Commit be619f7f authored by Eric W. Biederman's avatar Eric W. Biederman
Browse files

exec: Implement kernel_execve 

To allow the kernel not to play games with set_fs to call exec
implement kernel_execve.  The function kernel_execve takes pointers
into kernel memory and copies the values pointed to onto the new
userspace stack.

The calls with arguments from kernel space of do_execve are replaced
with calls to kernel_execve.

The calls do_execve and do_execveat are made static as there are now
no callers outside of exec.

The comments that mention do_execve are updated to refer to
kernel_execve or execve depending on the circumstances.  In addition
to correcting the comments, this makes it easy to grep for do_execve
and verify it is not used.

Inspired-by: https://lkml.kernel.org/r/20200627072704.2447163-1-hch@lst.de


Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lkml.kernel.org/r/87wo365ikj.fsf@x220.int.ebiederm.org


Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
parent d8b9cd54

arch/x86/entry/entry_32.S

+1 −1
Original line number Diff line number Diff line
@@ -854,7 +854,7 @@ SYM_CODE_START(ret_from_fork) 
	CALL_NOSPEC ebx

	/*

	 * A kernel thread is allowed to return here after successfully

	 * calling do_execve().  Exit to userspace to complete the execve()

	 * calling kernel_execve().  Exit to userspace to complete the execve()

	 * syscall.

	 */

	movl	$0, PT_EAX(%esp)

arch/x86/entry/entry_64.S

+1 −1
Original line number Diff line number Diff line
@@ -293,7 +293,7 @@ SYM_CODE_START(ret_from_fork) 
	CALL_NOSPEC rbx

	/*

	 * A kernel thread is allowed to return here after successfully

	 * calling do_execve().  Exit to userspace to complete the execve()

	 * calling kernel_execve().  Exit to userspace to complete the execve()

	 * syscall.

	 */

	movq	$0, RAX(%rsp)

arch/x86/kernel/unwind_frame.c

+1 −1
Original line number Diff line number Diff line
@@ -275,7 +275,7 @@ bool unwind_next_frame(struct unwind_state *state) 
		 * This user_mode() check is slightly broader than a PF_KTHREAD

		 * check because it also catches the awkward situation where a

		 * newly forked kthread transitions into a user task by calling

		 * do_execve(), which eventually clears PF_KTHREAD.

		 * kernel_execve(), which eventually clears PF_KTHREAD.

		 */

		if (!user_mode(regs))

			goto the_end;

fs/exec.c

+86 −2
Original line number Diff line number Diff line
@@ -448,6 +448,23 @@ static int count(struct user_arg_ptr argv, int max) 
	return i;

}



static int count_strings_kernel(const char *const *argv)

{

	int i;



	if (!argv)

		return 0;



	for (i = 0; argv[i]; ++i) {

		if (i >= MAX_ARG_STRINGS)

			return -E2BIG;

		if (fatal_signal_pending(current))

			return -ERESTARTNOHAND;

		cond_resched();

	}

	return i;

}



static int bprm_stack_limits(struct linux_binprm *bprm)

{

	unsigned long limit, ptr_size;
@@ -624,6 +641,20 @@ int copy_string_kernel(const char *arg, struct linux_binprm *bprm) 
}

EXPORT_SYMBOL(copy_string_kernel);



static int copy_strings_kernel(int argc, const char *const *argv,

			       struct linux_binprm *bprm)

{

	while (argc-- > 0) {

		int ret = copy_string_kernel(argv[argc], bprm);

		if (ret < 0)

			return ret;

		if (fatal_signal_pending(current))

			return -ERESTARTNOHAND;

		cond_resched();

	}

	return 0;

}



#ifdef CONFIG_MMU



/*
@@ -1991,7 +2022,60 @@ out_ret: 
	return retval;

}



int do_execve(struct filename *filename,

int kernel_execve(const char *kernel_filename,

		  const char *const *argv, const char *const *envp)

{

	struct filename *filename;

	struct linux_binprm *bprm;

	int fd = AT_FDCWD;

	int retval;



	filename = getname_kernel(kernel_filename);

	if (IS_ERR(filename))

		return PTR_ERR(filename);



	bprm = alloc_bprm(fd, filename);

	if (IS_ERR(bprm)) {

		retval = PTR_ERR(bprm);

		goto out_ret;

	}



	retval = count_strings_kernel(argv);

	if (retval < 0)

		goto out_free;

	bprm->argc = retval;



	retval = count_strings_kernel(envp);

	if (retval < 0)

		goto out_free;

	bprm->envc = retval;



	retval = bprm_stack_limits(bprm);

	if (retval < 0)

		goto out_free;



	retval = copy_string_kernel(bprm->filename, bprm);

	if (retval < 0)

		goto out_free;

	bprm->exec = bprm->p;



	retval = copy_strings_kernel(bprm->envc, envp, bprm);

	if (retval < 0)

		goto out_free;



	retval = copy_strings_kernel(bprm->argc, argv, bprm);

	if (retval < 0)

		goto out_free;



	retval = bprm_execve(bprm, fd, filename, 0);

out_free:

	free_bprm(bprm);

out_ret:

	putname(filename);

	return retval;

}



static int do_execve(struct filename *filename,

	const char __user *const __user *__argv,

	const char __user *const __user *__envp)

{
@@ -2000,7 +2084,7 @@ int do_execve(struct filename *filename, 
	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);

}



int do_execveat(int fd, struct filename *filename,

static int do_execveat(int fd, struct filename *filename,

		const char __user *const __user *__argv,

		const char __user *const __user *__envp,

		int flags)

include/linux/binfmts.h

+2 −7
Original line number Diff line number Diff line
@@ -135,12 +135,7 @@ int copy_string_kernel(const char *arg, struct linux_binprm *bprm); 
extern void set_binfmt(struct linux_binfmt *new);

extern ssize_t read_code(struct file *, unsigned long, loff_t, size_t);



extern int do_execve(struct filename *,

		     const char __user * const __user *,

		     const char __user * const __user *);

extern int do_execveat(int, struct filename *,

		       const char __user * const __user *,

		       const char __user * const __user *,

		       int);

int kernel_execve(const char *filename,

		  const char *const *argv, const char *const *envp);



#endif /* _LINUX_BINFMTS_H */

CRA Git | Maintained and supported by SUSTech CRA and CCSE