1
2#include <linux/slab.h>
3#include <linux/file.h>
4#include <linux/fdtable.h>
5#include <linux/freezer.h>
6#include <linux/mm.h>
7#include <linux/stat.h>
8#include <linux/fcntl.h>
9#include <linux/swap.h>
10#include <linux/ctype.h>
11#include <linux/string.h>
12#include <linux/init.h>
13#include <linux/pagemap.h>
14#include <linux/perf_event.h>
15#include <linux/highmem.h>
16#include <linux/spinlock.h>
17#include <linux/key.h>
18#include <linux/personality.h>
19#include <linux/binfmts.h>
20#include <linux/coredump.h>
21#include <linux/sched/coredump.h>
22#include <linux/sched/signal.h>
23#include <linux/sched/task_stack.h>
24#include <linux/utsname.h>
25#include <linux/pid_namespace.h>
26#include <linux/module.h>
27#include <linux/namei.h>
28#include <linux/mount.h>
29#include <linux/security.h>
30#include <linux/syscalls.h>
31#include <linux/tsacct_kern.h>
32#include <linux/cn_proc.h>
33#include <linux/audit.h>
34#include <linux/tracehook.h>
35#include <linux/kmod.h>
36#include <linux/fsnotify.h>
37#include <linux/fs_struct.h>
38#include <linux/pipe_fs_i.h>
39#include <linux/oom.h>
40#include <linux/compat.h>
41#include <linux/fs.h>
42#include <linux/path.h>
43#include <linux/timekeeping.h>
44
45#include <linux/uaccess.h>
46#include <asm/mmu_context.h>
47#include <asm/tlb.h>
48#include <asm/exec.h>
49
50#include <trace/events/task.h>
51#include "internal.h"
52
53#include <trace/events/sched.h>
54
55int core_uses_pid;
56unsigned int core_pipe_limit;
57char core_pattern[CORENAME_MAX_SIZE] = "core";
58static int core_name_size = CORENAME_MAX_SIZE;
59
60struct core_name {
61 char *corename;
62 int used, size;
63};
64
65
66
67static int expand_corename(struct core_name *cn, int size)
68{
69 char *corename = krealloc(cn->corename, size, GFP_KERNEL);
70
71 if (!corename)
72 return -ENOMEM;
73
74 if (size > core_name_size)
75 core_name_size = size;
76
77 cn->size = ksize(corename);
78 cn->corename = corename;
79 return 0;
80}
81
82static __printf(2, 0) int cn_vprintf(struct core_name *cn, const char *fmt,
83 va_list arg)
84{
85 int free, need;
86 va_list arg_copy;
87
88again:
89 free = cn->size - cn->used;
90
91 va_copy(arg_copy, arg);
92 need = vsnprintf(cn->corename + cn->used, free, fmt, arg_copy);
93 va_end(arg_copy);
94
95 if (need < free) {
96 cn->used += need;
97 return 0;
98 }
99
100 if (!expand_corename(cn, cn->size + need - free + 1))
101 goto again;
102
103 return -ENOMEM;
104}
105
106static __printf(2, 3) int cn_printf(struct core_name *cn, const char *fmt, ...)
107{
108 va_list arg;
109 int ret;
110
111 va_start(arg, fmt);
112 ret = cn_vprintf(cn, fmt, arg);
113 va_end(arg);
114
115 return ret;
116}
117
118static __printf(2, 3)
119int cn_esc_printf(struct core_name *cn, const char *fmt, ...)
120{
121 int cur = cn->used;
122 va_list arg;
123 int ret;
124
125 va_start(arg, fmt);
126 ret = cn_vprintf(cn, fmt, arg);
127 va_end(arg);
128
129 if (ret == 0) {
130
131
132
133
134 if ((cn->used - cur == 1 && cn->corename[cur] == '.') ||
135 (cn->used - cur == 2 && cn->corename[cur] == '.'
136 && cn->corename[cur+1] == '.'))
137 cn->corename[cur] = '!';
138
139
140
141
142
143
144
145 if (cn->used == cur)
146 ret = cn_printf(cn, "!");
147 }
148
149 for (; cur < cn->used; ++cur) {
150 if (cn->corename[cur] == '/')
151 cn->corename[cur] = '!';
152 }
153 return ret;
154}
155
156static int cn_print_exe_file(struct core_name *cn, bool name_only)
157{
158 struct file *exe_file;
159 char *pathbuf, *path, *ptr;
160 int ret;
161
162 exe_file = get_mm_exe_file(current->mm);
163 if (!exe_file)
164 return cn_esc_printf(cn, "%s (path unknown)", current->comm);
165
166 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
167 if (!pathbuf) {
168 ret = -ENOMEM;
169 goto put_exe_file;
170 }
171
172 path = file_path(exe_file, pathbuf, PATH_MAX);
173 if (IS_ERR(path)) {
174 ret = PTR_ERR(path);
175 goto free_buf;
176 }
177
178 if (name_only) {
179 ptr = strrchr(path, '/');
180 if (ptr)
181 path = ptr + 1;
182 }
183 ret = cn_esc_printf(cn, "%s", path);
184
185free_buf:
186 kfree(pathbuf);
187put_exe_file:
188 fput(exe_file);
189 return ret;
190}
191
192
193
194
195
196static int format_corename(struct core_name *cn, struct coredump_params *cprm,
197 size_t **argv, int *argc)
198{
199 const struct cred *cred = current_cred();
200 const char *pat_ptr = core_pattern;
201 int ispipe = (*pat_ptr == '|');
202 bool was_space = false;
203 int pid_in_pattern = 0;
204 int err = 0;
205
206 cn->used = 0;
207 cn->corename = NULL;
208 if (expand_corename(cn, core_name_size))
209 return -ENOMEM;
210 cn->corename[0] = '\0';
211
212 if (ispipe) {
213 int argvs = sizeof(core_pattern) / 2;
214 (*argv) = kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL);
215 if (!(*argv))
216 return -ENOMEM;
217 (*argv)[(*argc)++] = 0;
218 ++pat_ptr;
219 if (!(*pat_ptr))
220 return -ENOMEM;
221 }
222
223
224
225 while (*pat_ptr) {
226
227
228
229
230 if (ispipe) {
231 if (isspace(*pat_ptr)) {
232 was_space = true;
233 pat_ptr++;
234 continue;
235 } else if (was_space) {
236 was_space = false;
237 err = cn_printf(cn, "%c", '\0');
238 if (err)
239 return err;
240 (*argv)[(*argc)++] = cn->used;
241 }
242 }
243 if (*pat_ptr != '%') {
244 err = cn_printf(cn, "%c", *pat_ptr++);
245 } else {
246 switch (*++pat_ptr) {
247
248 case 0:
249 goto out;
250
251 case '%':
252 err = cn_printf(cn, "%c", '%');
253 break;
254
255 case 'p':
256 pid_in_pattern = 1;
257 err = cn_printf(cn, "%d",
258 task_tgid_vnr(current));
259 break;
260
261 case 'P':
262 err = cn_printf(cn, "%d",
263 task_tgid_nr(current));
264 break;
265 case 'i':
266 err = cn_printf(cn, "%d",
267 task_pid_vnr(current));
268 break;
269 case 'I':
270 err = cn_printf(cn, "%d",
271 task_pid_nr(current));
272 break;
273
274 case 'u':
275 err = cn_printf(cn, "%u",
276 from_kuid(&init_user_ns,
277 cred->uid));
278 break;
279
280 case 'g':
281 err = cn_printf(cn, "%u",
282 from_kgid(&init_user_ns,
283 cred->gid));
284 break;
285 case 'd':
286 err = cn_printf(cn, "%d",
287 __get_dumpable(cprm->mm_flags));
288 break;
289
290 case 's':
291 err = cn_printf(cn, "%d",
292 cprm->siginfo->si_signo);
293 break;
294
295 case 't': {
296 time64_t time;
297
298 time = ktime_get_real_seconds();
299 err = cn_printf(cn, "%lld", time);
300 break;
301 }
302
303 case 'h':
304 down_read(&uts_sem);
305 err = cn_esc_printf(cn, "%s",
306 utsname()->nodename);
307 up_read(&uts_sem);
308 break;
309
310 case 'e':
311 err = cn_esc_printf(cn, "%s", current->comm);
312 break;
313
314 case 'f':
315 err = cn_print_exe_file(cn, true);
316 break;
317 case 'E':
318 err = cn_print_exe_file(cn, false);
319 break;
320
321 case 'c':
322 err = cn_printf(cn, "%lu",
323 rlimit(RLIMIT_CORE));
324 break;
325 default:
326 break;
327 }
328 ++pat_ptr;
329 }
330
331 if (err)
332 return err;
333 }
334
335out:
336
337
338
339
340
341 if (!ispipe && !pid_in_pattern && core_uses_pid) {
342 err = cn_printf(cn, ".%d", task_tgid_vnr(current));
343 if (err)
344 return err;
345 }
346 return ispipe;
347}
348
349static int zap_process(struct task_struct *start, int exit_code, int flags)
350{
351 struct task_struct *t;
352 int nr = 0;
353
354
355 start->signal->flags = SIGNAL_GROUP_COREDUMP | flags;
356 start->signal->group_exit_code = exit_code;
357 start->signal->group_stop_count = 0;
358
359 for_each_thread(start, t) {
360 task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
361 if (t != current && t->mm) {
362 sigaddset(&t->pending.signal, SIGKILL);
363 signal_wake_up(t, 1);
364 nr++;
365 }
366 }
367
368 return nr;
369}
370
371static int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
372 struct core_state *core_state, int exit_code)
373{
374 struct task_struct *g, *p;
375 unsigned long flags;
376 int nr = -EAGAIN;
377
378 spin_lock_irq(&tsk->sighand->siglock);
379 if (!signal_group_exit(tsk->signal)) {
380 mm->core_state = core_state;
381 tsk->signal->group_exit_task = tsk;
382 nr = zap_process(tsk, exit_code, 0);
383 clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
384 }
385 spin_unlock_irq(&tsk->sighand->siglock);
386 if (unlikely(nr < 0))
387 return nr;
388
389 tsk->flags |= PF_DUMPCORE;
390 if (atomic_read(&mm->mm_users) == nr + 1)
391 goto done;
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422 rcu_read_lock();
423 for_each_process(g) {
424 if (g == tsk->group_leader)
425 continue;
426 if (g->flags & PF_KTHREAD)
427 continue;
428
429 for_each_thread(g, p) {
430 if (unlikely(!p->mm))
431 continue;
432 if (unlikely(p->mm == mm)) {
433 lock_task_sighand(p, &flags);
434 nr += zap_process(p, exit_code,
435 SIGNAL_GROUP_EXIT);
436 unlock_task_sighand(p, &flags);
437 }
438 break;
439 }
440 }
441 rcu_read_unlock();
442done:
443 atomic_set(&core_state->nr_threads, nr);
444 return nr;
445}
446
447static int coredump_wait(int exit_code, struct core_state *core_state)
448{
449 struct task_struct *tsk = current;
450 struct mm_struct *mm = tsk->mm;
451 int core_waiters = -EBUSY;
452
453 init_completion(&core_state->startup);
454 core_state->dumper.task = tsk;
455 core_state->dumper.next = NULL;
456
457 if (mmap_write_lock_killable(mm))
458 return -EINTR;
459
460 if (!mm->core_state)
461 core_waiters = zap_threads(tsk, mm, core_state, exit_code);
462 mmap_write_unlock(mm);
463
464 if (core_waiters > 0) {
465 struct core_thread *ptr;
466
467 freezer_do_not_count();
468 wait_for_completion(&core_state->startup);
469 freezer_count();
470
471
472
473
474
475 ptr = core_state->dumper.next;
476 while (ptr != NULL) {
477 wait_task_inactive(ptr->task, 0);
478 ptr = ptr->next;
479 }
480 }
481
482 return core_waiters;
483}
484
485static void coredump_finish(struct mm_struct *mm, bool core_dumped)
486{
487 struct core_thread *curr, *next;
488 struct task_struct *task;
489
490 spin_lock_irq(¤t->sighand->siglock);
491 if (core_dumped && !__fatal_signal_pending(current))
492 current->signal->group_exit_code |= 0x80;
493 current->signal->group_exit_task = NULL;
494 current->signal->flags = SIGNAL_GROUP_EXIT;
495 spin_unlock_irq(¤t->sighand->siglock);
496
497 next = mm->core_state->dumper.next;
498 while ((curr = next) != NULL) {
499 next = curr->next;
500 task = curr->task;
501
502
503
504
505 smp_mb();
506 curr->task = NULL;
507 wake_up_process(task);
508 }
509
510 mm->core_state = NULL;
511}
512
513static bool dump_interrupted(void)
514{
515
516
517
518
519
520
521 return signal_pending(current);
522}
523
524static void wait_for_dump_helpers(struct file *file)
525{
526 struct pipe_inode_info *pipe = file->private_data;
527
528 pipe_lock(pipe);
529 pipe->readers++;
530 pipe->writers--;
531 wake_up_interruptible_sync(&pipe->rd_wait);
532 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
533 pipe_unlock(pipe);
534
535
536
537
538
539 wait_event_interruptible(pipe->rd_wait, pipe->readers == 1);
540
541 pipe_lock(pipe);
542 pipe->readers--;
543 pipe->writers++;
544 pipe_unlock(pipe);
545}
546
547
548
549
550
551
552
553
554
555
556
557
558static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
559{
560 struct file *files[2];
561 struct coredump_params *cp = (struct coredump_params *)info->data;
562 int err = create_pipe_files(files, 0);
563 if (err)
564 return err;
565
566 cp->file = files[1];
567
568 err = replace_fd(0, files[0], 0);
569 fput(files[0]);
570
571 current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
572
573 return err;
574}
575
576void do_coredump(const kernel_siginfo_t *siginfo)
577{
578 struct core_state core_state;
579 struct core_name cn;
580 struct mm_struct *mm = current->mm;
581 struct linux_binfmt * binfmt;
582 const struct cred *old_cred;
583 struct cred *cred;
584 int retval = 0;
585 int ispipe;
586 size_t *argv = NULL;
587 int argc = 0;
588 struct files_struct *displaced;
589
590 bool need_suid_safe = false;
591 bool core_dumped = false;
592 static atomic_t core_dump_count = ATOMIC_INIT(0);
593 struct coredump_params cprm = {
594 .siginfo = siginfo,
595 .regs = signal_pt_regs(),
596 .limit = rlimit(RLIMIT_CORE),
597
598
599
600
601
602 .mm_flags = mm->flags,
603 };
604
605 audit_core_dumps(siginfo->si_signo);
606
607 binfmt = mm->binfmt;
608 if (!binfmt || !binfmt->core_dump)
609 goto fail;
610 if (!__get_dumpable(cprm.mm_flags))
611 goto fail;
612
613 cred = prepare_creds();
614 if (!cred)
615 goto fail;
616
617
618
619
620
621
622 if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
623
624 cred->fsuid = GLOBAL_ROOT_UID;
625 need_suid_safe = true;
626 }
627
628 retval = coredump_wait(siginfo->si_signo, &core_state);
629 if (retval < 0)
630 goto fail_creds;
631
632 old_cred = override_creds(cred);
633
634 ispipe = format_corename(&cn, &cprm, &argv, &argc);
635
636 if (ispipe) {
637 int argi;
638 int dump_count;
639 char **helper_argv;
640 struct subprocess_info *sub_info;
641
642 if (ispipe < 0) {
643 printk(KERN_WARNING "format_corename failed\n");
644 printk(KERN_WARNING "Aborting core\n");
645 goto fail_unlock;
646 }
647
648 if (cprm.limit == 1) {
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664 printk(KERN_WARNING
665 "Process %d(%s) has RLIMIT_CORE set to 1\n",
666 task_tgid_vnr(current), current->comm);
667 printk(KERN_WARNING "Aborting core\n");
668 goto fail_unlock;
669 }
670 cprm.limit = RLIM_INFINITY;
671
672 dump_count = atomic_inc_return(&core_dump_count);
673 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
674 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
675 task_tgid_vnr(current), current->comm);
676 printk(KERN_WARNING "Skipping core dump\n");
677 goto fail_dropcount;
678 }
679
680 helper_argv = kmalloc_array(argc + 1, sizeof(*helper_argv),
681 GFP_KERNEL);
682 if (!helper_argv) {
683 printk(KERN_WARNING "%s failed to allocate memory\n",
684 __func__);
685 goto fail_dropcount;
686 }
687 for (argi = 0; argi < argc; argi++)
688 helper_argv[argi] = cn.corename + argv[argi];
689 helper_argv[argi] = NULL;
690
691 retval = -ENOMEM;
692 sub_info = call_usermodehelper_setup(helper_argv[0],
693 helper_argv, NULL, GFP_KERNEL,
694 umh_pipe_setup, NULL, &cprm);
695 if (sub_info)
696 retval = call_usermodehelper_exec(sub_info,
697 UMH_WAIT_EXEC);
698
699 kfree(helper_argv);
700 if (retval) {
701 printk(KERN_INFO "Core dump to |%s pipe failed\n",
702 cn.corename);
703 goto close_fail;
704 }
705 } else {
706 struct inode *inode;
707 int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW |
708 O_LARGEFILE | O_EXCL;
709
710 if (cprm.limit < binfmt->min_coredump)
711 goto fail_unlock;
712
713 if (need_suid_safe && cn.corename[0] != '/') {
714 printk(KERN_WARNING "Pid %d(%s) can only dump core "\
715 "to fully qualified path!\n",
716 task_tgid_vnr(current), current->comm);
717 printk(KERN_WARNING "Skipping core dump\n");
718 goto fail_unlock;
719 }
720
721
722
723
724
725
726 if (!need_suid_safe) {
727
728
729
730
731 do_unlinkat(AT_FDCWD, getname_kernel(cn.corename));
732 }
733
734
735
736
737
738
739
740
741
742 if (need_suid_safe) {
743
744
745
746
747
748
749
750
751
752 struct path root;
753
754 task_lock(&init_task);
755 get_fs_root(init_task.fs, &root);
756 task_unlock(&init_task);
757 cprm.file = file_open_root(root.dentry, root.mnt,
758 cn.corename, open_flags, 0600);
759 path_put(&root);
760 } else {
761 cprm.file = filp_open(cn.corename, open_flags, 0600);
762 }
763 if (IS_ERR(cprm.file))
764 goto fail_unlock;
765
766 inode = file_inode(cprm.file);
767 if (inode->i_nlink > 1)
768 goto close_fail;
769 if (d_unhashed(cprm.file->f_path.dentry))
770 goto close_fail;
771
772
773
774
775 if (!S_ISREG(inode->i_mode))
776 goto close_fail;
777
778
779
780
781
782
783 if (!uid_eq(inode->i_uid, current_fsuid()))
784 goto close_fail;
785 if ((inode->i_mode & 0677) != 0600)
786 goto close_fail;
787 if (!(cprm.file->f_mode & FMODE_CAN_WRITE))
788 goto close_fail;
789 if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file))
790 goto close_fail;
791 }
792
793
794 retval = unshare_files(&displaced);
795 if (retval)
796 goto close_fail;
797 if (displaced)
798 put_files_struct(displaced);
799 if (!dump_interrupted()) {
800
801
802
803
804 if (!cprm.file) {
805 pr_info("Core dump to |%s disabled\n", cn.corename);
806 goto close_fail;
807 }
808 file_start_write(cprm.file);
809 core_dumped = binfmt->core_dump(&cprm);
810 file_end_write(cprm.file);
811 }
812 if (ispipe && core_pipe_limit)
813 wait_for_dump_helpers(cprm.file);
814close_fail:
815 if (cprm.file)
816 filp_close(cprm.file, NULL);
817fail_dropcount:
818 if (ispipe)
819 atomic_dec(&core_dump_count);
820fail_unlock:
821 kfree(argv);
822 kfree(cn.corename);
823 coredump_finish(mm, core_dumped);
824 revert_creds(old_cred);
825fail_creds:
826 put_cred(cred);
827fail:
828 return;
829}
830
831
832
833
834
835
836int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
837{
838 struct file *file = cprm->file;
839 loff_t pos = file->f_pos;
840 ssize_t n;
841 if (cprm->written + nr > cprm->limit)
842 return 0;
843 while (nr) {
844 if (dump_interrupted())
845 return 0;
846 n = __kernel_write(file, addr, nr, &pos);
847 if (n <= 0)
848 return 0;
849 file->f_pos = pos;
850 cprm->written += n;
851 cprm->pos += n;
852 nr -= n;
853 }
854 return 1;
855}
856EXPORT_SYMBOL(dump_emit);
857
858int dump_skip(struct coredump_params *cprm, size_t nr)
859{
860 static char zeroes[PAGE_SIZE];
861 struct file *file = cprm->file;
862 if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
863 if (dump_interrupted() ||
864 file->f_op->llseek(file, nr, SEEK_CUR) < 0)
865 return 0;
866 cprm->pos += nr;
867 return 1;
868 } else {
869 while (nr > PAGE_SIZE) {
870 if (!dump_emit(cprm, zeroes, PAGE_SIZE))
871 return 0;
872 nr -= PAGE_SIZE;
873 }
874 return dump_emit(cprm, zeroes, nr);
875 }
876}
877EXPORT_SYMBOL(dump_skip);
878
879int dump_align(struct coredump_params *cprm, int align)
880{
881 unsigned mod = cprm->pos & (align - 1);
882 if (align & (align - 1))
883 return 0;
884 return mod ? dump_skip(cprm, align - mod) : 1;
885}
886EXPORT_SYMBOL(dump_align);
887
888
889
890
891
892
893void dump_truncate(struct coredump_params *cprm)
894{
895 struct file *file = cprm->file;
896 loff_t offset;
897
898 if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
899 offset = file->f_op->llseek(file, 0, SEEK_CUR);
900 if (i_size_read(file->f_mapping->host) < offset)
901 do_truncate(file->f_path.dentry, offset, 0, file);
902 }
903}
904EXPORT_SYMBOL(dump_truncate);
905
