1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 27 /* All Rights Reserved */ 28 /* 29 * Copyright 2019, Joyent, Inc. 30 * Copyright 2022 Oxide Computer Company 31 */ 32 33 #include <sys/types.h> 34 #include <sys/param.h> 35 #include <sys/thread.h> 36 #include <sys/sysmacros.h> 37 #include <sys/signal.h> 38 #include <sys/cred.h> 39 #include <sys/user.h> 40 #include <sys/errno.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> 43 #include <sys/kmem.h> 44 #include <sys/proc.h> 45 #include <sys/pathname.h> 46 #include <sys/policy.h> 47 #include <sys/cmn_err.h> 48 #include <sys/systm.h> 49 #include <sys/elf.h> 50 #include <sys/vmsystm.h> 51 #include <sys/debug.h> 52 #include <sys/auxv.h> 53 #include <sys/exec.h> 54 #include <sys/prsystm.h> 55 #include <vm/as.h> 56 #include <vm/rm.h> 57 #include <vm/seg.h> 58 #include <vm/seg_vn.h> 59 #include <sys/modctl.h> 60 #include <sys/systeminfo.h> 61 #include <sys/vmparam.h> 62 #include <sys/machelf.h> 63 #include <sys/shm_impl.h> 64 #include <sys/archsystm.h> 65 #include <sys/fasttrap.h> 66 #include <sys/brand.h> 67 #include "elf_impl.h" 68 #include <sys/sdt.h> 69 #include <sys/siginfo.h> 70 #include <sys/random.h> 71 72 #include <core_shstrtab.h> 73 74 #if defined(__x86) 75 #include <sys/comm_page_util.h> 76 #include <sys/fp.h> 77 #endif /* defined(__x86) */ 78 79 80 extern int at_flags; 81 extern volatile size_t aslr_max_brk_skew; 82 83 #define ORIGIN_STR "ORIGIN" 84 #define ORIGIN_STR_SIZE 6 85 86 static int getelfhead(vnode_t *, cred_t *, Ehdr *, uint_t *, uint_t *, 87 uint_t *); 88 static int getelfphdr(vnode_t *, cred_t *, const Ehdr *, uint_t, caddr_t *, 89 size_t *); 90 static int getelfshdr(vnode_t *, cred_t *, const Ehdr *, uint_t, uint_t, 91 caddr_t *, size_t *, caddr_t *, size_t *); 92 static size_t elfsize(const Ehdr *, uint_t, const caddr_t, uintptr_t *); 93 static int mapelfexec(vnode_t *, Ehdr *, uint_t, caddr_t, Phdr **, Phdr **, 94 Phdr **, Phdr **, Phdr *, caddr_t *, caddr_t *, intptr_t *, uintptr_t *, 95 size_t, size_t *, size_t *); 96 97 98 #ifdef _ELF32_COMPAT 99 /* Link against the non-compat instances when compiling the 32-bit version. */ 100 extern size_t elf_datasz_max; 101 extern size_t elf_zeropg_sz; 102 extern void elf_ctx_resize_scratch(elf_core_ctx_t *, size_t); 103 extern uint_t elf_nphdr_max; 104 extern uint_t elf_nshdr_max; 105 extern size_t elf_shstrtab_max; 106 #else 107 size_t elf_datasz_max = 1 * 1024 * 1024; 108 size_t elf_zeropg_sz = 4 * 1024; 109 uint_t elf_nphdr_max = 1000; 110 uint_t elf_nshdr_max = 10000; 111 size_t elf_shstrtab_max = 100 * 1024; 112 #endif 113 114 static int 115 dtrace_safe_phdr(Phdr *phdrp, struct uarg *args, uintptr_t base) 116 { 117 ASSERT(phdrp->p_type == PT_SUNWDTRACE); 118 119 /* 120 * See the comment in fasttrap.h for information on how to safely 121 * update this program header. 122 */ 123 if (phdrp->p_memsz < PT_SUNWDTRACE_SIZE || 124 (phdrp->p_flags & (PF_R | PF_W | PF_X)) != (PF_R | PF_W | PF_X)) 125 return (-1); 126 127 args->thrptr = phdrp->p_vaddr + base; 128 129 return (0); 130 } 131 132 static int 133 handle_secflag_dt(proc_t *p, uint_t dt, uint_t val) 134 { 135 uint_t flag; 136 137 switch (dt) { 138 case DT_SUNW_ASLR: 139 flag = PROC_SEC_ASLR; 140 break; 141 default: 142 return (EINVAL); 143 } 144 145 if (val == 0) { 146 if (secflag_isset(p->p_secflags.psf_lower, flag)) 147 return (EPERM); 148 if ((secpolicy_psecflags(CRED(), p, p) != 0) && 149 secflag_isset(p->p_secflags.psf_inherit, flag)) 150 return (EPERM); 151 152 secflag_clear(&p->p_secflags.psf_effective, flag); 153 } else { 154 if (!secflag_isset(p->p_secflags.psf_upper, flag)) 155 return (EPERM); 156 157 if ((secpolicy_psecflags(CRED(), p, p) != 0) && 158 !secflag_isset(p->p_secflags.psf_inherit, flag)) 159 return (EPERM); 160 161 secflag_set(&p->p_secflags.psf_effective, flag); 162 } 163 164 return (0); 165 } 166 167 #ifndef _ELF32_COMPAT 168 void 169 elf_ctx_resize_scratch(elf_core_ctx_t *ctx, size_t sz) 170 { 171 size_t target = MIN(sz, elf_datasz_max); 172 173 if (target > ctx->ecc_bufsz) { 174 if (ctx->ecc_buf != NULL) { 175 kmem_free(ctx->ecc_buf, ctx->ecc_bufsz); 176 } 177 ctx->ecc_buf = kmem_alloc(target, KM_SLEEP); 178 ctx->ecc_bufsz = target; 179 } 180 } 181 #endif /* _ELF32_COMPAT */ 182 183 /* 184 * Map in the executable pointed to by vp. Returns 0 on success. 185 */ 186 int 187 mapexec_brand(vnode_t *vp, uarg_t *args, Ehdr *ehdr, Addr *uphdr_vaddr, 188 intptr_t *voffset, caddr_t exec_file, int *interp, caddr_t *bssbase, 189 caddr_t *brkbase, size_t *brksize, uintptr_t *lddatap) 190 { 191 size_t len, phdrsize; 192 struct vattr vat; 193 caddr_t phdrbase = NULL; 194 uint_t nshdrs, shstrndx, nphdrs; 195 int error = 0; 196 Phdr *uphdr = NULL; 197 Phdr *junk = NULL; 198 Phdr *dynphdr = NULL; 199 Phdr *dtrphdr = NULL; 200 uintptr_t lddata, minaddr; 201 size_t execsz; 202 203 if (lddatap != NULL) 204 *lddatap = 0; 205 206 if (error = execpermissions(vp, &vat, args)) { 207 uprintf("%s: Cannot execute %s\n", exec_file, args->pathname); 208 return (error); 209 } 210 211 if ((error = getelfhead(vp, CRED(), ehdr, &nshdrs, &shstrndx, 212 &nphdrs)) != 0 || 213 (error = getelfphdr(vp, CRED(), ehdr, nphdrs, &phdrbase, 214 &phdrsize)) != 0) { 215 uprintf("%s: Cannot read %s\n", exec_file, args->pathname); 216 return (error); 217 } 218 219 if ((len = elfsize(ehdr, nphdrs, phdrbase, &lddata)) == 0) { 220 uprintf("%s: Nothing to load in %s", exec_file, args->pathname); 221 kmem_free(phdrbase, phdrsize); 222 return (ENOEXEC); 223 } 224 if (lddatap != NULL) 225 *lddatap = lddata; 226 227 if (error = mapelfexec(vp, ehdr, nphdrs, phdrbase, &uphdr, &dynphdr, 228 &junk, &dtrphdr, NULL, bssbase, brkbase, voffset, &minaddr, 229 len, &execsz, brksize)) { 230 uprintf("%s: Cannot map %s\n", exec_file, args->pathname); 231 if (uphdr != NULL && uphdr->p_flags == 0) 232 kmem_free(uphdr, sizeof (Phdr)); 233 kmem_free(phdrbase, phdrsize); 234 return (error); 235 } 236 237 /* 238 * Inform our caller if the executable needs an interpreter. 239 */ 240 *interp = (dynphdr == NULL) ? 0 : 1; 241 242 /* 243 * If this is a statically linked executable, voffset should indicate 244 * the address of the executable itself (it normally holds the address 245 * of the interpreter). 246 */ 247 if (ehdr->e_type == ET_EXEC && *interp == 0) 248 *voffset = minaddr; 249 250 if (uphdr != NULL) { 251 *uphdr_vaddr = uphdr->p_vaddr; 252 253 if (uphdr->p_flags == 0) 254 kmem_free(uphdr, sizeof (Phdr)); 255 } else { 256 *uphdr_vaddr = (Addr)-1; 257 } 258 259 kmem_free(phdrbase, phdrsize); 260 return (error); 261 } 262 263 int 264 elfexec(vnode_t *vp, execa_t *uap, uarg_t *args, intpdata_t *idatap, 265 int level, size_t *execsz, int setid, caddr_t exec_file, cred_t *cred, 266 int brand_action) 267 { 268 caddr_t phdrbase = NULL; 269 caddr_t bssbase = 0; 270 caddr_t brkbase = 0; 271 size_t brksize = 0; 272 size_t dlnsize; 273 aux_entry_t *aux; 274 int error; 275 ssize_t resid; 276 int fd = -1; 277 intptr_t voffset; 278 Phdr *intphdr = NULL; 279 Phdr *dynamicphdr = NULL; 280 Phdr *stphdr = NULL; 281 Phdr *uphdr = NULL; 282 Phdr *junk = NULL; 283 size_t len; 284 size_t postfixsize = 0; 285 size_t i; 286 Phdr *phdrp; 287 Phdr *dataphdrp = NULL; 288 Phdr *dtrphdr; 289 Phdr *capphdr = NULL; 290 Cap *cap = NULL; 291 size_t capsize; 292 int hasu = 0; 293 int hasauxv = 0; 294 int hasintp = 0; 295 int branded = 0; 296 boolean_t dynuphdr = B_FALSE; 297 298 struct proc *p = ttoproc(curthread); 299 struct user *up = PTOU(p); 300 struct bigwad { 301 Ehdr ehdr; 302 aux_entry_t elfargs[__KERN_NAUXV_IMPL]; 303 char dl_name[MAXPATHLEN]; 304 char pathbuf[MAXPATHLEN]; 305 struct vattr vattr; 306 struct execenv exenv; 307 } *bigwad; /* kmem_alloc this behemoth so we don't blow stack */ 308 Ehdr *ehdrp; 309 uint_t nshdrs, shstrndx, nphdrs; 310 size_t phdrsize; 311 char *dlnp; 312 char *pathbufp; 313 rlim64_t limit; 314 rlim64_t roundlimit; 315 316 ASSERT(p->p_model == DATAMODEL_ILP32 || p->p_model == DATAMODEL_LP64); 317 318 bigwad = kmem_alloc(sizeof (struct bigwad), KM_SLEEP); 319 ehdrp = &bigwad->ehdr; 320 dlnp = bigwad->dl_name; 321 pathbufp = bigwad->pathbuf; 322 323 /* 324 * Obtain ELF and program header information. 325 */ 326 if ((error = getelfhead(vp, CRED(), ehdrp, &nshdrs, &shstrndx, 327 &nphdrs)) != 0 || 328 (error = getelfphdr(vp, CRED(), ehdrp, nphdrs, &phdrbase, 329 &phdrsize)) != 0) 330 goto out; 331 332 /* 333 * Prevent executing an ELF file that has no entry point. 334 */ 335 if (ehdrp->e_entry == 0) { 336 uprintf("%s: Bad entry point\n", exec_file); 337 goto bad; 338 } 339 340 /* 341 * Put data model that we're exec-ing to into the args passed to 342 * exec_args(), so it will know what it is copying to on new stack. 343 * Now that we know whether we are exec-ing a 32-bit or 64-bit 344 * executable, we can set execsz with the appropriate NCARGS. 345 */ 346 #ifdef _LP64 347 if (ehdrp->e_ident[EI_CLASS] == ELFCLASS32) { 348 args->to_model = DATAMODEL_ILP32; 349 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS32-1); 350 } else { 351 args->to_model = DATAMODEL_LP64; 352 args->stk_prot &= ~PROT_EXEC; 353 #if defined(__x86) 354 args->dat_prot &= ~PROT_EXEC; 355 #endif 356 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS64-1); 357 } 358 #else /* _LP64 */ 359 args->to_model = DATAMODEL_ILP32; 360 *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS-1); 361 #endif /* _LP64 */ 362 363 /* 364 * We delay invoking the brand callback until we've figured out 365 * what kind of elf binary we're trying to run, 32-bit or 64-bit. 366 * We do this because now the brand library can just check 367 * args->to_model to see if the target is 32-bit or 64-bit without 368 * having do duplicate all the code above. 369 * 370 * The level checks associated with brand handling below are used to 371 * prevent a loop since the brand elfexec function typically comes back 372 * through this function. We must check <= here since the nested 373 * handling in the #! interpreter code will increment the level before 374 * calling gexec to run the final elfexec interpreter. 375 */ 376 if ((level <= INTP_MAXDEPTH) && 377 (brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) { 378 error = BROP(p)->b_elfexec(vp, uap, args, 379 idatap, level + 1, execsz, setid, exec_file, cred, 380 brand_action); 381 goto out; 382 } 383 384 /* 385 * Determine aux size now so that stack can be built 386 * in one shot (except actual copyout of aux image), 387 * determine any non-default stack protections, 388 * and still have this code be machine independent. 389 */ 390 const uint_t hsize = ehdrp->e_phentsize; 391 phdrp = (Phdr *)phdrbase; 392 for (i = nphdrs; i > 0; i--) { 393 switch (phdrp->p_type) { 394 case PT_INTERP: 395 hasauxv = hasintp = 1; 396 break; 397 case PT_PHDR: 398 hasu = 1; 399 break; 400 case PT_SUNWSTACK: 401 args->stk_prot = PROT_USER; 402 if (phdrp->p_flags & PF_R) 403 args->stk_prot |= PROT_READ; 404 if (phdrp->p_flags & PF_W) 405 args->stk_prot |= PROT_WRITE; 406 if (phdrp->p_flags & PF_X) 407 args->stk_prot |= PROT_EXEC; 408 break; 409 case PT_LOAD: 410 dataphdrp = phdrp; 411 break; 412 case PT_SUNWCAP: 413 capphdr = phdrp; 414 break; 415 case PT_DYNAMIC: 416 dynamicphdr = phdrp; 417 break; 418 } 419 phdrp = (Phdr *)((caddr_t)phdrp + hsize); 420 } 421 422 if (ehdrp->e_type != ET_EXEC) { 423 dataphdrp = NULL; 424 hasauxv = 1; 425 } 426 427 /* Copy BSS permissions to args->dat_prot */ 428 if (dataphdrp != NULL) { 429 args->dat_prot = PROT_USER; 430 if (dataphdrp->p_flags & PF_R) 431 args->dat_prot |= PROT_READ; 432 if (dataphdrp->p_flags & PF_W) 433 args->dat_prot |= PROT_WRITE; 434 if (dataphdrp->p_flags & PF_X) 435 args->dat_prot |= PROT_EXEC; 436 } 437 438 /* 439 * If a auxvector will be required - reserve the space for 440 * it now. This may be increased by exec_args if there are 441 * ISA-specific types (included in __KERN_NAUXV_IMPL). 442 */ 443 if (hasauxv) { 444 /* 445 * If a AUX vector is being built - the base AUX 446 * entries are: 447 * 448 * AT_BASE 449 * AT_FLAGS 450 * AT_PAGESZ 451 * AT_SUN_AUXFLAGS 452 * AT_SUN_HWCAP 453 * AT_SUN_HWCAP2 454 * AT_SUN_HWCAP3 455 * AT_SUN_PLATFORM (added in stk_copyout) 456 * AT_SUN_EXECNAME (added in stk_copyout) 457 * AT_NULL 458 * 459 * total == 10 460 */ 461 if (hasintp && hasu) { 462 /* 463 * Has PT_INTERP & PT_PHDR - the auxvectors that 464 * will be built are: 465 * 466 * AT_PHDR 467 * AT_PHENT 468 * AT_PHNUM 469 * AT_ENTRY 470 * AT_LDDATA 471 * 472 * total = 5 473 */ 474 args->auxsize = (10 + 5) * sizeof (aux_entry_t); 475 } else if (hasintp) { 476 /* 477 * Has PT_INTERP but no PT_PHDR 478 * 479 * AT_EXECFD 480 * AT_LDDATA 481 * 482 * total = 2 483 */ 484 args->auxsize = (10 + 2) * sizeof (aux_entry_t); 485 } else { 486 args->auxsize = 10 * sizeof (aux_entry_t); 487 } 488 } else { 489 args->auxsize = 0; 490 } 491 492 /* 493 * If this binary is using an emulator, we need to add an 494 * AT_SUN_EMULATOR aux entry. 495 */ 496 if (args->emulator != NULL) 497 args->auxsize += sizeof (aux_entry_t); 498 499 /* 500 * On supported kernels (x86_64) make room in the auxv for the 501 * AT_SUN_COMMPAGE entry. This will go unpopulated on i86xpv systems 502 * which do not provide such functionality. 503 * 504 * Additionally cover the floating point information AT_SUN_FPSIZE and 505 * AT_SUN_FPTYPE. 506 */ 507 #if defined(__amd64) 508 args->auxsize += 3 * sizeof (aux_entry_t); 509 #endif /* defined(__amd64) */ 510 511 if ((brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) { 512 branded = 1; 513 /* 514 * We will be adding 4 entries to the aux vectors. One for 515 * the the brandname and 3 for the brand specific aux vectors. 516 */ 517 args->auxsize += 4 * sizeof (aux_entry_t); 518 } 519 520 /* If the binary has an explicit ASLR flag, it must be honoured */ 521 if ((dynamicphdr != NULL) && (dynamicphdr->p_filesz > 0)) { 522 const size_t dynfilesz = dynamicphdr->p_filesz; 523 const size_t dynoffset = dynamicphdr->p_offset; 524 Dyn *dyn, *dp; 525 526 if (dynoffset > MAXOFFSET_T || 527 dynfilesz > MAXOFFSET_T || 528 dynoffset + dynfilesz > MAXOFFSET_T) { 529 uprintf("%s: cannot read full .dynamic section\n", 530 exec_file); 531 error = EINVAL; 532 goto out; 533 } 534 535 #define DYN_STRIDE 100 536 for (i = 0; i < dynfilesz; i += sizeof (*dyn) * DYN_STRIDE) { 537 const size_t remdyns = (dynfilesz - i) / sizeof (*dyn); 538 const size_t ndyns = MIN(DYN_STRIDE, remdyns); 539 const size_t dynsize = ndyns * sizeof (*dyn); 540 541 dyn = kmem_alloc(dynsize, KM_SLEEP); 542 543 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)dyn, 544 (ssize_t)dynsize, (offset_t)(dynoffset + i), 545 UIO_SYSSPACE, 0, (rlim64_t)0, 546 CRED(), NULL)) != 0) { 547 uprintf("%s: cannot read .dynamic section\n", 548 exec_file); 549 goto out; 550 } 551 552 for (dp = dyn; dp < (dyn + ndyns); dp++) { 553 if (dp->d_tag == DT_SUNW_ASLR) { 554 if ((error = handle_secflag_dt(p, 555 DT_SUNW_ASLR, 556 dp->d_un.d_val)) != 0) { 557 uprintf("%s: error setting " 558 "security-flag from " 559 "DT_SUNW_ASLR: %d\n", 560 exec_file, error); 561 goto out; 562 } 563 } 564 } 565 566 kmem_free(dyn, dynsize); 567 } 568 } 569 570 /* Hardware/Software capabilities */ 571 if (capphdr != NULL && 572 (capsize = capphdr->p_filesz) > 0 && 573 capsize <= 16 * sizeof (*cap)) { 574 const uint_t ncaps = capsize / sizeof (*cap); 575 Cap *cp; 576 577 cap = kmem_alloc(capsize, KM_SLEEP); 578 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)cap, 579 (ssize_t)capsize, (offset_t)capphdr->p_offset, 580 UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), NULL)) != 0) { 581 uprintf("%s: Cannot read capabilities section\n", 582 exec_file); 583 goto out; 584 } 585 for (cp = cap; cp < cap + ncaps; cp++) { 586 if (cp->c_tag == CA_SUNW_SF_1 && 587 (cp->c_un.c_val & SF1_SUNW_ADDR32)) { 588 if (args->to_model == DATAMODEL_LP64) 589 args->addr32 = 1; 590 break; 591 } 592 } 593 } 594 595 aux = bigwad->elfargs; 596 /* 597 * Move args to the user's stack. 598 * This can fill in the AT_SUN_PLATFORM and AT_SUN_EXECNAME aux entries. 599 */ 600 if ((error = exec_args(uap, args, idatap, (void **)&aux)) != 0) { 601 if (error == -1) { 602 error = ENOEXEC; 603 goto bad; 604 } 605 goto out; 606 } 607 /* we're single threaded after this point */ 608 609 /* 610 * If this is an ET_DYN executable (shared object), 611 * determine its memory size so that mapelfexec() can load it. 612 */ 613 if (ehdrp->e_type == ET_DYN) 614 len = elfsize(ehdrp, nphdrs, phdrbase, NULL); 615 else 616 len = 0; 617 618 dtrphdr = NULL; 619 620 error = mapelfexec(vp, ehdrp, nphdrs, phdrbase, &uphdr, &intphdr, 621 &stphdr, &dtrphdr, dataphdrp, &bssbase, &brkbase, &voffset, NULL, 622 len, execsz, &brksize); 623 624 /* 625 * Our uphdr has been dynamically allocated if (and only if) its 626 * program header flags are clear. To avoid leaks, this must be 627 * checked regardless of whether mapelfexec() emitted an error. 628 */ 629 dynuphdr = (uphdr != NULL && uphdr->p_flags == 0); 630 631 if (error != 0) 632 goto bad; 633 634 if (uphdr != NULL && intphdr == NULL) 635 goto bad; 636 637 if (dtrphdr != NULL && dtrace_safe_phdr(dtrphdr, args, voffset) != 0) { 638 uprintf("%s: Bad DTrace phdr in %s\n", exec_file, exec_file); 639 goto bad; 640 } 641 642 if (intphdr != NULL) { 643 size_t len; 644 uintptr_t lddata; 645 char *p; 646 struct vnode *nvp; 647 648 dlnsize = intphdr->p_filesz; 649 650 /* 651 * Make sure none of the component pieces of dlnsize result in 652 * an oversized or zeroed result. 653 */ 654 if (intphdr->p_filesz > MAXPATHLEN || dlnsize > MAXPATHLEN || 655 dlnsize == 0 || dlnsize < intphdr->p_filesz) { 656 goto bad; 657 } 658 659 /* 660 * Read in "interpreter" pathname. 661 */ 662 if ((error = vn_rdwr(UIO_READ, vp, dlnp, 663 (ssize_t)intphdr->p_filesz, (offset_t)intphdr->p_offset, 664 UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) != 0) { 665 uprintf("%s: Cannot obtain interpreter pathname\n", 666 exec_file); 667 goto bad; 668 } 669 670 if (resid != 0 || dlnp[dlnsize - 1] != '\0') 671 goto bad; 672 673 /* 674 * Search for '$ORIGIN' token in interpreter path. 675 * If found, expand it. 676 */ 677 for (p = dlnp; p = strchr(p, '$'); ) { 678 uint_t len, curlen; 679 char *_ptr; 680 681 if (strncmp(++p, ORIGIN_STR, ORIGIN_STR_SIZE)) 682 continue; 683 684 /* 685 * We don't support $ORIGIN on setid programs to close 686 * a potential attack vector. 687 */ 688 if ((setid & EXECSETID_SETID) != 0) { 689 error = ENOEXEC; 690 goto bad; 691 } 692 693 curlen = 0; 694 len = p - dlnp - 1; 695 if (len) { 696 bcopy(dlnp, pathbufp, len); 697 curlen += len; 698 } 699 if (_ptr = strrchr(args->pathname, '/')) { 700 len = _ptr - args->pathname; 701 if ((curlen + len) > MAXPATHLEN) 702 break; 703 704 bcopy(args->pathname, &pathbufp[curlen], len); 705 curlen += len; 706 } else { 707 /* 708 * executable is a basename found in the 709 * current directory. So - just substitue 710 * '.' for ORIGIN. 711 */ 712 pathbufp[curlen] = '.'; 713 curlen++; 714 } 715 p += ORIGIN_STR_SIZE; 716 len = strlen(p); 717 718 if ((curlen + len) > MAXPATHLEN) 719 break; 720 bcopy(p, &pathbufp[curlen], len); 721 curlen += len; 722 pathbufp[curlen++] = '\0'; 723 bcopy(pathbufp, dlnp, curlen); 724 } 725 726 /* 727 * /usr/lib/ld.so.1 is known to be a symlink to /lib/ld.so.1 728 * (and /usr/lib/64/ld.so.1 is a symlink to /lib/64/ld.so.1). 729 * Just in case /usr is not mounted, change it now. 730 */ 731 if (strcmp(dlnp, USR_LIB_RTLD) == 0) 732 dlnp += 4; 733 error = lookupname(dlnp, UIO_SYSSPACE, FOLLOW, NULLVPP, &nvp); 734 if (error && dlnp != bigwad->dl_name) { 735 /* new kernel, old user-level */ 736 error = lookupname(dlnp -= 4, UIO_SYSSPACE, FOLLOW, 737 NULLVPP, &nvp); 738 } 739 if (error) { 740 uprintf("%s: Cannot find %s\n", exec_file, dlnp); 741 goto bad; 742 } 743 744 /* 745 * Setup the "aux" vector. 746 */ 747 if (uphdr) { 748 if (ehdrp->e_type == ET_DYN) { 749 /* don't use the first page */ 750 bigwad->exenv.ex_brkbase = (caddr_t)PAGESIZE; 751 bigwad->exenv.ex_bssbase = (caddr_t)PAGESIZE; 752 } else { 753 bigwad->exenv.ex_bssbase = bssbase; 754 bigwad->exenv.ex_brkbase = brkbase; 755 } 756 bigwad->exenv.ex_brksize = brksize; 757 bigwad->exenv.ex_magic = elfmagic; 758 bigwad->exenv.ex_vp = vp; 759 setexecenv(&bigwad->exenv); 760 761 ADDAUX(aux, AT_PHDR, uphdr->p_vaddr + voffset) 762 ADDAUX(aux, AT_PHENT, ehdrp->e_phentsize) 763 ADDAUX(aux, AT_PHNUM, nphdrs) 764 ADDAUX(aux, AT_ENTRY, ehdrp->e_entry + voffset) 765 } else { 766 if ((error = execopen(&vp, &fd)) != 0) { 767 VN_RELE(nvp); 768 goto bad; 769 } 770 771 ADDAUX(aux, AT_EXECFD, fd) 772 } 773 774 if ((error = execpermissions(nvp, &bigwad->vattr, args)) != 0) { 775 VN_RELE(nvp); 776 uprintf("%s: Cannot execute %s\n", exec_file, dlnp); 777 goto bad; 778 } 779 780 /* 781 * Now obtain the ELF header along with the entire program 782 * header contained in "nvp". 783 */ 784 kmem_free(phdrbase, phdrsize); 785 phdrbase = NULL; 786 if ((error = getelfhead(nvp, CRED(), ehdrp, &nshdrs, 787 &shstrndx, &nphdrs)) != 0 || 788 (error = getelfphdr(nvp, CRED(), ehdrp, nphdrs, &phdrbase, 789 &phdrsize)) != 0) { 790 VN_RELE(nvp); 791 uprintf("%s: Cannot read %s\n", exec_file, dlnp); 792 goto bad; 793 } 794 795 /* 796 * Determine memory size of the "interpreter's" loadable 797 * sections. This size is then used to obtain the virtual 798 * address of a hole, in the user's address space, large 799 * enough to map the "interpreter". 800 */ 801 if ((len = elfsize(ehdrp, nphdrs, phdrbase, &lddata)) == 0) { 802 VN_RELE(nvp); 803 uprintf("%s: Nothing to load in %s\n", exec_file, dlnp); 804 goto bad; 805 } 806 807 dtrphdr = NULL; 808 809 error = mapelfexec(nvp, ehdrp, nphdrs, phdrbase, NULL, &junk, 810 &junk, &dtrphdr, NULL, NULL, NULL, &voffset, NULL, len, 811 execsz, NULL); 812 813 if (error || junk != NULL) { 814 VN_RELE(nvp); 815 uprintf("%s: Cannot map %s\n", exec_file, dlnp); 816 goto bad; 817 } 818 819 /* 820 * We use the DTrace program header to initialize the 821 * architecture-specific user per-LWP location. The dtrace 822 * fasttrap provider requires ready access to per-LWP scratch 823 * space. We assume that there is only one such program header 824 * in the interpreter. 825 */ 826 if (dtrphdr != NULL && 827 dtrace_safe_phdr(dtrphdr, args, voffset) != 0) { 828 VN_RELE(nvp); 829 uprintf("%s: Bad DTrace phdr in %s\n", exec_file, dlnp); 830 goto bad; 831 } 832 833 VN_RELE(nvp); 834 ADDAUX(aux, AT_SUN_LDDATA, voffset + lddata) 835 } 836 837 if (hasauxv) { 838 int auxf = AF_SUN_HWCAPVERIFY; 839 #if defined(__amd64) 840 size_t fpsize; 841 int fptype; 842 #endif /* defined(__amd64) */ 843 844 /* 845 * Note: AT_SUN_PLATFORM and AT_SUN_EXECNAME were filled in via 846 * exec_args() 847 */ 848 ADDAUX(aux, AT_BASE, voffset) 849 ADDAUX(aux, AT_FLAGS, at_flags) 850 ADDAUX(aux, AT_PAGESZ, PAGESIZE) 851 /* 852 * Linker flags. (security) 853 * p_flag not yet set at this time. 854 * We rely on gexec() to provide us with the information. 855 * If the application is set-uid but this is not reflected 856 * in a mismatch between real/effective uids/gids, then 857 * don't treat this as a set-uid exec. So we care about 858 * the EXECSETID_UGIDS flag but not the ...SETID flag. 859 */ 860 if ((setid &= ~EXECSETID_SETID) != 0) 861 auxf |= AF_SUN_SETUGID; 862 863 /* 864 * If we're running a native process from within a branded 865 * zone under pfexec then we clear the AF_SUN_SETUGID flag so 866 * that the native ld.so.1 is able to link with the native 867 * libraries instead of using the brand libraries that are 868 * installed in the zone. We only do this for processes 869 * which we trust because we see they are already running 870 * under pfexec (where uid != euid). This prevents a 871 * malicious user within the zone from crafting a wrapper to 872 * run native suid commands with unsecure libraries interposed. 873 */ 874 if ((brand_action == EBA_NATIVE) && (PROC_IS_BRANDED(p) && 875 (setid &= ~EXECSETID_SETID) != 0)) 876 auxf &= ~AF_SUN_SETUGID; 877 878 /* 879 * Record the user addr of the auxflags aux vector entry 880 * since brands may optionally want to manipulate this field. 881 */ 882 args->auxp_auxflags = 883 (char *)((char *)args->stackend + 884 ((char *)&aux->a_type - 885 (char *)bigwad->elfargs)); 886 ADDAUX(aux, AT_SUN_AUXFLAGS, auxf); 887 888 /* 889 * Hardware capability flag word (performance hints) 890 * Used for choosing faster library routines. 891 * (Potentially different between 32-bit and 64-bit ABIs) 892 */ 893 if (args->to_model == DATAMODEL_NATIVE) { 894 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap) 895 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap_2) 896 ADDAUX(aux, AT_SUN_HWCAP3, auxv_hwcap_3) 897 } else { 898 ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap32) 899 ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap32_2) 900 ADDAUX(aux, AT_SUN_HWCAP3, auxv_hwcap32_3) 901 } 902 903 if (branded) { 904 /* 905 * Reserve space for the brand-private aux vectors, 906 * and record the user addr of that space. 907 */ 908 args->auxp_brand = 909 (char *)((char *)args->stackend + 910 ((char *)&aux->a_type - 911 (char *)bigwad->elfargs)); 912 ADDAUX(aux, AT_SUN_BRAND_AUX1, 0) 913 ADDAUX(aux, AT_SUN_BRAND_AUX2, 0) 914 ADDAUX(aux, AT_SUN_BRAND_AUX3, 0) 915 } 916 917 /* 918 * Add the comm page auxv entry, mapping it in if needed. Also 919 * take care of the FPU entries. 920 */ 921 #if defined(__amd64) 922 if (args->commpage != (uintptr_t)NULL || 923 (args->commpage = (uintptr_t)comm_page_mapin()) != 924 (uintptr_t)NULL) { 925 ADDAUX(aux, AT_SUN_COMMPAGE, args->commpage) 926 } else { 927 /* 928 * If the comm page cannot be mapped, pad out the auxv 929 * to satisfy later size checks. 930 */ 931 ADDAUX(aux, AT_NULL, 0) 932 } 933 934 fptype = AT_386_FPINFO_NONE; 935 fpu_auxv_info(&fptype, &fpsize); 936 if (fptype != AT_386_FPINFO_NONE) { 937 ADDAUX(aux, AT_SUN_FPTYPE, fptype) 938 ADDAUX(aux, AT_SUN_FPSIZE, fpsize) 939 } else { 940 ADDAUX(aux, AT_NULL, 0) 941 ADDAUX(aux, AT_NULL, 0) 942 } 943 #endif /* defined(__amd64) */ 944 945 ADDAUX(aux, AT_NULL, 0) 946 postfixsize = (uintptr_t)aux - (uintptr_t)bigwad->elfargs; 947 948 /* 949 * We make assumptions above when we determine how many aux 950 * vector entries we will be adding. However, if we have an 951 * invalid elf file, it is possible that mapelfexec might 952 * behave differently (but not return an error), in which case 953 * the number of aux entries we actually add will be different. 954 * We detect that now and error out. 955 */ 956 if (postfixsize != args->auxsize) { 957 DTRACE_PROBE2(elfexec_badaux, size_t, postfixsize, 958 size_t, args->auxsize); 959 goto bad; 960 } 961 ASSERT(postfixsize <= __KERN_NAUXV_IMPL * sizeof (aux_entry_t)); 962 } 963 964 /* 965 * For the 64-bit kernel, the limit is big enough that rounding it up 966 * to a page can overflow the 64-bit limit, so we check for btopr() 967 * overflowing here by comparing it with the unrounded limit in pages. 968 * If it hasn't overflowed, compare the exec size with the rounded up 969 * limit in pages. Otherwise, just compare with the unrounded limit. 970 */ 971 limit = btop(p->p_vmem_ctl); 972 roundlimit = btopr(p->p_vmem_ctl); 973 if ((roundlimit > limit && *execsz > roundlimit) || 974 (roundlimit < limit && *execsz > limit)) { 975 mutex_enter(&p->p_lock); 976 (void) rctl_action(rctlproc_legacy[RLIMIT_VMEM], p->p_rctls, p, 977 RCA_SAFE); 978 mutex_exit(&p->p_lock); 979 error = ENOMEM; 980 goto bad; 981 } 982 983 bzero(up->u_auxv, sizeof (up->u_auxv)); 984 up->u_commpagep = args->commpage; 985 if (postfixsize) { 986 size_t num_auxv; 987 988 /* 989 * Copy the aux vector to the user stack. 990 */ 991 error = execpoststack(args, bigwad->elfargs, postfixsize); 992 if (error) 993 goto bad; 994 995 /* 996 * Copy auxv to the process's user structure for use by /proc. 997 * If this is a branded process, the brand's exec routine will 998 * copy it's private entries to the user structure later. It 999 * relies on the fact that the blank entries are at the end. 1000 */ 1001 num_auxv = postfixsize / sizeof (aux_entry_t); 1002 ASSERT(num_auxv <= sizeof (up->u_auxv) / sizeof (auxv_t)); 1003 aux = bigwad->elfargs; 1004 for (i = 0; i < num_auxv; i++) { 1005 up->u_auxv[i].a_type = aux[i].a_type; 1006 up->u_auxv[i].a_un.a_val = (aux_val_t)aux[i].a_un.a_val; 1007 } 1008 } 1009 1010 /* 1011 * Pass back the starting address so we can set the program counter. 1012 */ 1013 args->entry = (uintptr_t)(ehdrp->e_entry + voffset); 1014 1015 if (!uphdr) { 1016 if (ehdrp->e_type == ET_DYN) { 1017 /* 1018 * If we are executing a shared library which doesn't 1019 * have a interpreter (probably ld.so.1) then 1020 * we don't set the brkbase now. Instead we 1021 * delay it's setting until the first call 1022 * via grow.c::brk(). This permits ld.so.1 to 1023 * initialize brkbase to the tail of the executable it 1024 * loads (which is where it needs to be). 1025 */ 1026 bigwad->exenv.ex_brkbase = (caddr_t)0; 1027 bigwad->exenv.ex_bssbase = (caddr_t)0; 1028 bigwad->exenv.ex_brksize = 0; 1029 } else { 1030 bigwad->exenv.ex_brkbase = brkbase; 1031 bigwad->exenv.ex_bssbase = bssbase; 1032 bigwad->exenv.ex_brksize = brksize; 1033 } 1034 bigwad->exenv.ex_magic = elfmagic; 1035 bigwad->exenv.ex_vp = vp; 1036 setexecenv(&bigwad->exenv); 1037 } 1038 1039 ASSERT(error == 0); 1040 goto out; 1041 1042 bad: 1043 if (fd != -1) /* did we open the a.out yet */ 1044 (void) execclose(fd); 1045 1046 psignal(p, SIGKILL); 1047 1048 if (error == 0) 1049 error = ENOEXEC; 1050 out: 1051 if (dynuphdr) 1052 kmem_free(uphdr, sizeof (Phdr)); 1053 if (phdrbase != NULL) 1054 kmem_free(phdrbase, phdrsize); 1055 if (cap != NULL) 1056 kmem_free(cap, capsize); 1057 kmem_free(bigwad, sizeof (struct bigwad)); 1058 return (error); 1059 } 1060 1061 /* 1062 * Compute the memory size requirement for the ELF file. 1063 */ 1064 static size_t 1065 elfsize(const Ehdr *ehdrp, uint_t nphdrs, const caddr_t phdrbase, 1066 uintptr_t *lddata) 1067 { 1068 const Phdr *phdrp = (Phdr *)phdrbase; 1069 const uint_t hsize = ehdrp->e_phentsize; 1070 boolean_t dfirst = B_TRUE; 1071 uintptr_t loaddr = UINTPTR_MAX; 1072 uintptr_t hiaddr = 0; 1073 uint_t i; 1074 1075 for (i = nphdrs; i > 0; i--) { 1076 if (phdrp->p_type == PT_LOAD) { 1077 const uintptr_t lo = phdrp->p_vaddr; 1078 const uintptr_t hi = lo + phdrp->p_memsz; 1079 1080 loaddr = MIN(lo, loaddr); 1081 hiaddr = MAX(hi, hiaddr); 1082 1083 /* 1084 * save the address of the first data segment 1085 * of a object - used for the AT_SUNW_LDDATA 1086 * aux entry. 1087 */ 1088 if ((lddata != NULL) && dfirst && 1089 (phdrp->p_flags & PF_W)) { 1090 *lddata = lo; 1091 dfirst = B_FALSE; 1092 } 1093 } 1094 phdrp = (Phdr *)((caddr_t)phdrp + hsize); 1095 } 1096 1097 if (hiaddr <= loaddr) { 1098 /* No non-zero PT_LOAD segment found */ 1099 return (0); 1100 } 1101 1102 return (roundup(hiaddr - (loaddr & PAGEMASK), PAGESIZE)); 1103 } 1104 1105 /* 1106 * Read in the ELF header and program header table. 1107 * SUSV3 requires: 1108 * ENOEXEC File format is not recognized 1109 * EINVAL Format recognized but execution not supported 1110 */ 1111 static int 1112 getelfhead(vnode_t *vp, cred_t *credp, Ehdr *ehdr, uint_t *nshdrs, 1113 uint_t *shstrndx, uint_t *nphdrs) 1114 { 1115 int error; 1116 ssize_t resid; 1117 1118 /* 1119 * We got here by the first two bytes in ident, 1120 * now read the entire ELF header. 1121 */ 1122 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)ehdr, 1123 sizeof (Ehdr), (offset_t)0, UIO_SYSSPACE, 0, 1124 (rlim64_t)0, credp, &resid)) != 0) 1125 return (error); 1126 1127 /* 1128 * Since a separate version is compiled for handling 32-bit and 1129 * 64-bit ELF executables on a 64-bit kernel, the 64-bit version 1130 * doesn't need to be able to deal with 32-bit ELF files. 1131 */ 1132 if (resid != 0 || 1133 ehdr->e_ident[EI_MAG2] != ELFMAG2 || 1134 ehdr->e_ident[EI_MAG3] != ELFMAG3) 1135 return (ENOEXEC); 1136 1137 if ((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN) || 1138 #if defined(_ILP32) || defined(_ELF32_COMPAT) 1139 ehdr->e_ident[EI_CLASS] != ELFCLASS32 || 1140 #else 1141 ehdr->e_ident[EI_CLASS] != ELFCLASS64 || 1142 #endif 1143 !elfheadcheck(ehdr->e_ident[EI_DATA], ehdr->e_machine, 1144 ehdr->e_flags)) 1145 return (EINVAL); 1146 1147 *nshdrs = ehdr->e_shnum; 1148 *shstrndx = ehdr->e_shstrndx; 1149 *nphdrs = ehdr->e_phnum; 1150 1151 /* 1152 * If e_shnum, e_shstrndx, or e_phnum is its sentinel value, we need 1153 * to read in the section header at index zero to access the true 1154 * values for those fields. 1155 */ 1156 if ((*nshdrs == 0 && ehdr->e_shoff != 0) || 1157 *shstrndx == SHN_XINDEX || *nphdrs == PN_XNUM) { 1158 Shdr shdr; 1159 1160 if (ehdr->e_shoff == 0) 1161 return (EINVAL); 1162 1163 if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)&shdr, 1164 sizeof (shdr), (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0, 1165 (rlim64_t)0, credp, NULL)) != 0) { 1166 return (error); 1167 } 1168 1169 if (*nshdrs == 0) 1170 *nshdrs = shdr.sh_size; 1171 if (*shstrndx == SHN_XINDEX) 1172 *shstrndx = shdr.sh_link; 1173 if (*nphdrs == PN_XNUM && shdr.sh_info != 0) 1174 *nphdrs = shdr.sh_info; 1175 } 1176 1177 return (0); 1178 } 1179 1180 /* 1181 * We use members through p_flags on 32-bit files and p_memsz on 64-bit files, 1182 * so e_phentsize must be at least large enough to include those members. 1183 */ 1184 #if !defined(_LP64) || defined(_ELF32_COMPAT) 1185 #define MINPHENTSZ (offsetof(Phdr, p_flags) + \ 1186 sizeof (((Phdr *)NULL)->p_flags)) 1187 #else 1188 #define MINPHENTSZ (offsetof(Phdr, p_memsz) + \ 1189 sizeof (((Phdr *)NULL)->p_memsz)) 1190 #endif 1191 1192 static int 1193 getelfphdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr, uint_t nphdrs, 1194 caddr_t *phbasep, size_t *phsizep) 1195 { 1196 int err; 1197 1198 /* 1199 * Ensure that e_phentsize is large enough for required fields to be 1200 * accessible and will maintain 8-byte alignment. 1201 */ 1202 if (ehdr->e_phentsize < MINPHENTSZ || (ehdr->e_phentsize & 3)) 1203 return (EINVAL); 1204 1205 *phsizep = nphdrs * ehdr->e_phentsize; 1206 1207 if (*phsizep > sizeof (Phdr) * elf_nphdr_max) { 1208 if ((*phbasep = kmem_alloc(*phsizep, KM_NOSLEEP)) == NULL) 1209 return (ENOMEM); 1210 } else { 1211 *phbasep = kmem_alloc(*phsizep, KM_SLEEP); 1212 } 1213 1214 if ((err = vn_rdwr(UIO_READ, vp, *phbasep, (ssize_t)*phsizep, 1215 (offset_t)ehdr->e_phoff, UIO_SYSSPACE, 0, (rlim64_t)0, 1216 credp, NULL)) != 0) { 1217 kmem_free(*phbasep, *phsizep); 1218 *phbasep = NULL; 1219 return (err); 1220 } 1221 1222 return (0); 1223 } 1224 1225 #define MINSHDRSZ (offsetof(Shdr, sh_entsize) + \ 1226 sizeof (((Shdr *)NULL)->sh_entsize)) 1227 1228 static int 1229 getelfshdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr, uint_t nshdrs, 1230 uint_t shstrndx, caddr_t *shbasep, size_t *shsizep, char **shstrbasep, 1231 size_t *shstrsizep) 1232 { 1233 int err; 1234 Shdr *shdr; 1235 1236 /* 1237 * Since we're going to be using e_shentsize to iterate down the 1238 * array of section headers, it must be 8-byte aligned or else 1239 * a we might cause a misaligned access. We use all members through 1240 * sh_entsize (on both 32- and 64-bit ELF files) so e_shentsize 1241 * must be at least large enough to include that member. The index 1242 * of the string table section must also be valid. 1243 */ 1244 if (ehdr->e_shentsize < MINSHDRSZ || (ehdr->e_shentsize & 3) || 1245 nshdrs == 0 || shstrndx >= nshdrs) { 1246 return (EINVAL); 1247 } 1248 1249 *shsizep = nshdrs * ehdr->e_shentsize; 1250 1251 if (*shsizep > sizeof (Shdr) * elf_nshdr_max) { 1252 if ((*shbasep = kmem_alloc(*shsizep, KM_NOSLEEP)) == NULL) 1253 return (ENOMEM); 1254 } else { 1255 *shbasep = kmem_alloc(*shsizep, KM_SLEEP); 1256 } 1257 1258 if ((err = vn_rdwr(UIO_READ, vp, *shbasep, (ssize_t)*shsizep, 1259 (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0, (rlim64_t)0, 1260 credp, NULL)) != 0) { 1261 kmem_free(*shbasep, *shsizep); 1262 return (err); 1263 } 1264 1265 /* 1266 * Grab the section string table. Walking through the shdrs is 1267 * pointless if their names cannot be interrogated. 1268 */ 1269 shdr = (Shdr *)(*shbasep + shstrndx * ehdr->e_shentsize); 1270 if ((*shstrsizep = shdr->sh_size) == 0) { 1271 kmem_free(*shbasep, *shsizep); 1272 return (EINVAL); 1273 } 1274 1275 if (*shstrsizep > elf_shstrtab_max) { 1276 if ((*shstrbasep = kmem_alloc(*shstrsizep, 1277 KM_NOSLEEP)) == NULL) { 1278 kmem_free(*shbasep, *shsizep); 1279 return (ENOMEM); 1280 } 1281 } else { 1282 *shstrbasep = kmem_alloc(*shstrsizep, KM_SLEEP); 1283 } 1284 1285 if ((err = vn_rdwr(UIO_READ, vp, *shstrbasep, (ssize_t)*shstrsizep, 1286 (offset_t)shdr->sh_offset, UIO_SYSSPACE, 0, (rlim64_t)0, 1287 credp, NULL)) != 0) { 1288 kmem_free(*shbasep, *shsizep); 1289 kmem_free(*shstrbasep, *shstrsizep); 1290 return (err); 1291 } 1292 1293 /* 1294 * Make sure the strtab is null-terminated to make sure we 1295 * don't run off the end of the table. 1296 */ 1297 (*shstrbasep)[*shstrsizep - 1] = '\0'; 1298 1299 return (0); 1300 } 1301 1302 int 1303 elfreadhdr(vnode_t *vp, cred_t *credp, Ehdr *ehdrp, uint_t *nphdrs, 1304 caddr_t *phbasep, size_t *phsizep) 1305 { 1306 int error; 1307 uint_t nshdrs, shstrndx; 1308 1309 if ((error = getelfhead(vp, credp, ehdrp, &nshdrs, &shstrndx, 1310 nphdrs)) != 0 || 1311 (error = getelfphdr(vp, credp, ehdrp, *nphdrs, phbasep, 1312 phsizep)) != 0) { 1313 return (error); 1314 } 1315 return (0); 1316 } 1317 1318 static int 1319 mapelfexec( 1320 vnode_t *vp, 1321 Ehdr *ehdr, 1322 uint_t nphdrs, 1323 caddr_t phdrbase, 1324 Phdr **uphdr, 1325 Phdr **intphdr, 1326 Phdr **stphdr, 1327 Phdr **dtphdr, 1328 Phdr *dataphdrp, 1329 caddr_t *bssbase, 1330 caddr_t *brkbase, 1331 intptr_t *voffset, 1332 uintptr_t *minaddrp, 1333 size_t len, 1334 size_t *execsz, 1335 size_t *brksize) 1336 { 1337 Phdr *phdr; 1338 int error, page, prot; 1339 caddr_t addr = NULL; 1340 caddr_t minaddr = (caddr_t)UINTPTR_MAX; 1341 uint_t i; 1342 size_t zfodsz, memsz; 1343 boolean_t ptload = B_FALSE; 1344 off_t offset; 1345 const uint_t hsize = ehdr->e_phentsize; 1346 extern int use_brk_lpg; 1347 1348 if (ehdr->e_type == ET_DYN) { 1349 secflagset_t flags = 0; 1350 /* 1351 * Obtain the virtual address of a hole in the 1352 * address space to map the "interpreter". 1353 */ 1354 if (secflag_enabled(curproc, PROC_SEC_ASLR)) 1355 flags |= _MAP_RANDOMIZE; 1356 1357 map_addr(&addr, len, (offset_t)0, 1, flags); 1358 if (addr == NULL) 1359 return (ENOMEM); 1360 *voffset = (intptr_t)addr; 1361 1362 /* 1363 * Calculate the minimum vaddr so it can be subtracted out. 1364 * According to the ELF specification, since PT_LOAD sections 1365 * must be sorted by increasing p_vaddr values, this is 1366 * guaranteed to be the first PT_LOAD section. 1367 */ 1368 phdr = (Phdr *)phdrbase; 1369 for (i = nphdrs; i > 0; i--) { 1370 if (phdr->p_type == PT_LOAD) { 1371 *voffset -= (uintptr_t)phdr->p_vaddr; 1372 break; 1373 } 1374 phdr = (Phdr *)((caddr_t)phdr + hsize); 1375 } 1376 1377 } else { 1378 *voffset = 0; 1379 } 1380 1381 phdr = (Phdr *)phdrbase; 1382 for (i = nphdrs; i > 0; i--) { 1383 switch (phdr->p_type) { 1384 case PT_LOAD: 1385 ptload = B_TRUE; 1386 prot = PROT_USER; 1387 if (phdr->p_flags & PF_R) 1388 prot |= PROT_READ; 1389 if (phdr->p_flags & PF_W) 1390 prot |= PROT_WRITE; 1391 if (phdr->p_flags & PF_X) 1392 prot |= PROT_EXEC; 1393 1394 addr = (caddr_t)((uintptr_t)phdr->p_vaddr + *voffset); 1395 1396 if (*intphdr != NULL && uphdr != NULL && 1397 *uphdr == NULL) { 1398 /* 1399 * The PT_PHDR program header is, strictly 1400 * speaking, optional. If we find that this 1401 * is missing, we will determine the location 1402 * of the program headers based on the address 1403 * of the lowest PT_LOAD segment (namely, this 1404 * one): we subtract the p_offset to get to 1405 * the ELF header and then add back the program 1406 * header offset to get to the program headers. 1407 * We then cons up a Phdr that corresponds to 1408 * the (missing) PT_PHDR, setting the flags 1409 * to 0 to denote that this is artificial and 1410 * should (must) be freed by the caller. 1411 */ 1412 Phdr *cons; 1413 1414 cons = kmem_zalloc(sizeof (Phdr), KM_SLEEP); 1415 1416 cons->p_flags = 0; 1417 cons->p_type = PT_PHDR; 1418 cons->p_vaddr = ((uintptr_t)addr - 1419 phdr->p_offset) + ehdr->e_phoff; 1420 1421 *uphdr = cons; 1422 } 1423 1424 /* 1425 * The ELF spec dictates that p_filesz may not be 1426 * larger than p_memsz in PT_LOAD segments. 1427 */ 1428 if (phdr->p_filesz > phdr->p_memsz) { 1429 error = EINVAL; 1430 goto bad; 1431 } 1432 1433 /* 1434 * Keep track of the segment with the lowest starting 1435 * address. 1436 */ 1437 if (addr < minaddr) 1438 minaddr = addr; 1439 1440 zfodsz = (size_t)phdr->p_memsz - phdr->p_filesz; 1441 1442 offset = phdr->p_offset; 1443 if (((uintptr_t)offset & PAGEOFFSET) == 1444 ((uintptr_t)addr & PAGEOFFSET) && 1445 (!(vp->v_flag & VNOMAP))) { 1446 page = 1; 1447 } else { 1448 page = 0; 1449 } 1450 1451 /* 1452 * Set the heap pagesize for OOB when the bss size 1453 * is known and use_brk_lpg is not 0. 1454 */ 1455 if (brksize != NULL && use_brk_lpg && 1456 zfodsz != 0 && phdr == dataphdrp && 1457 (prot & PROT_WRITE)) { 1458 const size_t tlen = P2NPHASE((uintptr_t)addr + 1459 phdr->p_filesz, PAGESIZE); 1460 1461 if (zfodsz > tlen) { 1462 const caddr_t taddr = addr + 1463 phdr->p_filesz + tlen; 1464 1465 /* 1466 * Since a hole in the AS large enough 1467 * for this object as calculated by 1468 * elfsize() is available, we do not 1469 * need to fear overflow for 'taddr'. 1470 */ 1471 curproc->p_brkpageszc = 1472 page_szc(map_pgsz(MAPPGSZ_HEAP, 1473 curproc, taddr, zfodsz - tlen, 0)); 1474 } 1475 } 1476 1477 if (curproc->p_brkpageszc != 0 && phdr == dataphdrp && 1478 (prot & PROT_WRITE)) { 1479 uint_t szc = curproc->p_brkpageszc; 1480 size_t pgsz = page_get_pagesize(szc); 1481 caddr_t ebss = addr + phdr->p_memsz; 1482 /* 1483 * If we need extra space to keep the BSS an 1484 * integral number of pages in size, some of 1485 * that space may fall beyond p_brkbase, so we 1486 * need to set p_brksize to account for it 1487 * being (logically) part of the brk. 1488 */ 1489 size_t extra_zfodsz; 1490 1491 ASSERT(pgsz > PAGESIZE); 1492 1493 extra_zfodsz = P2NPHASE((uintptr_t)ebss, pgsz); 1494 1495 if (error = execmap(vp, addr, phdr->p_filesz, 1496 zfodsz + extra_zfodsz, phdr->p_offset, 1497 prot, page, szc)) 1498 goto bad; 1499 if (brksize != NULL) 1500 *brksize = extra_zfodsz; 1501 } else { 1502 if (error = execmap(vp, addr, phdr->p_filesz, 1503 zfodsz, phdr->p_offset, prot, page, 0)) 1504 goto bad; 1505 } 1506 1507 if (bssbase != NULL && addr >= *bssbase && 1508 phdr == dataphdrp) { 1509 *bssbase = addr + phdr->p_filesz; 1510 } 1511 if (brkbase != NULL && addr >= *brkbase) { 1512 *brkbase = addr + phdr->p_memsz; 1513 } 1514 1515 memsz = btopr(phdr->p_memsz); 1516 if ((*execsz + memsz) < *execsz) { 1517 error = ENOMEM; 1518 goto bad; 1519 } 1520 *execsz += memsz; 1521 break; 1522 1523 case PT_INTERP: 1524 if (ptload) 1525 goto bad; 1526 *intphdr = phdr; 1527 break; 1528 1529 case PT_SHLIB: 1530 *stphdr = phdr; 1531 break; 1532 1533 case PT_PHDR: 1534 if (ptload || phdr->p_flags == 0) 1535 goto bad; 1536 1537 if (uphdr != NULL) 1538 *uphdr = phdr; 1539 1540 break; 1541 1542 case PT_NULL: 1543 case PT_DYNAMIC: 1544 case PT_NOTE: 1545 break; 1546 1547 case PT_SUNWDTRACE: 1548 if (dtphdr != NULL) 1549 *dtphdr = phdr; 1550 break; 1551 1552 default: 1553 break; 1554 } 1555 phdr = (Phdr *)((caddr_t)phdr + hsize); 1556 } 1557 1558 if (minaddrp != NULL) { 1559 ASSERT(minaddr != (caddr_t)UINTPTR_MAX); 1560 *minaddrp = (uintptr_t)minaddr; 1561 } 1562 1563 if (brkbase != NULL && secflag_enabled(curproc, PROC_SEC_ASLR)) { 1564 size_t off; 1565 uintptr_t base = (uintptr_t)*brkbase; 1566 uintptr_t oend = base + *brksize; 1567 1568 ASSERT(ISP2(aslr_max_brk_skew)); 1569 1570 (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off)); 1571 base += P2PHASE(off, aslr_max_brk_skew); 1572 base = P2ROUNDUP(base, PAGESIZE); 1573 *brkbase = (caddr_t)base; 1574 /* 1575 * Above, we set *brksize to account for the possibility we 1576 * had to grow the 'brk' in padding out the BSS to a page 1577 * boundary. 1578 * 1579 * We now need to adjust that based on where we now are 1580 * actually putting the brk. 1581 */ 1582 if (oend > base) 1583 *brksize = oend - base; 1584 else 1585 *brksize = 0; 1586 } 1587 1588 return (0); 1589 bad: 1590 if (error == 0) 1591 error = EINVAL; 1592 return (error); 1593 } 1594 1595 int 1596 elfnote(vnode_t *vp, offset_t *offsetp, int type, int descsz, void *desc, 1597 rlim64_t rlimit, cred_t *credp) 1598 { 1599 Note note; 1600 int error; 1601 1602 bzero(¬e, sizeof (note)); 1603 bcopy("CORE", note.name, 4); 1604 note.nhdr.n_type = type; 1605 /* 1606 * The System V ABI states that n_namesz must be the length of the 1607 * string that follows the Nhdr structure including the terminating 1608 * null. The ABI also specifies that sufficient padding should be 1609 * included so that the description that follows the name string 1610 * begins on a 4- or 8-byte boundary for 32- and 64-bit binaries 1611 * respectively. However, since this change was not made correctly 1612 * at the time of the 64-bit port, both 32- and 64-bit binaries 1613 * descriptions are only guaranteed to begin on a 4-byte boundary. 1614 */ 1615 note.nhdr.n_namesz = 5; 1616 note.nhdr.n_descsz = roundup(descsz, sizeof (Word)); 1617 1618 if (error = core_write(vp, UIO_SYSSPACE, *offsetp, ¬e, 1619 sizeof (note), rlimit, credp)) 1620 return (error); 1621 1622 *offsetp += sizeof (note); 1623 1624 if (error = core_write(vp, UIO_SYSSPACE, *offsetp, desc, 1625 note.nhdr.n_descsz, rlimit, credp)) 1626 return (error); 1627 1628 *offsetp += note.nhdr.n_descsz; 1629 return (0); 1630 } 1631 1632 /* 1633 * Copy the section data from one vnode to the section of another vnode. 1634 */ 1635 static void 1636 elf_copy_scn(elf_core_ctx_t *ctx, const Shdr *src, vnode_t *src_vp, Shdr *dst) 1637 { 1638 size_t n = src->sh_size; 1639 u_offset_t off = 0; 1640 const u_offset_t soff = src->sh_offset; 1641 const u_offset_t doff = ctx->ecc_doffset; 1642 void *buf = ctx->ecc_buf; 1643 vnode_t *dst_vp = ctx->ecc_vp; 1644 cred_t *credp = ctx->ecc_credp; 1645 1646 /* Protect the copy loop below from overflow on the offsets */ 1647 if (n > OFF_MAX || (n + soff) > OFF_MAX || (n + doff) > OFF_MAX || 1648 (n + soff) < n || (n + doff) < n) { 1649 dst->sh_size = 0; 1650 dst->sh_offset = 0; 1651 return; 1652 } 1653 1654 while (n != 0) { 1655 const size_t len = MIN(ctx->ecc_bufsz, n); 1656 ssize_t resid; 1657 1658 if (vn_rdwr(UIO_READ, src_vp, buf, (ssize_t)len, 1659 (offset_t)(soff + off), 1660 UIO_SYSSPACE, 0, (rlim64_t)0, credp, &resid) != 0 || 1661 resid >= len || resid < 0 || 1662 core_write(dst_vp, UIO_SYSSPACE, (offset_t)(doff + off), 1663 buf, len - resid, ctx->ecc_rlimit, credp) != 0) { 1664 dst->sh_size = 0; 1665 dst->sh_offset = 0; 1666 return; 1667 } 1668 1669 ASSERT(n >= len - resid); 1670 1671 n -= len - resid; 1672 off += len - resid; 1673 } 1674 1675 ctx->ecc_doffset += src->sh_size; 1676 } 1677 1678 /* 1679 * Walk sections for a given ELF object, counting (or copying) those of 1680 * interest (CTF, symtab, strtab, .debug_*). 1681 */ 1682 static int 1683 elf_process_obj_scns(elf_core_ctx_t *ctx, vnode_t *mvp, caddr_t saddr, 1684 Shdr *v, uint_t idx, uint_t remain, shstrtab_t *shstrtab, uint_t *countp) 1685 { 1686 Ehdr ehdr; 1687 const core_content_t content = ctx->ecc_content; 1688 cred_t *credp = ctx->ecc_credp; 1689 Shdr *ctf = NULL, *symtab = NULL, *strtab = NULL; 1690 uintptr_t off = 0; 1691 uint_t nshdrs, shstrndx, nphdrs, count = 0; 1692 u_offset_t *doffp = &ctx->ecc_doffset; 1693 boolean_t ctf_link = B_FALSE; 1694 caddr_t shbase; 1695 size_t shsize, shstrsize; 1696 char *shstrbase; 1697 int error = 0; 1698 const boolean_t justcounting = v == NULL; 1699 1700 *countp = 0; 1701 1702 if ((content & 1703 (CC_CONTENT_CTF | CC_CONTENT_SYMTAB | CC_CONTENT_DEBUG)) == 0) { 1704 return (0); 1705 } 1706 1707 if (getelfhead(mvp, credp, &ehdr, &nshdrs, &shstrndx, &nphdrs) != 0 || 1708 getelfshdr(mvp, credp, &ehdr, nshdrs, shstrndx, &shbase, &shsize, 1709 &shstrbase, &shstrsize) != 0) { 1710 return (0); 1711 } 1712 1713 /* Starting at index 1 skips SHT_NULL which is expected at index 0 */ 1714 off = ehdr.e_shentsize; 1715 for (uint_t i = 1; i < nshdrs; i++, off += ehdr.e_shentsize) { 1716 Shdr *shdr, *symchk = NULL, *strchk; 1717 const char *name; 1718 1719 shdr = (Shdr *)(shbase + off); 1720 if (shdr->sh_name >= shstrsize || shdr->sh_type == SHT_NULL) 1721 continue; 1722 1723 name = shstrbase + shdr->sh_name; 1724 1725 if (ctf == NULL && 1726 (content & CC_CONTENT_CTF) != 0 && 1727 strcmp(name, shstrtab_data[STR_CTF]) == 0) { 1728 ctf = shdr; 1729 if (ctf->sh_link != 0 && ctf->sh_link < nshdrs) { 1730 /* check linked symtab below */ 1731 symchk = (Shdr *)(shbase + 1732 shdr->sh_link * ehdr.e_shentsize); 1733 ctf_link = B_TRUE; 1734 } else { 1735 continue; 1736 } 1737 } else if (symtab == NULL && 1738 (content & CC_CONTENT_SYMTAB) != 0 && 1739 strcmp(name, shstrtab_data[STR_SYMTAB]) == 0) { 1740 symchk = shdr; 1741 } else if ((content & CC_CONTENT_DEBUG) != 0 && 1742 strncmp(name, ".debug_", strlen(".debug_")) == 0) { 1743 /* 1744 * The design of the above check is intentional. In 1745 * particular, we want to capture any sections that 1746 * begin with '.debug_' for a few reasons: 1747 * 1748 * 1) Various revisions to the DWARF spec end up 1749 * changing the set of section headers that exist. This 1750 * ensures that we don't need to change the kernel to 1751 * get a new version. 1752 * 1753 * 2) Other software uses .debug_ sections for things 1754 * which aren't DWARF. This allows them to be captured 1755 * as well. 1756 */ 1757 count++; 1758 1759 if (!justcounting) { 1760 if (count > remain) { 1761 error = ENOMEM; 1762 goto done; 1763 } 1764 1765 elf_ctx_resize_scratch(ctx, shdr->sh_size); 1766 1767 if (!shstrtab_ndx(shstrtab, 1768 name, &v[idx].sh_name)) { 1769 error = ENOMEM; 1770 goto done; 1771 } 1772 1773 v[idx].sh_addr = (Addr)(uintptr_t)saddr; 1774 v[idx].sh_type = shdr->sh_type; 1775 v[idx].sh_addralign = shdr->sh_addralign; 1776 *doffp = roundup(*doffp, v[idx].sh_addralign); 1777 v[idx].sh_offset = *doffp; 1778 v[idx].sh_size = shdr->sh_size; 1779 v[idx].sh_link = 0; 1780 v[idx].sh_entsize = shdr->sh_entsize; 1781 v[idx].sh_info = shdr->sh_info; 1782 1783 elf_copy_scn(ctx, shdr, mvp, &v[idx]); 1784 idx++; 1785 } 1786 1787 continue; 1788 } else { 1789 continue; 1790 } 1791 1792 ASSERT(symchk != NULL); 1793 if ((symchk->sh_type != SHT_DYNSYM && 1794 symchk->sh_type != SHT_SYMTAB) || 1795 symchk->sh_link == 0 || symchk->sh_link >= nshdrs) { 1796 ctf_link = B_FALSE; 1797 continue; 1798 } 1799 strchk = (Shdr *)(shbase + symchk->sh_link * ehdr.e_shentsize); 1800 if (strchk->sh_type != SHT_STRTAB) { 1801 ctf_link = B_FALSE; 1802 continue; 1803 } 1804 symtab = symchk; 1805 strtab = strchk; 1806 1807 if (symtab != NULL && ctf != NULL && 1808 (content & CC_CONTENT_DEBUG) == 0) { 1809 /* No other shdrs are of interest at this point */ 1810 break; 1811 } 1812 } 1813 1814 if (ctf != NULL) 1815 count += 1; 1816 if (symtab != NULL) 1817 count += 2; 1818 1819 if (count > remain) { 1820 count = remain; 1821 if (!justcounting) 1822 error = ENOMEM; 1823 goto done; 1824 } 1825 1826 if (justcounting) 1827 goto done; 1828 1829 /* output CTF section */ 1830 if (ctf != NULL) { 1831 elf_ctx_resize_scratch(ctx, ctf->sh_size); 1832 1833 if (!shstrtab_ndx(shstrtab, 1834 shstrtab_data[STR_CTF], &v[idx].sh_name)) { 1835 error = ENOMEM; 1836 goto done; 1837 } 1838 v[idx].sh_addr = (Addr)(uintptr_t)saddr; 1839 v[idx].sh_type = SHT_PROGBITS; 1840 v[idx].sh_addralign = 4; 1841 *doffp = roundup(*doffp, v[idx].sh_addralign); 1842 v[idx].sh_offset = *doffp; 1843 v[idx].sh_size = ctf->sh_size; 1844 1845 if (ctf_link) { 1846 /* 1847 * The linked symtab (and strtab) will be output 1848 * immediately after this CTF section. Its shdr index 1849 * directly follows this one. 1850 */ 1851 v[idx].sh_link = idx + 1; 1852 ASSERT(symtab != NULL); 1853 } else { 1854 v[idx].sh_link = 0; 1855 } 1856 elf_copy_scn(ctx, ctf, mvp, &v[idx]); 1857 idx++; 1858 } 1859 1860 /* output SYMTAB/STRTAB sections */ 1861 if (symtab != NULL) { 1862 shstrtype_t symtab_type, strtab_type; 1863 uint_t symtab_name, strtab_name; 1864 1865 elf_ctx_resize_scratch(ctx, 1866 MAX(symtab->sh_size, strtab->sh_size)); 1867 1868 if (symtab->sh_type == SHT_DYNSYM) { 1869 symtab_type = STR_DYNSYM; 1870 strtab_type = STR_DYNSTR; 1871 } else { 1872 symtab_type = STR_SYMTAB; 1873 strtab_type = STR_STRTAB; 1874 } 1875 1876 if (!shstrtab_ndx(shstrtab, 1877 shstrtab_data[symtab_type], &symtab_name)) { 1878 error = ENOMEM; 1879 goto done; 1880 } 1881 if (!shstrtab_ndx(shstrtab, 1882 shstrtab_data[strtab_type], &strtab_name)) { 1883 error = ENOMEM; 1884 goto done; 1885 } 1886 1887 v[idx].sh_name = symtab_name; 1888 v[idx].sh_type = symtab->sh_type; 1889 v[idx].sh_addr = symtab->sh_addr; 1890 if (ehdr.e_type == ET_DYN || v[idx].sh_addr == 0) 1891 v[idx].sh_addr += (Addr)(uintptr_t)saddr; 1892 v[idx].sh_addralign = symtab->sh_addralign; 1893 *doffp = roundup(*doffp, v[idx].sh_addralign); 1894 v[idx].sh_offset = *doffp; 1895 v[idx].sh_size = symtab->sh_size; 1896 v[idx].sh_link = idx + 1; 1897 v[idx].sh_entsize = symtab->sh_entsize; 1898 v[idx].sh_info = symtab->sh_info; 1899 1900 elf_copy_scn(ctx, symtab, mvp, &v[idx]); 1901 idx++; 1902 1903 v[idx].sh_name = strtab_name; 1904 v[idx].sh_type = SHT_STRTAB; 1905 v[idx].sh_flags = SHF_STRINGS; 1906 v[idx].sh_addr = strtab->sh_addr; 1907 if (ehdr.e_type == ET_DYN || v[idx].sh_addr == 0) 1908 v[idx].sh_addr += (Addr)(uintptr_t)saddr; 1909 v[idx].sh_addralign = strtab->sh_addralign; 1910 *doffp = roundup(*doffp, v[idx].sh_addralign); 1911 v[idx].sh_offset = *doffp; 1912 v[idx].sh_size = strtab->sh_size; 1913 1914 elf_copy_scn(ctx, strtab, mvp, &v[idx]); 1915 idx++; 1916 } 1917 1918 done: 1919 kmem_free(shstrbase, shstrsize); 1920 kmem_free(shbase, shsize); 1921 1922 if (error == 0) 1923 *countp = count; 1924 1925 return (error); 1926 } 1927 1928 /* 1929 * Walk mappings in process address space, examining those which correspond to 1930 * loaded objects. It is called twice from elfcore: Once to simply count 1931 * relevant sections, and again later to copy those sections once an adequate 1932 * buffer has been allocated for the shdr details. 1933 */ 1934 static int 1935 elf_process_scns(elf_core_ctx_t *ctx, Shdr *v, uint_t nv, uint_t *nshdrsp) 1936 { 1937 vnode_t *lastvp = NULL; 1938 struct seg *seg; 1939 uint_t idx = 0, remain; 1940 shstrtab_t shstrtab; 1941 struct as *as = ctx->ecc_p->p_as; 1942 int error = 0; 1943 1944 ASSERT(AS_WRITE_HELD(as)); 1945 1946 if (v != NULL) { 1947 ASSERT(nv != 0); 1948 1949 if (!shstrtab_init(&shstrtab)) 1950 return (ENOMEM); 1951 remain = nv; 1952 } else { 1953 ASSERT(nv == 0); 1954 1955 /* 1956 * The shdrs are being counted, rather than outputting them 1957 * into a buffer. Leave room for two entries: the SHT_NULL at 1958 * index 0 and the shstrtab at the end. 1959 */ 1960 remain = UINT_MAX - 2; 1961 } 1962 1963 /* Per the ELF spec, shdr index 0 is reserved. */ 1964 idx = 1; 1965 for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) { 1966 vnode_t *mvp; 1967 void *tmp = NULL; 1968 caddr_t saddr = seg->s_base, naddr, eaddr; 1969 size_t segsize; 1970 uint_t count, prot; 1971 1972 /* 1973 * Since we're just looking for text segments of load 1974 * objects, we only care about the protection bits; we don't 1975 * care about the actual size of the segment so we use the 1976 * reserved size. If the segment's size is zero, there's 1977 * something fishy going on so we ignore this segment. 1978 */ 1979 if (seg->s_ops != &segvn_ops || 1980 SEGOP_GETVP(seg, seg->s_base, &mvp) != 0 || 1981 mvp == lastvp || mvp == NULL || mvp->v_type != VREG || 1982 (segsize = pr_getsegsize(seg, 1)) == 0) 1983 continue; 1984 1985 eaddr = saddr + segsize; 1986 prot = pr_getprot(seg, 1, &tmp, &saddr, &naddr, eaddr); 1987 pr_getprot_done(&tmp); 1988 1989 /* 1990 * Skip this segment unless the protection bits look like 1991 * what we'd expect for a text segment. 1992 */ 1993 if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC) 1994 continue; 1995 1996 error = elf_process_obj_scns(ctx, mvp, saddr, v, idx, remain, 1997 &shstrtab, &count); 1998 if (error != 0) 1999 goto done; 2000 2001 ASSERT(count <= remain); 2002 ASSERT(v == NULL || (idx + count) < nv); 2003 2004 remain -= count; 2005 idx += count; 2006 lastvp = mvp; 2007 } 2008 2009 if (v == NULL) { 2010 if (idx == 1) { 2011 *nshdrsp = 0; 2012 } else { 2013 /* Include room for the shrstrtab at the end */ 2014 *nshdrsp = idx + 1; 2015 } 2016 return (0); 2017 } 2018 2019 if (idx != nv - 1) { 2020 cmn_err(CE_WARN, "elfcore: core dump failed for " 2021 "process %d; address space is changing", 2022 ctx->ecc_p->p_pid); 2023 error = EIO; 2024 goto done; 2025 } 2026 2027 if (!shstrtab_ndx(&shstrtab, shstrtab_data[STR_SHSTRTAB], 2028 &v[idx].sh_name)) { 2029 error = ENOMEM; 2030 goto done; 2031 } 2032 v[idx].sh_size = shstrtab_size(&shstrtab); 2033 v[idx].sh_addralign = 1; 2034 v[idx].sh_offset = ctx->ecc_doffset; 2035 v[idx].sh_flags = SHF_STRINGS; 2036 v[idx].sh_type = SHT_STRTAB; 2037 2038 elf_ctx_resize_scratch(ctx, v[idx].sh_size); 2039 VERIFY3U(ctx->ecc_bufsz, >=, v[idx].sh_size); 2040 shstrtab_dump(&shstrtab, ctx->ecc_buf); 2041 2042 error = core_write(ctx->ecc_vp, UIO_SYSSPACE, ctx->ecc_doffset, 2043 ctx->ecc_buf, v[idx].sh_size, ctx->ecc_rlimit, ctx->ecc_credp); 2044 if (error == 0) { 2045 ctx->ecc_doffset += v[idx].sh_size; 2046 } 2047 2048 done: 2049 if (v != NULL) 2050 shstrtab_fini(&shstrtab); 2051 2052 return (error); 2053 } 2054 2055 int 2056 elfcore(vnode_t *vp, proc_t *p, cred_t *credp, rlim64_t rlimit, int sig, 2057 core_content_t content) 2058 { 2059 u_offset_t poffset, soffset, doffset; 2060 int error; 2061 uint_t i, nphdrs, nshdrs; 2062 struct seg *seg; 2063 struct as *as = p->p_as; 2064 void *bigwad, *zeropg = NULL; 2065 size_t bigsize, phdrsz, shdrsz; 2066 Ehdr *ehdr; 2067 Phdr *phdr; 2068 Shdr shdr0; 2069 caddr_t brkbase, stkbase; 2070 size_t brksize, stksize; 2071 boolean_t overflowed = B_FALSE, retried = B_FALSE; 2072 klwp_t *lwp = ttolwp(curthread); 2073 elf_core_ctx_t ctx = { 2074 .ecc_vp = vp, 2075 .ecc_p = p, 2076 .ecc_credp = credp, 2077 .ecc_rlimit = rlimit, 2078 .ecc_content = content, 2079 .ecc_doffset = 0, 2080 .ecc_buf = NULL, 2081 .ecc_bufsz = 0 2082 }; 2083 2084 top: 2085 /* 2086 * Make sure we have everything we need (registers, etc.). 2087 * All other lwps have already stopped and are in an orderly state. 2088 */ 2089 ASSERT(p == ttoproc(curthread)); 2090 prstop(0, 0); 2091 2092 AS_LOCK_ENTER(as, RW_WRITER); 2093 nphdrs = prnsegs(as, 0) + 2; /* two CORE note sections */ 2094 2095 /* 2096 * Count the number of section headers we're going to need. 2097 */ 2098 nshdrs = 0; 2099 if (content & (CC_CONTENT_CTF | CC_CONTENT_SYMTAB | CC_CONTENT_DEBUG)) { 2100 VERIFY0(elf_process_scns(&ctx, NULL, 0, &nshdrs)); 2101 } 2102 AS_LOCK_EXIT(as); 2103 2104 /* 2105 * The core file contents may require zero section headers, but if 2106 * we overflow the 16 bits allotted to the program header count in 2107 * the ELF header, we'll need that program header at index zero. 2108 */ 2109 if (nshdrs == 0 && nphdrs >= PN_XNUM) 2110 nshdrs = 1; 2111 2112 /* 2113 * Allocate a buffer which is sized adequately to hold the ehdr, phdrs 2114 * or shdrs needed to produce the core file. It is used for the three 2115 * tasks sequentially, not simultaneously, so it does not need space 2116 * for all three data at once, only the largest one. 2117 */ 2118 VERIFY(nphdrs >= 2); 2119 phdrsz = nphdrs * sizeof (Phdr); 2120 shdrsz = nshdrs * sizeof (Shdr); 2121 bigsize = MAX(sizeof (Ehdr), MAX(phdrsz, shdrsz)); 2122 bigwad = kmem_alloc(bigsize, KM_SLEEP); 2123 2124 ehdr = (Ehdr *)bigwad; 2125 bzero(ehdr, sizeof (*ehdr)); 2126 2127 ehdr->e_ident[EI_MAG0] = ELFMAG0; 2128 ehdr->e_ident[EI_MAG1] = ELFMAG1; 2129 ehdr->e_ident[EI_MAG2] = ELFMAG2; 2130 ehdr->e_ident[EI_MAG3] = ELFMAG3; 2131 ehdr->e_ident[EI_CLASS] = ELFCLASS; 2132 ehdr->e_type = ET_CORE; 2133 2134 #if !defined(_LP64) || defined(_ELF32_COMPAT) 2135 2136 #if defined(__sparc) 2137 ehdr->e_ident[EI_DATA] = ELFDATA2MSB; 2138 ehdr->e_machine = EM_SPARC; 2139 #elif defined(__i386_COMPAT) 2140 ehdr->e_ident[EI_DATA] = ELFDATA2LSB; 2141 ehdr->e_machine = EM_386; 2142 #else 2143 #error "no recognized machine type is defined" 2144 #endif 2145 2146 #else /* !defined(_LP64) || defined(_ELF32_COMPAT) */ 2147 2148 #if defined(__sparc) 2149 ehdr->e_ident[EI_DATA] = ELFDATA2MSB; 2150 ehdr->e_machine = EM_SPARCV9; 2151 #elif defined(__amd64) 2152 ehdr->e_ident[EI_DATA] = ELFDATA2LSB; 2153 ehdr->e_machine = EM_AMD64; 2154 #else 2155 #error "no recognized 64-bit machine type is defined" 2156 #endif 2157 2158 #endif /* !defined(_LP64) || defined(_ELF32_COMPAT) */ 2159 2160 poffset = sizeof (Ehdr); 2161 soffset = sizeof (Ehdr) + phdrsz; 2162 doffset = sizeof (Ehdr) + phdrsz + shdrsz; 2163 bzero(&shdr0, sizeof (shdr0)); 2164 2165 /* 2166 * If the count of program headers or section headers or the index 2167 * of the section string table can't fit in the mere 16 bits 2168 * shortsightedly allotted to them in the ELF header, we use the 2169 * extended formats and put the real values in the section header 2170 * as index 0. 2171 */ 2172 if (nphdrs >= PN_XNUM) { 2173 ehdr->e_phnum = PN_XNUM; 2174 shdr0.sh_info = nphdrs; 2175 } else { 2176 ehdr->e_phnum = (unsigned short)nphdrs; 2177 } 2178 2179 if (nshdrs > 0) { 2180 if (nshdrs >= SHN_LORESERVE) { 2181 ehdr->e_shnum = 0; 2182 shdr0.sh_size = nshdrs; 2183 } else { 2184 ehdr->e_shnum = (unsigned short)nshdrs; 2185 } 2186 2187 if (nshdrs - 1 >= SHN_LORESERVE) { 2188 ehdr->e_shstrndx = SHN_XINDEX; 2189 shdr0.sh_link = nshdrs - 1; 2190 } else { 2191 ehdr->e_shstrndx = (unsigned short)(nshdrs - 1); 2192 } 2193 2194 ehdr->e_shoff = soffset; 2195 ehdr->e_shentsize = sizeof (Shdr); 2196 } 2197 2198 ehdr->e_ident[EI_VERSION] = EV_CURRENT; 2199 ehdr->e_version = EV_CURRENT; 2200 ehdr->e_ehsize = sizeof (Ehdr); 2201 ehdr->e_phoff = poffset; 2202 ehdr->e_phentsize = sizeof (Phdr); 2203 2204 if (error = core_write(vp, UIO_SYSSPACE, (offset_t)0, ehdr, 2205 sizeof (Ehdr), rlimit, credp)) { 2206 goto done; 2207 } 2208 2209 phdr = (Phdr *)bigwad; 2210 bzero(phdr, phdrsz); 2211 2212 setup_old_note_header(&phdr[0], p); 2213 phdr[0].p_offset = doffset = roundup(doffset, sizeof (Word)); 2214 doffset += phdr[0].p_filesz; 2215 2216 setup_note_header(&phdr[1], p); 2217 phdr[1].p_offset = doffset = roundup(doffset, sizeof (Word)); 2218 doffset += phdr[1].p_filesz; 2219 2220 mutex_enter(&p->p_lock); 2221 2222 brkbase = p->p_brkbase; 2223 brksize = p->p_brksize; 2224 2225 stkbase = p->p_usrstack - p->p_stksize; 2226 stksize = p->p_stksize; 2227 2228 mutex_exit(&p->p_lock); 2229 2230 AS_LOCK_ENTER(as, RW_WRITER); 2231 i = 2; 2232 for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) { 2233 caddr_t eaddr = seg->s_base + pr_getsegsize(seg, 0); 2234 caddr_t saddr, naddr; 2235 void *tmp = NULL; 2236 extern struct seg_ops segspt_shmops; 2237 2238 if ((seg->s_flags & S_HOLE) != 0) { 2239 continue; 2240 } 2241 2242 for (saddr = seg->s_base; saddr < eaddr; saddr = naddr) { 2243 uint_t prot; 2244 size_t size; 2245 int type; 2246 vnode_t *mvp; 2247 2248 prot = pr_getprot(seg, 0, &tmp, &saddr, &naddr, eaddr); 2249 prot &= PROT_READ | PROT_WRITE | PROT_EXEC; 2250 if ((size = (size_t)(naddr - saddr)) == 0) { 2251 ASSERT(tmp == NULL); 2252 continue; 2253 } else if (i == nphdrs) { 2254 pr_getprot_done(&tmp); 2255 overflowed = B_TRUE; 2256 break; 2257 } 2258 phdr[i].p_type = PT_LOAD; 2259 phdr[i].p_vaddr = (Addr)(uintptr_t)saddr; 2260 phdr[i].p_memsz = size; 2261 if (prot & PROT_READ) 2262 phdr[i].p_flags |= PF_R; 2263 if (prot & PROT_WRITE) 2264 phdr[i].p_flags |= PF_W; 2265 if (prot & PROT_EXEC) 2266 phdr[i].p_flags |= PF_X; 2267 2268 /* 2269 * Figure out which mappings to include in the core. 2270 */ 2271 type = SEGOP_GETTYPE(seg, saddr); 2272 2273 if (saddr == stkbase && size == stksize) { 2274 if (!(content & CC_CONTENT_STACK)) 2275 goto exclude; 2276 2277 } else if (saddr == brkbase && size == brksize) { 2278 if (!(content & CC_CONTENT_HEAP)) 2279 goto exclude; 2280 2281 } else if (seg->s_ops == &segspt_shmops) { 2282 if (type & MAP_NORESERVE) { 2283 if (!(content & CC_CONTENT_DISM)) 2284 goto exclude; 2285 } else { 2286 if (!(content & CC_CONTENT_ISM)) 2287 goto exclude; 2288 } 2289 2290 } else if (seg->s_ops != &segvn_ops) { 2291 goto exclude; 2292 2293 } else if (type & MAP_SHARED) { 2294 if (shmgetid(p, saddr) != SHMID_NONE) { 2295 if (!(content & CC_CONTENT_SHM)) 2296 goto exclude; 2297 2298 } else if (SEGOP_GETVP(seg, seg->s_base, 2299 &mvp) != 0 || mvp == NULL || 2300 mvp->v_type != VREG) { 2301 if (!(content & CC_CONTENT_SHANON)) 2302 goto exclude; 2303 2304 } else { 2305 if (!(content & CC_CONTENT_SHFILE)) 2306 goto exclude; 2307 } 2308 2309 } else if (SEGOP_GETVP(seg, seg->s_base, &mvp) != 0 || 2310 mvp == NULL || mvp->v_type != VREG) { 2311 if (!(content & CC_CONTENT_ANON)) 2312 goto exclude; 2313 2314 } else if (prot == (PROT_READ | PROT_EXEC)) { 2315 if (!(content & CC_CONTENT_TEXT)) 2316 goto exclude; 2317 2318 } else if (prot == PROT_READ) { 2319 if (!(content & CC_CONTENT_RODATA)) 2320 goto exclude; 2321 2322 } else { 2323 if (!(content & CC_CONTENT_DATA)) 2324 goto exclude; 2325 } 2326 2327 doffset = roundup(doffset, sizeof (Word)); 2328 phdr[i].p_offset = doffset; 2329 phdr[i].p_filesz = size; 2330 doffset += size; 2331 exclude: 2332 i++; 2333 } 2334 VERIFY(tmp == NULL); 2335 if (overflowed) 2336 break; 2337 } 2338 AS_LOCK_EXIT(as); 2339 2340 if (overflowed || i != nphdrs) { 2341 if (!retried) { 2342 retried = B_TRUE; 2343 overflowed = B_FALSE; 2344 kmem_free(bigwad, bigsize); 2345 goto top; 2346 } 2347 cmn_err(CE_WARN, "elfcore: core dump failed for " 2348 "process %d; address space is changing", p->p_pid); 2349 error = EIO; 2350 goto done; 2351 } 2352 2353 if ((error = core_write(vp, UIO_SYSSPACE, poffset, 2354 phdr, phdrsz, rlimit, credp)) != 0) { 2355 goto done; 2356 } 2357 2358 if ((error = write_old_elfnotes(p, sig, vp, phdr[0].p_offset, rlimit, 2359 credp)) != 0) { 2360 goto done; 2361 } 2362 if ((error = write_elfnotes(p, sig, vp, phdr[1].p_offset, rlimit, 2363 credp, content)) != 0) { 2364 goto done; 2365 } 2366 2367 for (i = 2; i < nphdrs; i++) { 2368 prkillinfo_t killinfo; 2369 sigqueue_t *sq; 2370 int sig, j; 2371 2372 if (phdr[i].p_filesz == 0) 2373 continue; 2374 2375 /* 2376 * If we hit a region that was mapped PROT_NONE then we cannot 2377 * continue dumping this normally as the kernel would be unable 2378 * to read from the page and that would result in us failing to 2379 * dump the page. As such, any region mapped PROT_NONE, we dump 2380 * as a zero-filled page such that this is still represented in 2381 * the map. 2382 * 2383 * If dumping out this segment fails, rather than failing 2384 * the core dump entirely, we reset the size of the mapping 2385 * to zero to indicate that the data is absent from the core 2386 * file and or in the PF_SUNW_FAILURE flag to differentiate 2387 * this from mappings that were excluded due to the core file 2388 * content settings. 2389 */ 2390 if ((phdr[i].p_flags & (PF_R | PF_W | PF_X)) == 0) { 2391 size_t towrite = phdr[i].p_filesz; 2392 size_t curoff = 0; 2393 2394 if (zeropg == NULL) { 2395 zeropg = kmem_zalloc(elf_zeropg_sz, KM_SLEEP); 2396 } 2397 2398 error = 0; 2399 while (towrite != 0) { 2400 size_t len = MIN(towrite, elf_zeropg_sz); 2401 2402 error = core_write(vp, UIO_SYSSPACE, 2403 phdr[i].p_offset + curoff, zeropg, len, 2404 rlimit, credp); 2405 if (error != 0) 2406 break; 2407 2408 towrite -= len; 2409 curoff += len; 2410 } 2411 } else { 2412 error = core_seg(p, vp, phdr[i].p_offset, 2413 (caddr_t)(uintptr_t)phdr[i].p_vaddr, 2414 phdr[i].p_filesz, rlimit, credp); 2415 } 2416 if (error == 0) 2417 continue; 2418 2419 if ((sig = lwp->lwp_cursig) == 0) { 2420 /* 2421 * We failed due to something other than a signal. 2422 * Since the space reserved for the segment is now 2423 * unused, we stash the errno in the first four 2424 * bytes. This undocumented interface will let us 2425 * understand the nature of the failure. 2426 */ 2427 (void) core_write(vp, UIO_SYSSPACE, phdr[i].p_offset, 2428 &error, sizeof (error), rlimit, credp); 2429 2430 phdr[i].p_filesz = 0; 2431 phdr[i].p_flags |= PF_SUNW_FAILURE; 2432 if ((error = core_write(vp, UIO_SYSSPACE, 2433 poffset + sizeof (Phdr) * i, &phdr[i], 2434 sizeof (Phdr), rlimit, credp)) != 0) 2435 goto done; 2436 2437 continue; 2438 } 2439 2440 /* 2441 * We took a signal. We want to abort the dump entirely, but 2442 * we also want to indicate what failed and why. We therefore 2443 * use the space reserved for the first failing segment to 2444 * write our error (which, for purposes of compatability with 2445 * older core dump readers, we set to EINTR) followed by any 2446 * siginfo associated with the signal. 2447 */ 2448 bzero(&killinfo, sizeof (killinfo)); 2449 killinfo.prk_error = EINTR; 2450 2451 sq = sig == SIGKILL ? curproc->p_killsqp : lwp->lwp_curinfo; 2452 2453 if (sq != NULL) { 2454 bcopy(&sq->sq_info, &killinfo.prk_info, 2455 sizeof (sq->sq_info)); 2456 } else { 2457 killinfo.prk_info.si_signo = lwp->lwp_cursig; 2458 killinfo.prk_info.si_code = SI_NOINFO; 2459 } 2460 2461 #if (defined(_SYSCALL32_IMPL) || defined(_LP64)) 2462 /* 2463 * If this is a 32-bit process, we need to translate from the 2464 * native siginfo to the 32-bit variant. (Core readers must 2465 * always have the same data model as their target or must 2466 * be aware of -- and compensate for -- data model differences.) 2467 */ 2468 if (curproc->p_model == DATAMODEL_ILP32) { 2469 siginfo32_t si32; 2470 2471 siginfo_kto32((k_siginfo_t *)&killinfo.prk_info, &si32); 2472 bcopy(&si32, &killinfo.prk_info, sizeof (si32)); 2473 } 2474 #endif 2475 2476 (void) core_write(vp, UIO_SYSSPACE, phdr[i].p_offset, 2477 &killinfo, sizeof (killinfo), rlimit, credp); 2478 2479 /* 2480 * For the segment on which we took the signal, indicate that 2481 * its data now refers to a siginfo. 2482 */ 2483 phdr[i].p_filesz = 0; 2484 phdr[i].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED | 2485 PF_SUNW_SIGINFO; 2486 2487 /* 2488 * And for every other segment, indicate that its absence 2489 * is due to a signal. 2490 */ 2491 for (j = i + 1; j < nphdrs; j++) { 2492 phdr[j].p_filesz = 0; 2493 phdr[j].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED; 2494 } 2495 2496 /* 2497 * Finally, write out our modified program headers. 2498 */ 2499 if ((error = core_write(vp, UIO_SYSSPACE, 2500 poffset + sizeof (Phdr) * i, &phdr[i], 2501 sizeof (Phdr) * (nphdrs - i), rlimit, credp)) != 0) { 2502 goto done; 2503 } 2504 2505 break; 2506 } 2507 2508 if (nshdrs > 0) { 2509 Shdr *shdr = (Shdr *)bigwad; 2510 2511 bzero(shdr, shdrsz); 2512 if (nshdrs > 1) { 2513 ctx.ecc_doffset = doffset; 2514 AS_LOCK_ENTER(as, RW_WRITER); 2515 error = elf_process_scns(&ctx, shdr, nshdrs, NULL); 2516 AS_LOCK_EXIT(as); 2517 if (error != 0) { 2518 goto done; 2519 } 2520 } 2521 /* Copy any extended format data destined for the first shdr */ 2522 bcopy(&shdr0, shdr, sizeof (shdr0)); 2523 2524 error = core_write(vp, UIO_SYSSPACE, soffset, shdr, shdrsz, 2525 rlimit, credp); 2526 } 2527 2528 done: 2529 if (zeropg != NULL) 2530 kmem_free(zeropg, elf_zeropg_sz); 2531 if (ctx.ecc_bufsz != 0) 2532 kmem_free(ctx.ecc_buf, ctx.ecc_bufsz); 2533 kmem_free(bigwad, bigsize); 2534 return (error); 2535 } 2536 2537 #ifndef _ELF32_COMPAT 2538 2539 static struct execsw esw = { 2540 #ifdef _LP64 2541 elf64magicstr, 2542 #else /* _LP64 */ 2543 elf32magicstr, 2544 #endif /* _LP64 */ 2545 0, 2546 5, 2547 elfexec, 2548 elfcore 2549 }; 2550 2551 static struct modlexec modlexec = { 2552 &mod_execops, "exec module for elf", &esw 2553 }; 2554 2555 #ifdef _LP64 2556 extern int elf32exec(vnode_t *vp, execa_t *uap, uarg_t *args, 2557 intpdata_t *idatap, int level, size_t *execsz, 2558 int setid, caddr_t exec_file, cred_t *cred, 2559 int brand_action); 2560 extern int elf32core(vnode_t *vp, proc_t *p, cred_t *credp, 2561 rlim64_t rlimit, int sig, core_content_t content); 2562 2563 static struct execsw esw32 = { 2564 elf32magicstr, 2565 0, 2566 5, 2567 elf32exec, 2568 elf32core 2569 }; 2570 2571 static struct modlexec modlexec32 = { 2572 &mod_execops, "32-bit exec module for elf", &esw32 2573 }; 2574 #endif /* _LP64 */ 2575 2576 static struct modlinkage modlinkage = { 2577 MODREV_1, 2578 (void *)&modlexec, 2579 #ifdef _LP64 2580 (void *)&modlexec32, 2581 #endif /* _LP64 */ 2582 NULL 2583 }; 2584 2585 int 2586 _init(void) 2587 { 2588 return (mod_install(&modlinkage)); 2589 } 2590 2591 int 2592 _fini(void) 2593 { 2594 return (mod_remove(&modlinkage)); 2595 } 2596 2597 int 2598 _info(struct modinfo *modinfop) 2599 { 2600 return (mod_info(&modlinkage, modinfop)); 2601 } 2602 2603 #endif /* !_ELF32_COMPAT */ 2604