                        case 'c':
 311                                err = cn_printf(cn, "%lu",
 312                                              rlimit(RLIMIT_CORE));
 313                                break;
 314                        default:
 315                                break;
 316                        }
 317                        ++pat_ptr;
 318                }
 319
 320                if (err)
 321                        return err;
 322        }
 323
 324out:
 325        /* Backward compatibility with core_uses_pid:
 326         *
 327         * If core_pattern does not include a %p (as is the default)
 328         * and core_uses_pid is set, then .%pid will be appended to
 329         * the filename. Do not do this for piped commands. */
 330        if (!ispipe && !pid_in_pattern && core_uses_pid) {
 331                err = cn_printf(cn, ".%d", task_tgid_vnr(current));
 332                if (err)
 333                        return err;
 334        }
 335        return ispipe;
 336}
 337
 338static int zap_process(struct task_struct *start, int exit_code, int flags)
 339{
 340        struct task_struct *t;
 341        int nr = 0;
 342
 343        /* ignore all signals except SIGKILL, see prepare_signal() */
 344        start->signal->flags = SIGNAL_GROUP_COREDUMP | flags;
 345        start->signal->group_exit_code = exit_code;
 346        start->signal->group_stop_count = 0;
 347
 348        for_each_thread(start, t) {
 349                task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
 350                if (t != current && t->mm) {
 351                        sigaddset(&t->pending.signal, SIGKILL);
 352                        signal_wake_up(t, 1);
 353                        nr++;
 354                }
 355        }
 356
 357        return nr;
 358}
 359
 360static int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
 361                        struct core_state *core_state, int exit_code)
 362{
 363        struct task_struct *g, *p;
 364        unsigned long flags;
 365        int nr = -EAGAIN;
 366
 367        spin_lock_irq(&tsk->sighand->siglock);
 368        if (!signal_group_exit(tsk->signal)) {
 369                mm->core_state = core_state;
 370                tsk->signal->group_exit_task = tsk;
 371                nr = zap_process(tsk, exit_code, 0);
 372                clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
 373        }
 374        spin_unlock_irq(&tsk->sighand->siglock);
 375        if (unlikely(nr < 0))
 376                return nr;
 377
 378        tsk->flags |= PF_DUMPCORE;
 379        if (atomic_read(&mm->mm_users) == nr + 1)
 380                goto done;
 381        /*
 382         * We should find and kill all tasks which use this mm, and we should
 383         * count them correctly into ->nr_threads. We don't take tasklist
 384         * lock, but this is safe wrt:
 385         *
 386         * fork:
 387         *      None of sub-threads can fork after zap_process(leader). All
 388         *      processes which were created before this point should be
 389         *      visible to zap_threads() because copy_process() adds the new
 390         *      process to the tail of init_task.tasks list, and lock/unlock
 391         *      of ->siglock provides a memory barrier.
 392         *
 393         * do_exit:
 394         *      The caller holds mm->mmap_sem. This means that the task which
 395         *      uses this mm can't pass exit_mm(), so it can't exit or clear
 396         *      its ->mm.
 397         *
 398         * de_thread:
 399         *      It does list_replace_rcu(&leader->tasks, &current->tasks),
 400         *      we must see either old or new leader, this does not matter.
 401         *      However, it can change p->sighand, so lock_task_sighand(p)
 402         *      must be used. Since p->mm != NULL and we hold ->mmap_sem
 403         *      it can't fail.
 404         *
 405         *      Note also that "g" can be the old leader with ->mm == NULL
 406         *      and already unhashed and thus removed from ->thread_group.
 407         *      This is OK, __unhash_process()->list_del_rcu() does not
 408         *      clear the ->next pointer, we will find the new leader via
 409         *      next_thread().
 410         */
 411        rcu_read_lock();
 412        for_each_process(g) {
 413                if (g == tsk->group_leader)
 414                        continue;
 415                if (g->flags & PF_KTHREAD)
 416                        continue;
 417
 418                for_each_thread(g, p) {
 419                        if (unlikely(!p->mm))
 420                                continue;
 421                        if (unlikely(p->mm == mm)) {
 422                                lock_task_sighand(p, &flags);
 423                                nr += zap_process(p, exit_code,
 424                                                        SIGNAL_GROUP_EXIT);
 425                                unlock_task_sighand(p, &flags);
 426                        }
 427                        break;
 428                }
 429        }
 430        rcu_read_unlock();
 431done:
 432        atomic_set(&core_state->nr_threads, nr);
 433        return nr;
 434}
 435
 436static int coredump_wait(int exit_code, struct core_state *core_state)
 437{
 438        struct task_struct *tsk = current;
 439        struct mm_struct *mm = tsk->mm;
 440        int core_waiters = -EBUSY;
 441
 442        init_completion(&core_state->startup);
 443        core_state->dumper.task = tsk;
 444        core_state->dumper.next = NULL;
 445
 446        if (down_write_killable(&mm->mmap_sem))
 447                return -EINTR;
 448
 449        if (!mm->core_state)
 450                core_waiters = zap_threads(tsk, mm, core_state, exit_code);
 451        up_write(&mm->mmap_sem);
 452
 453        if (core_waiters > 0) {
 454                struct core_thread *ptr;
 455
 456                freezer_do_not_count();
 457                wait_for_completion(&core_state->startup);
 458                freezer_count();
 459                /*
 460                 * Wait for all the threads to become inactive, so that
 461                 * all the thread context (extended register state, like
 462                 * fpu etc) gets copied to the memory.
 463                 */
 464                ptr = core_state->dumper.next;
 465                while (ptr != NULL) {
 466                        wait_task_inactive(ptr->task, 0);
 467                        ptr = ptr->next;
 468                }
 469        }
 470
 471        return core_waiters;
 472}
 473
 474static void coredump_finish(struct mm_struct *mm, bool core_dumped)
 475{
 476        struct core_thread *curr, *next;
 477        struct task_struct *task;
 478
 479        spin_lock_irq(&current->sighand->siglock);
 480        if (core_dumped && !__fatal_signal_pending(current))
 481                current->signal->group_exit_code |= 0x80;
 482        current->signal->group_exit_task = NULL;
 483        current->signal->flags = SIGNAL_GROUP_EXIT;
 484        spin_unlock_irq(&current->sighand->siglock);
 485
 486        next = mm->core_state->dumper.next;
 487        while ((curr = next) != NULL) {
 488                next = curr->next;
 489                task = curr->task;
 490                /*
 491                 * see exit_mm(), curr->task must not see
 492                 * ->task == NULL before we read ->next.
 493                 */
 494                smp_mb();
 495                curr->task = NULL;
 496                wake_up_process(task);
 497        }
 498
 499        mm->core_state = NULL;
 500}
 501
 502static bool dump_interrupted(void)
 503{
 504        /*
 505         * SIGKILL or freezing() interrupt the coredumping. Perhaps we
 506         * can do try_to_freeze() and check __fatal_signal_pending(),
 507         * but then we need to teach dump_write() to restart and clear
 508         * TIF_SIGPENDING.
 509         */
 510        return signal_pending(current);
 511}
 512
 513static void wait_for_dump_helpers(struct file *file)
 514{
 515        struct pipe_inode_info *pipe = file->private_data;
 516
 517        pipe_lock(pipe);
 518        pipe->readers++;
 519        pipe->writers--;
 520        wake_up_interruptible_sync(&pipe->wait);
 521        kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
 522        pipe_unlock(pipe);
 523
 524        /*
 525         * We actually want wait_event_freezable() but then we need
 526         * to clear TIF_SIGPENDING and improve dump_interrupted().
 527         */
 528        wait_event_interruptible(pipe->wait, pipe->readers == 1);
 529
 530        pipe_lock(pipe);
 531        pipe->readers--;
 532        pipe->writers++;
 533        pipe_unlock(pipe);
 534}
 535
 536/*
 537 * umh_pipe_setup
 538 * helper function to customize the process used
 539 * to collect the core in userspace.  Specifically
 540 * it sets up a pipe and installs it as fd 0 (stdin)
 541 * for the process.  Returns 0 on success, or
 542 * PTR_ERR on failure.
 543 * Note that it also sets the core limit to 1.  This
 544 * is a special value that we use to trap recursive
 545 * core dumps
 546 */
 547static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
 548{
 549        struct file *files[2];
 550        struct coredump_params *cp = (struct coredump_params *)info->data;
 551        int err = create_pipe_files(files, 0);
 552        if (err)
 553                return err;
 554
 555        cp->file = files[1];
 556
 557        err = replace_fd(0, files[0], 0);
 558        fput(files[0]);
 559        /* and disallow core files too */
 560        current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
 561
 562        return err;
 563}
 564
 565void do_coredump(const kernel_siginfo_t *siginfo)
 566{
 567        struct core_state core_state;
 568        struct core_name cn;
 569        struct mm_struct *mm = current->mm;
 570        struct linux_binfmt * binfmt;
 571        const struct cred *old_cred;
 572        struct cred *cred;
 573        int retval = 0;
 574        int ispipe;
 575        size_t *argv = NULL;
 576        int argc = 0;
 577        struct files_struct *displaced;
 578        /* require nonrelative corefile path and be extra careful */
 579        bool need_suid_safe = false;
 580        bool core_dumped = false;
 581        static atomic_t core_dump_count = ATOMIC_INIT(0);
 582        struct coredump_params cprm = {
 583                .siginfo = siginfo,
 584                .regs = signal_pt_regs(),
 585                .limit = rlimit(RLIMIT_CORE),
 586                /*
 587                 * We must use the same mm->flags while dumping core to avoid
 588                 * inconsistency of bit flags, since this flag is not protected
 589                 * by any locks.
 590                 */
 591                .mm_flags = mm->flags,
 592        };
 593
 594        audit_core_dumps(siginfo->si_signo);
 595
 596        binfmt = mm->binfmt;
 597        if (!binfmt || !binfmt->core_dump)
 598                goto fail;
 599        if (!__get_dumpable(cprm.mm_flags))
 600                goto fail;
 601
 602        cred = prepare_creds();
 603        if (!cred)
 604                goto fail;
 605        /*
 606         * We cannot trust fsuid as being the "true" uid of the process
 607         * nor do we know its entire history. We only know it was tainted
 608         * so we dump it as root in mode 2, and only into a controlled
 609         * environment (pipe handler or fully qualified path).
 610         */
 611        if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
 612                /* Setuid core dump mode */
 613                cred->fsuid = GLOBAL_ROOT_UID;  /* Dump root private */
 614                need_suid_safe = true;
 615        }
 616
 617        retval = coredump_wait(siginfo->si_signo, &core_state);
 618        if (retval < 0)
 619                goto fail_creds;
 620
 621        old_cred = override_creds(cred);
 622
 623        ispipe = format_corename(&cn, &cprm, &argv, &argc);
 624
 625        if (ispipe) {
 626                int argi;
 627                int dump_count;
 628                char **helper_argv;
 629                struct subprocess_info *sub_info;
 630
 631                if (ispipe < 0) {
 632                        printk(KERN_WARNING "format_corename failed\n");
 633                        printk(KERN_WARNING "Aborting core\n");
 634                        goto fail_unlock;
 635                }
 636
 637                if (cprm.limit == 1) {
 638                        /* See umh_pipe_setup() which sets RLIMIT_CORE = 1.
 639                         *
 640                         * Normally core limits are irrelevant to pipes, since
 641                         * we're not writing to the file system, but we use
 642                         * cprm.limit of 1 here as a special value, this is a
 643                         * consistent way to catch recursive crashes.
 644                         * We can still crash if the core_pattern binary sets
 645                         * RLIM_CORE = !1, but it runs as root, and can do
 646                         * lots of stupid things.
 647                         *
 648                         * Note that we use task_tgid_vnr here to grab the pid
 649                         * of the process group leader.  That way we get the
 650                         * right pid if a thread in a multi-threaded
 651                         * core_pattern process dies.
 652                         */
 653                        printk(KERN_WARNING
 654                                "Process %d(%s) has RLIMIT_CORE set to 1\n",
 655                                task_tgid_vnr(current), current->comm);
 656                        printk(KERN_WARNING "Aborting core\n");
 657                        goto fail_unlock;
 658                }
 659                cprm.limit = RLIM_INFINITY;
 660
 661                dump_count = atomic_inc_return(&core_dump_count);
 662                if (core_pipe_limit && (core_pipe_limit < dump_count)) {
 663                        printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
 664                               task_tgid_vnr(current), current->comm);
 665                        printk(KERN_WARNING "Skipping core dump\n");
 666                        goto fail_dropcount;
 667                }
 668
 669                helper_argv = kmalloc_array(argc + 1, sizeof(*helper_argv),
 670                                            GFP_KERNEL);
 671                if (!helper_argv) {
 672                        printk(KERN_WARNING "%s failed to allocate memory\n",
 673                               __func__);
 674                        goto fail_dropcount;
 675                }
 676                for (argi = 0; argi < argc; argi++)
 677                        helper_argv[argi] = cn.corename + argv[argi];
 678                helper_argv[argi] = NULL;
 679
 680                retval = -ENOMEM;
 681                sub_info = call_usermodehelper_setup(helper_argv[0],
 682                                                helper_argv, NULL, GFP_KERNEL,
 683                                                umh_pipe_setup, NULL, &cprm);
 684                if (sub_info)
 685                        retval = call_usermodehelper_exec(sub_info,
 686                                                          UMH_WAIT_EXEC);
 687
 688                kfree(helper_argv);
 689                if (retval) {
 690                        printk(KERN_INFO "Core dump to |%s pipe failed\n",
 691                               cn.corename);
 692                        goto close_fail;
 693                }
 694        } else {
 695                struct inode *inode;
 696                int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW |
 697                                 O_LARGEFILE | O_EXCL;
 698
 699                if (cprm.limit < binfmt->min_coredump)
 700                        goto fail_unlock;
 701
 702                if (need_suid_safe && cn.corename[0] != '/') {
 703                        printk(KERN_WARNING "Pid %d(%s) can only dump core "\
 704                                "to fully qualified path!\n",
 705                                task_tgid_vnr(current), current->comm);
 706                        printk(KERN_WARNING "Skipping core dump\n");
 707                        goto fail_unlock;
 708                }
 709
 710                /*
 711                 * Unlink the file if it exists unless this is a SUID
 712                 * binary - in that case, we're running around with root
 713                 * privs and don't want to unlink another user's coredump.
 714                 */
 715                if (!need_suid_safe) {
 716                        /*
 717                         * If it doesn't exist, that's fine. If there's some
 718                         * other problem, we'll catch it at the filp_open().
 719                         */
 720                        do_unlinkat(AT_FDCWD, getname_kernel(cn.corename));
 721                }
 722
 723                /*
 724                 * There is a race between unlinking and creating the
 725                 * file, but if that causes an EEXIST here, that's
 726                 * fine - another process raced with us while creating
 727                 * the corefile, and the other process won. To userspace,
 728                 * what matters is that at least one of the two processes
 729                 * writes its coredump successfully, not which one.
 730                 */
 731                if (need_suid_safe) {
 732                        /*
 733                         * Using user namespaces, normal user tasks can change
 734                         * their current->fs->root to point to arbitrary
 735                         * directories. Since the intention of the "only dump
 736                         * with a fully qualified path" rule is to control where
 737                         * coredumps may be placed using root privileges,
 738                         * current->fs->root must not be used. Instead, use the
 739                         * root directory of init_task.
 740                         */
 741                        struct path root;
 742
 743                        task_lock(&init_task);
 744                        get_fs_root(init_task.fs, &root);
 745                        task_unlock(&init_task);
 746                        cprm.file = file_open_root(root.dentry, root.mnt,
 747                                cn.corename, open_flags, 0600);
 748                        path_put(&root);
 749                } else {
 750                        cprm.file = filp_open(cn.corename, open_flags, 0600);
 751                }
 752                if (IS_ERR(cprm.file))
 753                        goto fail_unlock;
 754
 755                inode = file_inode(cprm.file);
 756                if (inode->i_nlink > 1)
 757                        goto close_fail;
 758                if (d_unhashed(cprm.file->f_path.dentry))
 759                        goto close_fail;
 760                /*
 761                 * AK: actually i see no reason to not allow this for named
 762                 * pipes etc, but keep the previous behaviour for now.
 763                 */
 764                if (!S_ISREG(inode->i_mode))
 765                        goto close_fail;
 766                /*
 767                 * Don't dump core if the filesystem changed owner or mode
 768                 * of the file during file creation. This is an issue when
 769                 * a process dumps core while its cwd is e.g. on a vfat
 770                 * filesystem.
 771                 */
 772                if (!uid_eq(inode->i_uid, current_fsuid()))
 773                        goto close_fail;
 774                if ((inode->i_mode & 0677) != 0600)
 775                        goto close_fail;
 776                if (!(cprm.file->f_mode & FMODE_CAN_WRITE))
 777                        goto close_fail;
 778                if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file))
 779                        goto close_fail;
 780        }
 781
 782        /* get us an unshared descriptor table; almost always a no-op */
 783        retval = unshare_files(&displaced);
 784        if (retval)
 785                goto close_fail;
 786        if (displaced)
 787                put_files_struct(displaced);
 788        if (!dump_interrupted()) {
 789                file_start_write(cprm.file);
 790                core_dumped = binfmt->core_dump(&cprm);
 791                file_end_write(cprm.file);
 792        }
 793        if (ispipe && core_pipe_limit)
 794                wait_for_dump_helpers(cprm.file);
 795close_fail:
 796        if (cprm.file)
 797                filp_close(cprm.file, NULL);
 798fail_dropcount:
 799        if (ispipe)
 800                atomic_dec(&core_dump_count);
 801fail_unlock:
 802        kfree(argv);
 803        kfree(cn.corename);
 804        coredump_finish(mm, core_dumped);
 805        revert_creds(old_cred);
 806fail_creds:
 807        put_cred(cred);
 808fail:
 809        return;
 810}
 811
 812/*
 813 * Core dumping helper functions.  These are the only things you should
 814 * do on a core-file: use only these functions to write out all the
 815 * necessary info.
 816 */
 817int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
 818{
 819        struct file *file = cprm->file;
 820        loff_t pos = file->f_pos;
 821        ssize_t n;
 822        if (cprm->written + nr > cprm->limit)
 823                return 0;
 824        while (nr) {
 825                if (dump_interrupted())
 826                        return 0;
 827                n = __kernel_write(file, addr, nr, &pos);
 828                if (n <= 0)
 829                        return 0;
 830                file->f_pos = pos;
 831                cprm->written += n;
 832                cprm->pos += n;
 833                nr -= n;
 834        }
 835        return 1;
 836}
 837EXPORT_SYMBOL(dump_emit);
 838
 839int dump_skip(struct coredump_params *cprm, size_t nr)
 840{
 841        static char zeroes[PAGE_SIZE];
 842        struct file *file = cprm->file;
 843        if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
 844                if (dump_interrupted() ||
 845                    file->f_op->llseek(file, nr, SEEK_CUR) < 0)
 846                        return 0;
 847                cprm->pos += nr;
 848                return 1;
 849        } else {
 850                while (nr > PAGE_SIZE) {
 851                        if (!dump_emit(cprm, zeroes, PAGE_SIZE))
 852                                return 0;
 853                        nr -= PAGE_SIZE;
 854                }
 855                return dump_emit(cprm, zeroes, nr);
 856        }
 857}
 858EXPORT_SYMBOL(dump_skip);
 859
 860int dump_align(struct coredump_params *cprm, int align)
 861{
 862        unsigned mod = cprm->pos & (align - 1);
 863        if (align & (align - 1))
 864                return 0;
 865        return mod ? dump_skip(cprm, align - mod) : 1;
 866}
 867EXPORT_SYMBOL(dump_align);
 868
 869/*
 870 * Ensures that file size is big enough to contain the current file
 871 * postion. This prevents gdb from complaining about a truncated file
 872 * if the last "write" to the file was dump_skip.
 873 */
 874void dump_truncate(struct coredump_params *cprm)
 875{
 876        struct file *file = cprm->file;
 877        loff_t offset;
 878
 879        if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
 880                offset = file->f_op->llseek(file, 0, SEEK_CUR);
 881                if (i_size_read(file->f_mapping->host) < offset)
 882                        do_truncate(file->f_path.dentry, offset, 0, file);
 883        }
 884}
 885EXPORT_SYMBOL(dump_truncate);
 886