usr/src/uts/common/exec/elf/elf.c

root/usr/src/uts/common/exec/elf/elf.c
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*      Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
/*         All Rights Reserved  */
/*
 * Copyright 2019, Joyent, Inc.
 * Copyright 2023 Oxide Computer Company
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/thread.h>
#include <sys/sysmacros.h>
#include <sys/signal.h>
#include <sys/cred.h>
#include <sys/user.h>
#include <sys/errno.h>
#include <sys/vnode.h>
#include <sys/mman.h>
#include <sys/kmem.h>
#include <sys/proc.h>
#include <sys/pathname.h>
#include <sys/policy.h>
#include <sys/cmn_err.h>
#include <sys/systm.h>
#include <sys/elf.h>
#include <sys/vmsystm.h>
#include <sys/debug.h>
#include <sys/auxv.h>
#include <sys/exec.h>
#include <sys/prsystm.h>
#include <vm/as.h>
#include <vm/rm.h>
#include <vm/seg.h>
#include <vm/seg_vn.h>
#include <sys/modctl.h>
#include <sys/systeminfo.h>
#include <sys/vmparam.h>
#include <sys/machelf.h>
#include <sys/shm_impl.h>
#include <sys/archsystm.h>
#include <sys/fasttrap.h>
#include <sys/brand.h>
#include "elf_impl.h"
#include <sys/sdt.h>
#include <sys/siginfo.h>
#include <sys/random.h>

#include <core_shstrtab.h>

#if defined(__x86)
#include <sys/comm_page_util.h>
#include <sys/fp.h>
#endif /* defined(__x86) */


extern int at_flags;
extern volatile size_t aslr_max_brk_skew;

#define ORIGIN_STR      "ORIGIN"
#define ORIGIN_STR_SIZE 6

static int getelfhead(vnode_t *, cred_t *, Ehdr *, uint_t *, uint_t *,
    uint_t *);
static int getelfphdr(vnode_t *, cred_t *, const Ehdr *, uint_t, caddr_t *,
    size_t *);
static int getelfshdr(vnode_t *, cred_t *, const Ehdr *, uint_t, uint_t,
    caddr_t *, size_t *, caddr_t *, size_t *);
static size_t elfsize(const Ehdr *, uint_t, const caddr_t, uintptr_t *);
static int mapelfexec(vnode_t *, Ehdr *, uint_t, caddr_t, Phdr **, Phdr **,
    Phdr **, Phdr **, Phdr *, caddr_t *, caddr_t *, intptr_t *, uintptr_t *,
    size_t, size_t *, size_t *);


#ifdef _ELF32_COMPAT
/* Link against the non-compat instances when compiling the 32-bit version. */
extern size_t elf_datasz_max;
extern size_t elf_zeropg_sz;
extern void elf_ctx_resize_scratch(elf_core_ctx_t *, size_t);
extern uint_t elf_nphdr_max;
extern uint_t elf_nshdr_max;
extern size_t elf_shstrtab_max;
#else
size_t elf_datasz_max = 1 * 1024 * 1024;
size_t elf_zeropg_sz = 4 * 1024;
uint_t elf_nphdr_max = 1000;
uint_t elf_nshdr_max = 10000;
size_t elf_shstrtab_max = 100 * 1024;
#endif

static int
dtrace_safe_phdr(Phdr *phdrp, struct uarg *args, uintptr_t base)
{
        ASSERT(phdrp->p_type == PT_SUNWDTRACE);

        /*
         * See the comment in fasttrap.h for information on how to safely
         * update this program header.
         */
        if (phdrp->p_memsz < PT_SUNWDTRACE_SIZE ||
            (phdrp->p_flags & (PF_R | PF_W | PF_X)) != (PF_R | PF_W | PF_X))
                return (-1);

        args->thrptr = phdrp->p_vaddr + base;

        return (0);
}

static int
handle_secflag_dt(proc_t *p, uint_t dt, uint_t val)
{
        uint_t flag;

        switch (dt) {
        case DT_SUNW_ASLR:
                flag = PROC_SEC_ASLR;
                break;
        default:
                return (EINVAL);
        }

        if (val == 0) {
                if (secflag_isset(p->p_secflags.psf_lower, flag))
                        return (EPERM);
                if ((secpolicy_psecflags(CRED(), p, p) != 0) &&
                    secflag_isset(p->p_secflags.psf_inherit, flag))
                        return (EPERM);

                secflag_clear(&p->p_secflags.psf_effective, flag);
        } else {
                if (!secflag_isset(p->p_secflags.psf_upper, flag))
                        return (EPERM);

                if ((secpolicy_psecflags(CRED(), p, p) != 0) &&
                    !secflag_isset(p->p_secflags.psf_inherit, flag))
                        return (EPERM);

                secflag_set(&p->p_secflags.psf_effective, flag);
        }

        return (0);
}

#ifndef _ELF32_COMPAT
void
elf_ctx_resize_scratch(elf_core_ctx_t *ctx, size_t sz)
{
        size_t target = MIN(sz, elf_datasz_max);

        if (target > ctx->ecc_bufsz) {
                if (ctx->ecc_buf != NULL) {
                        kmem_free(ctx->ecc_buf, ctx->ecc_bufsz);
                }
                ctx->ecc_buf = kmem_alloc(target, KM_SLEEP);
                ctx->ecc_bufsz = target;
        }
}
#endif /* _ELF32_COMPAT */

/*
 * Map in the executable pointed to by vp. Returns 0 on success.
 */
int
mapexec_brand(vnode_t *vp, uarg_t *args, Ehdr *ehdr, Addr *uphdr_vaddr,
    intptr_t *voffset, caddr_t exec_file, int *interp, caddr_t *bssbase,
    caddr_t *brkbase, size_t *brksize, uintptr_t *lddatap)
{
        size_t          len, phdrsize;
        struct vattr    vat;
        caddr_t         phdrbase = NULL;
        uint_t          nshdrs, shstrndx, nphdrs;
        int             error = 0;
        Phdr            *uphdr = NULL;
        Phdr            *junk = NULL;
        Phdr            *dynphdr = NULL;
        Phdr            *dtrphdr = NULL;
        uintptr_t       lddata, minaddr;
        size_t          execsz;

        if (lddatap != NULL)
                *lddatap = 0;

        if (error = execpermissions(vp, &vat, args)) {
                uprintf("%s: Cannot execute %s\n", exec_file, args->pathname);
                return (error);
        }

        if ((error = getelfhead(vp, CRED(), ehdr, &nshdrs, &shstrndx,
            &nphdrs)) != 0 ||
            (error = getelfphdr(vp, CRED(), ehdr, nphdrs, &phdrbase,
            &phdrsize)) != 0) {
                uprintf("%s: Cannot read %s\n", exec_file, args->pathname);
                return (error);
        }

        if ((len = elfsize(ehdr, nphdrs, phdrbase, &lddata)) == 0) {
                uprintf("%s: Nothing to load in %s", exec_file, args->pathname);
                kmem_free(phdrbase, phdrsize);
                return (ENOEXEC);
        }
        if (lddatap != NULL)
                *lddatap = lddata;

        if (error = mapelfexec(vp, ehdr, nphdrs, phdrbase, &uphdr, &dynphdr,
            &junk, &dtrphdr, NULL, bssbase, brkbase, voffset, &minaddr,
            len, &execsz, brksize)) {
                uprintf("%s: Cannot map %s\n", exec_file, args->pathname);
                if (uphdr != NULL && uphdr->p_flags == 0)
                        kmem_free(uphdr, sizeof (Phdr));
                kmem_free(phdrbase, phdrsize);
                return (error);
        }

        /*
         * Inform our caller if the executable needs an interpreter.
         */
        *interp = (dynphdr == NULL) ? 0 : 1;

        /*
         * If this is a statically linked executable, voffset should indicate
         * the address of the executable itself (it normally holds the address
         * of the interpreter).
         */
        if (ehdr->e_type == ET_EXEC && *interp == 0)
                *voffset = minaddr;

        if (uphdr != NULL) {
                *uphdr_vaddr = uphdr->p_vaddr;

                if (uphdr->p_flags == 0)
                        kmem_free(uphdr, sizeof (Phdr));
        } else {
                *uphdr_vaddr = (Addr)-1;
        }

        kmem_free(phdrbase, phdrsize);
        return (error);
}

int
elfexec(vnode_t *vp, execa_t *uap, uarg_t *args, intpdata_t *idatap,
    int level, size_t *execsz, int setid, caddr_t exec_file, cred_t *cred,
    int brand_action)
{
        caddr_t         phdrbase = NULL;
        caddr_t         bssbase = 0;
        caddr_t         brkbase = 0;
        size_t          brksize = 0;
        size_t          dlnsize;
        aux_entry_t     *aux;
        int             error;
        ssize_t         resid;
        int             fd = -1;
        intptr_t        voffset;
        Phdr            *intphdr = NULL;
        Phdr            *dynamicphdr = NULL;
        Phdr            *stphdr = NULL;
        Phdr            *uphdr = NULL;
        Phdr            *junk = NULL;
        size_t          len;
        size_t          postfixsize = 0;
        size_t          i;
        Phdr            *phdrp;
        Phdr            *dataphdrp = NULL;
        Phdr            *dtrphdr;
        Phdr            *capphdr = NULL;
        Cap             *cap = NULL;
        size_t          capsize;
        int             hasu = 0;
        int             hasauxv = 0;
        int             hasintp = 0;
        int             branded = 0;
        boolean_t       dynuphdr = B_FALSE;

        struct proc *p = ttoproc(curthread);
        struct user *up = PTOU(p);
        struct bigwad {
                Ehdr    ehdr;
                aux_entry_t     elfargs[__KERN_NAUXV_IMPL];
                char            dl_name[MAXPATHLEN];
                char            pathbuf[MAXPATHLEN];
                struct vattr    vattr;
                struct execenv  exenv;
        } *bigwad;      /* kmem_alloc this behemoth so we don't blow stack */
        Ehdr            *ehdrp;
        uint_t          nshdrs, shstrndx, nphdrs;
        size_t          phdrsize;
        char            *dlnp;
        char            *pathbufp;
        rlim64_t        limit;
        rlim64_t        roundlimit;

        ASSERT(p->p_model == DATAMODEL_ILP32 || p->p_model == DATAMODEL_LP64);

        bigwad = kmem_alloc(sizeof (struct bigwad), KM_SLEEP);
        ehdrp = &bigwad->ehdr;
        dlnp = bigwad->dl_name;
        pathbufp = bigwad->pathbuf;

        /*
         * Obtain ELF and program header information.
         */
        if ((error = getelfhead(vp, CRED(), ehdrp, &nshdrs, &shstrndx,
            &nphdrs)) != 0 ||
            (error = getelfphdr(vp, CRED(), ehdrp, nphdrs, &phdrbase,
            &phdrsize)) != 0)
                goto out;

        /*
         * Prevent executing an ELF file that has no entry point.
         */
        if (ehdrp->e_entry == 0) {
                uprintf("%s: Bad entry point\n", exec_file);
                goto bad;
        }

        /*
         * Put data model that we're exec-ing to into the args passed to
         * exec_args(), so it will know what it is copying to on new stack.
         * Now that we know whether we are exec-ing a 32-bit or 64-bit
         * executable, we can set execsz with the appropriate NCARGS.
         */
#ifdef  _LP64
        if (ehdrp->e_ident[EI_CLASS] == ELFCLASS32) {
                args->to_model = DATAMODEL_ILP32;
                *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS32-1);
        } else {
                args->to_model = DATAMODEL_LP64;
                args->stk_prot &= ~PROT_EXEC;
#if defined(__x86)
                args->dat_prot &= ~PROT_EXEC;
#endif
                *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS64-1);
        }
#else   /* _LP64 */
        args->to_model = DATAMODEL_ILP32;
        *execsz = btopr(SINCR) + btopr(SSIZE) + btopr(NCARGS-1);
#endif  /* _LP64 */

        /*
         * We delay invoking the brand callback until we've figured out
         * what kind of elf binary we're trying to run, 32-bit or 64-bit.
         * We do this because now the brand library can just check
         * args->to_model to see if the target is 32-bit or 64-bit without
         * having do duplicate all the code above.
         *
         * The level checks associated with brand handling below are used to
         * prevent a loop since the brand elfexec function typically comes back
         * through this function. We must check <= here since the nested
         * handling in the #! interpreter code will increment the level before
         * calling gexec to run the final elfexec interpreter.
         */
        if ((level <= INTP_MAXDEPTH) &&
            (brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) {
                error = BROP(p)->b_elfexec(vp, uap, args,
                    idatap, level + 1, execsz, setid, exec_file, cred,
                    brand_action);
                goto out;
        }

        /*
         * Determine aux size now so that stack can be built
         * in one shot (except actual copyout of aux image),
         * determine any non-default stack protections,
         * and still have this code be machine independent.
         */
        const uint_t hsize = ehdrp->e_phentsize;
        phdrp = (Phdr *)phdrbase;
        for (i = nphdrs; i > 0; i--) {
                switch (phdrp->p_type) {
                case PT_INTERP:
                        hasauxv = hasintp = 1;
                        break;
                case PT_PHDR:
                        hasu = 1;
                        break;
                case PT_SUNWSTACK:
                        args->stk_prot = PROT_USER;
                        if (phdrp->p_flags & PF_R)
                                args->stk_prot |= PROT_READ;
                        if (phdrp->p_flags & PF_W)
                                args->stk_prot |= PROT_WRITE;
                        if (phdrp->p_flags & PF_X)
                                args->stk_prot |= PROT_EXEC;
                        break;
                case PT_LOAD:
                        dataphdrp = phdrp;
                        break;
                case PT_SUNWCAP:
                        capphdr = phdrp;
                        break;
                case PT_DYNAMIC:
                        dynamicphdr = phdrp;
                        break;
                }
                phdrp = (Phdr *)((caddr_t)phdrp + hsize);
        }

        if (ehdrp->e_type != ET_EXEC) {
                dataphdrp = NULL;
                hasauxv = 1;
        }

        /* Copy BSS permissions to args->dat_prot */
        if (dataphdrp != NULL) {
                args->dat_prot = PROT_USER;
                if (dataphdrp->p_flags & PF_R)
                        args->dat_prot |= PROT_READ;
                if (dataphdrp->p_flags & PF_W)
                        args->dat_prot |= PROT_WRITE;
                if (dataphdrp->p_flags & PF_X)
                        args->dat_prot |= PROT_EXEC;
        }

        /*
         * If a auxvector will be required - reserve the space for
         * it now.  This may be increased by exec_args if there are
         * ISA-specific types (included in __KERN_NAUXV_IMPL).
         */
        if (hasauxv) {
                /*
                 * If a AUX vector is being built - the base AUX
                 * entries are:
                 *
                 *      AT_BASE
                 *      AT_FLAGS
                 *      AT_PAGESZ
                 *      AT_SUN_AUXFLAGS
                 *      AT_SUN_HWCAP
                 *      AT_SUN_HWCAP2
                 *      AT_SUN_HWCAP3
                 *      AT_SUN_PLATFORM (added in stk_copyout)
                 *      AT_SUN_EXECNAME (added in stk_copyout)
                 *      AT_NULL
                 *
                 * total == 10
                 */
                if (hasintp && hasu) {
                        /*
                         * Has PT_INTERP & PT_PHDR - the auxvectors that
                         * will be built are:
                         *
                         *      AT_PHDR
                         *      AT_PHENT
                         *      AT_PHNUM
                         *      AT_ENTRY
                         *      AT_LDDATA
                         *
                         * total = 5
                         */
                        args->auxsize = (10 + 5) * sizeof (aux_entry_t);
                } else if (hasintp) {
                        /*
                         * Has PT_INTERP but no PT_PHDR
                         *
                         *      AT_EXECFD
                         *      AT_LDDATA
                         *
                         * total = 2
                         */
                        args->auxsize = (10 + 2) * sizeof (aux_entry_t);
                } else {
                        args->auxsize = 10 * sizeof (aux_entry_t);
                }
        } else {
                args->auxsize = 0;
        }

        /*
         * If this binary is using an emulator, we need to add an
         * AT_SUN_EMULATOR aux entry.
         */
        if (args->emulator != NULL)
                args->auxsize += sizeof (aux_entry_t);

        /*
         * On supported kernels (x86_64) make room in the auxv for the
         * AT_SUN_COMMPAGE entry.  This will go unpopulated on i86xpv systems
         * which do not provide such functionality.
         *
         * Additionally cover the floating point information AT_SUN_FPSIZE and
         * AT_SUN_FPTYPE.
         */
#if defined(__amd64)
        args->auxsize += 3 * sizeof (aux_entry_t);
#endif /* defined(__amd64) */

        if ((brand_action != EBA_NATIVE) && (PROC_IS_BRANDED(p))) {
                branded = 1;
                /*
                 * We will be adding 4 entries to the aux vectors.  One for
                 * the the brandname and 3 for the brand specific aux vectors.
                 */
                args->auxsize += 4 * sizeof (aux_entry_t);
        }

        /* If the binary has an explicit ASLR flag, it must be honoured */
        if ((dynamicphdr != NULL) && (dynamicphdr->p_filesz > 0)) {
                const size_t dynfilesz = dynamicphdr->p_filesz;
                const size_t dynoffset = dynamicphdr->p_offset;
                Dyn *dyn, *dp;

                if (dynoffset > MAXOFFSET_T ||
                    dynfilesz > MAXOFFSET_T ||
                    dynoffset + dynfilesz > MAXOFFSET_T) {
                        uprintf("%s: cannot read full .dynamic section\n",
                            exec_file);
                        error = EINVAL;
                        goto out;
                }

#define DYN_STRIDE      100
                for (i = 0; i < dynfilesz; i += sizeof (*dyn) * DYN_STRIDE) {
                        const size_t remdyns = (dynfilesz - i) / sizeof (*dyn);
                        const size_t ndyns = MIN(DYN_STRIDE, remdyns);
                        const size_t dynsize = ndyns * sizeof (*dyn);

                        dyn = kmem_alloc(dynsize, KM_SLEEP);

                        if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)dyn,
                            (ssize_t)dynsize, (offset_t)(dynoffset + i),
                            UIO_SYSSPACE, 0, (rlim64_t)0,
                            CRED(), NULL)) != 0) {
                                uprintf("%s: cannot read .dynamic section\n",
                                    exec_file);
                                goto out;
                        }

                        for (dp = dyn; dp < (dyn + ndyns); dp++) {
                                if (dp->d_tag == DT_SUNW_ASLR) {
                                        if ((error = handle_secflag_dt(p,
                                            DT_SUNW_ASLR,
                                            dp->d_un.d_val)) != 0) {
                                                uprintf("%s: error setting "
                                                    "security-flag from "
                                                    "DT_SUNW_ASLR: %d\n",
                                                    exec_file, error);
                                                goto out;
                                        }
                                }
                        }

                        kmem_free(dyn, dynsize);
                }
        }

        /* Hardware/Software capabilities */
        if (capphdr != NULL &&
            (capsize = capphdr->p_filesz) > 0 &&
            capsize <= 16 * sizeof (*cap)) {
                const uint_t ncaps = capsize / sizeof (*cap);
                Cap *cp;

                cap = kmem_alloc(capsize, KM_SLEEP);
                if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)cap,
                    (ssize_t)capsize, (offset_t)capphdr->p_offset,
                    UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), NULL)) != 0) {
                        uprintf("%s: Cannot read capabilities section\n",
                            exec_file);
                        goto out;
                }
                for (cp = cap; cp < cap + ncaps; cp++) {
                        if (cp->c_tag == CA_SUNW_SF_1 &&
                            (cp->c_un.c_val & SF1_SUNW_ADDR32)) {
                                if (args->to_model == DATAMODEL_LP64)
                                        args->addr32 = 1;
                                break;
                        }
                }
        }

        aux = bigwad->elfargs;
        /*
         * Move args to the user's stack.
         * This can fill in the AT_SUN_PLATFORM and AT_SUN_EXECNAME aux entries.
         */
        if ((error = exec_args(uap, args, idatap, (void **)&aux)) != 0) {
                if (error == -1) {
                        error = ENOEXEC;
                        goto bad;
                }
                goto out;
        }
        /* we're single threaded after this point */

        /*
         * If this is an ET_DYN executable (shared object),
         * determine its memory size so that mapelfexec() can load it.
         */
        if (ehdrp->e_type == ET_DYN)
                len = elfsize(ehdrp, nphdrs, phdrbase, NULL);
        else
                len = 0;

        dtrphdr = NULL;

        error = mapelfexec(vp, ehdrp, nphdrs, phdrbase, &uphdr, &intphdr,
            &stphdr, &dtrphdr, dataphdrp, &bssbase, &brkbase, &voffset, NULL,
            len, execsz, &brksize);

        /*
         * Our uphdr has been dynamically allocated if (and only if) its
         * program header flags are clear.  To avoid leaks, this must be
         * checked regardless of whether mapelfexec() emitted an error.
         */
        dynuphdr = (uphdr != NULL && uphdr->p_flags == 0);

        if (error != 0)
                goto bad;

        if (uphdr != NULL && intphdr == NULL)
                goto bad;

        if (dtrphdr != NULL && dtrace_safe_phdr(dtrphdr, args, voffset) != 0) {
                uprintf("%s: Bad DTrace phdr in %s\n", exec_file, exec_file);
                goto bad;
        }

        if (intphdr != NULL) {
                size_t          len;
                uintptr_t       lddata;
                char            *p;
                struct vnode    *nvp;

                dlnsize = intphdr->p_filesz;

                /*
                 * Make sure none of the component pieces of dlnsize result in
                 * an oversized or zeroed result.
                 */
                if (intphdr->p_filesz > MAXPATHLEN || dlnsize > MAXPATHLEN ||
                    dlnsize == 0 || dlnsize < intphdr->p_filesz) {
                        goto bad;
                }

                /*
                 * Read in "interpreter" pathname.
                 */
                if ((error = vn_rdwr(UIO_READ, vp, dlnp,
                    (ssize_t)intphdr->p_filesz, (offset_t)intphdr->p_offset,
                    UIO_SYSSPACE, 0, (rlim64_t)0, CRED(), &resid)) != 0) {
                        uprintf("%s: Cannot obtain interpreter pathname\n",
                            exec_file);
                        goto bad;
                }

                if (resid != 0 || dlnp[dlnsize - 1] != '\0')
                        goto bad;

                /*
                 * Search for '$ORIGIN' token in interpreter path.
                 * If found, expand it.
                 */
                for (p = dlnp; p = strchr(p, '$'); ) {
                        uint_t  len, curlen;
                        char    *_ptr;

                        if (strncmp(++p, ORIGIN_STR, ORIGIN_STR_SIZE))
                                continue;

                        /*
                         * We don't support $ORIGIN on setid programs to close
                         * a potential attack vector.
                         */
                        if ((setid & EXECSETID_SETID) != 0) {
                                error = ENOEXEC;
                                goto bad;
                        }

                        curlen = 0;
                        len = p - dlnp - 1;
                        if (len) {
                                bcopy(dlnp, pathbufp, len);
                                curlen += len;
                        }
                        if (_ptr = strrchr(args->pathname, '/')) {
                                len = _ptr - args->pathname;
                                if ((curlen + len) > MAXPATHLEN)
                                        break;

                                bcopy(args->pathname, &pathbufp[curlen], len);
                                curlen += len;
                        } else {
                                /*
                                 * executable is a basename found in the
                                 * current directory.  So - just substitue
                                 * '.' for ORIGIN.
                                 */
                                pathbufp[curlen] = '.';
                                curlen++;
                        }
                        p += ORIGIN_STR_SIZE;
                        len = strlen(p);

                        if ((curlen + len) > MAXPATHLEN)
                                break;
                        bcopy(p, &pathbufp[curlen], len);
                        curlen += len;
                        pathbufp[curlen++] = '\0';
                        bcopy(pathbufp, dlnp, curlen);
                }

                /*
                 * /usr/lib/ld.so.1 is known to be a symlink to /lib/ld.so.1
                 * (and /usr/lib/64/ld.so.1 is a symlink to /lib/64/ld.so.1).
                 * Just in case /usr is not mounted, change it now.
                 */
                if (strcmp(dlnp, USR_LIB_RTLD) == 0)
                        dlnp += 4;
                error = lookupname(dlnp, UIO_SYSSPACE, FOLLOW, NULLVPP, &nvp);
                if (error && dlnp != bigwad->dl_name) {
                        /* new kernel, old user-level */
                        error = lookupname(dlnp -= 4, UIO_SYSSPACE, FOLLOW,
                            NULLVPP, &nvp);
                }
                if (error) {
                        uprintf("%s: Cannot find %s\n", exec_file, dlnp);
                        goto bad;
                }

                /*
                 * Setup the "aux" vector.
                 */
                if (uphdr) {
                        if (ehdrp->e_type == ET_DYN) {
                                /* don't use the first page */
                                bigwad->exenv.ex_brkbase = (caddr_t)PAGESIZE;
                                bigwad->exenv.ex_bssbase = (caddr_t)PAGESIZE;
                        } else {
                                bigwad->exenv.ex_bssbase = bssbase;
                                bigwad->exenv.ex_brkbase = brkbase;
                        }
                        bigwad->exenv.ex_brksize = brksize;
                        bigwad->exenv.ex_magic = elfmagic;
                        bigwad->exenv.ex_vp = vp;
                        setexecenv(&bigwad->exenv);

                        ADDAUX(aux, AT_PHDR, uphdr->p_vaddr + voffset)
                        ADDAUX(aux, AT_PHENT, ehdrp->e_phentsize)
                        ADDAUX(aux, AT_PHNUM, nphdrs)
                        ADDAUX(aux, AT_ENTRY, ehdrp->e_entry + voffset)
                } else {
                        if ((error = execopen(&vp, &fd)) != 0) {
                                VN_RELE(nvp);
                                goto bad;
                        }

                        ADDAUX(aux, AT_EXECFD, fd)
                }

                if ((error = execpermissions(nvp, &bigwad->vattr, args)) != 0) {
                        VN_RELE(nvp);
                        uprintf("%s: Cannot execute %s\n", exec_file, dlnp);
                        goto bad;
                }

                /*
                 * Now obtain the ELF header along with the entire program
                 * header contained in "nvp".
                 */
                kmem_free(phdrbase, phdrsize);
                phdrbase = NULL;
                if ((error = getelfhead(nvp, CRED(), ehdrp, &nshdrs,
                    &shstrndx, &nphdrs)) != 0 ||
                    (error = getelfphdr(nvp, CRED(), ehdrp, nphdrs, &phdrbase,
                    &phdrsize)) != 0) {
                        VN_RELE(nvp);
                        uprintf("%s: Cannot read %s\n", exec_file, dlnp);
                        goto bad;
                }

                /*
                 * Determine memory size of the "interpreter's" loadable
                 * sections.  This size is then used to obtain the virtual
                 * address of a hole, in the user's address space, large
                 * enough to map the "interpreter".
                 */
                if ((len = elfsize(ehdrp, nphdrs, phdrbase, &lddata)) == 0) {
                        VN_RELE(nvp);
                        uprintf("%s: Nothing to load in %s\n", exec_file, dlnp);
                        goto bad;
                }

                dtrphdr = NULL;

                error = mapelfexec(nvp, ehdrp, nphdrs, phdrbase, NULL, &junk,
                    &junk, &dtrphdr, NULL, NULL, NULL, &voffset, NULL, len,
                    execsz, NULL);

                if (error || junk != NULL) {
                        VN_RELE(nvp);
                        uprintf("%s: Cannot map %s\n", exec_file, dlnp);
                        goto bad;
                }

                /*
                 * We use the DTrace program header to initialize the
                 * architecture-specific user per-LWP location. The dtrace
                 * fasttrap provider requires ready access to per-LWP scratch
                 * space. We assume that there is only one such program header
                 * in the interpreter.
                 */
                if (dtrphdr != NULL &&
                    dtrace_safe_phdr(dtrphdr, args, voffset) != 0) {
                        VN_RELE(nvp);
                        uprintf("%s: Bad DTrace phdr in %s\n", exec_file, dlnp);
                        goto bad;
                }

                VN_RELE(nvp);
                ADDAUX(aux, AT_SUN_LDDATA, voffset + lddata)
        }

        if (hasauxv) {
                int auxf = AF_SUN_HWCAPVERIFY;
#if defined(__amd64)
                size_t fpsize;
                int fptype;
#endif /* defined(__amd64) */

                /*
                 * Note: AT_SUN_PLATFORM and AT_SUN_EXECNAME were filled in via
                 * exec_args()
                 */
                ADDAUX(aux, AT_BASE, voffset)
                ADDAUX(aux, AT_FLAGS, at_flags)
                ADDAUX(aux, AT_PAGESZ, PAGESIZE)
                /*
                 * Linker flags. (security)
                 * p_flag not yet set at this time.
                 * We rely on gexec() to provide us with the information.
                 * If the application is set-uid but this is not reflected
                 * in a mismatch between real/effective uids/gids, then
                 * don't treat this as a set-uid exec.  So we care about
                 * the EXECSETID_UGIDS flag but not the ...SETID flag.
                 */
                if ((setid &= ~EXECSETID_SETID) != 0)
                        auxf |= AF_SUN_SETUGID;

                /*
                 * If we're running a native process from within a branded
                 * zone under pfexec then we clear the AF_SUN_SETUGID flag so
                 * that the native ld.so.1 is able to link with the native
                 * libraries instead of using the brand libraries that are
                 * installed in the zone.  We only do this for processes
                 * which we trust because we see they are already running
                 * under pfexec (where uid != euid).  This prevents a
                 * malicious user within the zone from crafting a wrapper to
                 * run native suid commands with unsecure libraries interposed.
                 */
                if ((brand_action == EBA_NATIVE) && (PROC_IS_BRANDED(p) &&
                    (setid &= ~EXECSETID_SETID) != 0))
                        auxf &= ~AF_SUN_SETUGID;

                /*
                 * Record the user addr of the auxflags aux vector entry
                 * since brands may optionally want to manipulate this field.
                 */
                args->auxp_auxflags =
                    (char *)((char *)args->stackend +
                    ((char *)&aux->a_type -
                    (char *)bigwad->elfargs));
                ADDAUX(aux, AT_SUN_AUXFLAGS, auxf);

                /*
                 * Hardware capability flag word (performance hints)
                 * Used for choosing faster library routines.
                 * (Potentially different between 32-bit and 64-bit ABIs)
                 */
                if (args->to_model == DATAMODEL_NATIVE) {
                        ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap)
                        ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap_2)
                        ADDAUX(aux, AT_SUN_HWCAP3, auxv_hwcap_3)
                } else {
                        ADDAUX(aux, AT_SUN_HWCAP, auxv_hwcap32)
                        ADDAUX(aux, AT_SUN_HWCAP2, auxv_hwcap32_2)
                        ADDAUX(aux, AT_SUN_HWCAP3, auxv_hwcap32_3)
                }

                if (branded) {
                        /*
                         * Reserve space for the brand-private aux vectors,
                         * and record the user addr of that space.
                         */
                        args->auxp_brand =
                            (char *)((char *)args->stackend +
                            ((char *)&aux->a_type -
                            (char *)bigwad->elfargs));
                        ADDAUX(aux, AT_SUN_BRAND_AUX1, 0)
                        ADDAUX(aux, AT_SUN_BRAND_AUX2, 0)
                        ADDAUX(aux, AT_SUN_BRAND_AUX3, 0)
                }

                /*
                 * Add the comm page auxv entry, mapping it in if needed. Also
                 * take care of the FPU entries.
                 */
#if defined(__amd64)
                if (args->commpage != (uintptr_t)NULL ||
                    (args->commpage = (uintptr_t)comm_page_mapin()) !=
                    (uintptr_t)NULL) {
                        ADDAUX(aux, AT_SUN_COMMPAGE, args->commpage)
                } else {
                        /*
                         * If the comm page cannot be mapped, pad out the auxv
                         * to satisfy later size checks.
                         */
                        ADDAUX(aux, AT_NULL, 0)
                }

                fptype = AT_386_FPINFO_NONE;
                fpu_auxv_info(&fptype, &fpsize);
                if (fptype != AT_386_FPINFO_NONE) {
                        ADDAUX(aux, AT_SUN_FPTYPE, fptype)
                        ADDAUX(aux, AT_SUN_FPSIZE, fpsize)
                } else {
                        ADDAUX(aux, AT_NULL, 0)
                        ADDAUX(aux, AT_NULL, 0)
                }
#endif /* defined(__amd64) */

                ADDAUX(aux, AT_NULL, 0)
                postfixsize = (uintptr_t)aux - (uintptr_t)bigwad->elfargs;

                /*
                 * We make assumptions above when we determine how many aux
                 * vector entries we will be adding. However, if we have an
                 * invalid elf file, it is possible that mapelfexec might
                 * behave differently (but not return an error), in which case
                 * the number of aux entries we actually add will be different.
                 * We detect that now and error out.
                 */
                if (postfixsize != args->auxsize) {
                        DTRACE_PROBE2(elfexec_badaux, size_t, postfixsize,
                            size_t, args->auxsize);
                        goto bad;
                }
                ASSERT(postfixsize <= __KERN_NAUXV_IMPL * sizeof (aux_entry_t));
        }

        /*
         * For the 64-bit kernel, the limit is big enough that rounding it up
         * to a page can overflow the 64-bit limit, so we check for btopr()
         * overflowing here by comparing it with the unrounded limit in pages.
         * If it hasn't overflowed, compare the exec size with the rounded up
         * limit in pages.  Otherwise, just compare with the unrounded limit.
         */
        limit = btop(p->p_vmem_ctl);
        roundlimit = btopr(p->p_vmem_ctl);
        if ((roundlimit > limit && *execsz > roundlimit) ||
            (roundlimit < limit && *execsz > limit)) {
                mutex_enter(&p->p_lock);
                (void) rctl_action(rctlproc_legacy[RLIMIT_VMEM], p->p_rctls, p,
                    RCA_SAFE);
                mutex_exit(&p->p_lock);
                error = ENOMEM;
                goto bad;
        }

        bzero(up->u_auxv, sizeof (up->u_auxv));
        up->u_commpagep = args->commpage;
        if (postfixsize) {
                size_t num_auxv;

                /*
                 * Copy the aux vector to the user stack.
                 */
                error = execpoststack(args, bigwad->elfargs, postfixsize);
                if (error)
                        goto bad;

                /*
                 * Copy auxv to the process's user structure for use by /proc.
                 * If this is a branded process, the brand's exec routine will
                 * copy it's private entries to the user structure later. It
                 * relies on the fact that the blank entries are at the end.
                 */
                num_auxv = postfixsize / sizeof (aux_entry_t);
                ASSERT(num_auxv <= sizeof (up->u_auxv) / sizeof (auxv_t));
                aux = bigwad->elfargs;
                for (i = 0; i < num_auxv; i++) {
                        up->u_auxv[i].a_type = aux[i].a_type;
                        up->u_auxv[i].a_un.a_val = (aux_val_t)aux[i].a_un.a_val;
                }
        }

        /*
         * Pass back the starting address so we can set the program counter.
         */
        args->entry = (uintptr_t)(ehdrp->e_entry + voffset);

        if (!uphdr) {
                if (ehdrp->e_type == ET_DYN) {
                        /*
                         * If we are executing a shared library which doesn't
                         * have a interpreter (probably ld.so.1) then
                         * we don't set the brkbase now.  Instead we
                         * delay it's setting until the first call
                         * via grow.c::brk().  This permits ld.so.1 to
                         * initialize brkbase to the tail of the executable it
                         * loads (which is where it needs to be).
                         */
                        bigwad->exenv.ex_brkbase = (caddr_t)0;
                        bigwad->exenv.ex_bssbase = (caddr_t)0;
                        bigwad->exenv.ex_brksize = 0;
                } else {
                        bigwad->exenv.ex_brkbase = brkbase;
                        bigwad->exenv.ex_bssbase = bssbase;
                        bigwad->exenv.ex_brksize = brksize;
                }
                bigwad->exenv.ex_magic = elfmagic;
                bigwad->exenv.ex_vp = vp;
                setexecenv(&bigwad->exenv);
        }

        ASSERT(error == 0);
        goto out;

bad:
        if (fd != -1)           /* did we open the a.out yet */
                (void) execclose(fd);

        psignal(p, SIGKILL);

        if (error == 0)
                error = ENOEXEC;
out:
        if (dynuphdr)
                kmem_free(uphdr, sizeof (Phdr));
        if (phdrbase != NULL)
                kmem_free(phdrbase, phdrsize);
        if (cap != NULL)
                kmem_free(cap, capsize);
        kmem_free(bigwad, sizeof (struct bigwad));
        return (error);
}

/*
 * Compute the memory size requirement for the ELF file.
 */
static size_t
elfsize(const Ehdr *ehdrp, uint_t nphdrs, const caddr_t phdrbase,
    uintptr_t *lddata)
{
        const Phdr *phdrp = (Phdr *)phdrbase;
        const uint_t hsize = ehdrp->e_phentsize;
        boolean_t dfirst = B_TRUE;
        uintptr_t loaddr = UINTPTR_MAX;
        uintptr_t hiaddr = 0;
        uint_t i;

        for (i = nphdrs; i > 0; i--) {
                if (phdrp->p_type == PT_LOAD) {
                        const uintptr_t lo = phdrp->p_vaddr;
                        const uintptr_t hi = lo + phdrp->p_memsz;

                        loaddr = MIN(lo, loaddr);
                        hiaddr = MAX(hi, hiaddr);

                        /*
                         * save the address of the first data segment
                         * of a object - used for the AT_SUNW_LDDATA
                         * aux entry.
                         */
                        if ((lddata != NULL) && dfirst &&
                            (phdrp->p_flags & PF_W)) {
                                *lddata = lo;
                                dfirst = B_FALSE;
                        }
                }
                phdrp = (Phdr *)((caddr_t)phdrp + hsize);
        }

        if (hiaddr <= loaddr) {
                /* No non-zero PT_LOAD segment found */
                return (0);
        }

        return (roundup(hiaddr - (loaddr & PAGEMASK), PAGESIZE));
}

/*
 * Read in the ELF header and program header table.
 * SUSV3 requires:
 *      ENOEXEC File format is not recognized
 *      EINVAL  Format recognized but execution not supported
 */
static int
getelfhead(vnode_t *vp, cred_t *credp, Ehdr *ehdr, uint_t *nshdrs,
    uint_t *shstrndx, uint_t *nphdrs)
{
        int error;
        ssize_t resid;

        /*
         * We got here by the first two bytes in ident,
         * now read the entire ELF header.
         */
        if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)ehdr,
            sizeof (Ehdr), (offset_t)0, UIO_SYSSPACE, 0,
            (rlim64_t)0, credp, &resid)) != 0)
                return (error);

        /*
         * Since a separate version is compiled for handling 32-bit and
         * 64-bit ELF executables on a 64-bit kernel, the 64-bit version
         * doesn't need to be able to deal with 32-bit ELF files.
         */
        if (resid != 0 ||
            ehdr->e_ident[EI_MAG2] != ELFMAG2 ||
            ehdr->e_ident[EI_MAG3] != ELFMAG3)
                return (ENOEXEC);

        if ((ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN) ||
#if defined(_ILP32) || defined(_ELF32_COMPAT)
            ehdr->e_ident[EI_CLASS] != ELFCLASS32 ||
#else
            ehdr->e_ident[EI_CLASS] != ELFCLASS64 ||
#endif
            !elfheadcheck(ehdr->e_ident[EI_DATA], ehdr->e_machine,
            ehdr->e_flags))
                return (EINVAL);

        *nshdrs = ehdr->e_shnum;
        *shstrndx = ehdr->e_shstrndx;
        *nphdrs = ehdr->e_phnum;

        /*
         * If e_shnum, e_shstrndx, or e_phnum is its sentinel value, we need
         * to read in the section header at index zero to access the true
         * values for those fields.
         */
        if ((*nshdrs == 0 && ehdr->e_shoff != 0) ||
            *shstrndx == SHN_XINDEX || *nphdrs == PN_XNUM) {
                Shdr shdr;

                if (ehdr->e_shoff == 0)
                        return (EINVAL);

                if ((error = vn_rdwr(UIO_READ, vp, (caddr_t)&shdr,
                    sizeof (shdr), (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0,
                    (rlim64_t)0, credp, NULL)) != 0) {
                        return (error);
                }

                if (*nshdrs == 0)
                        *nshdrs = shdr.sh_size;
                if (*shstrndx == SHN_XINDEX)
                        *shstrndx = shdr.sh_link;
                if (*nphdrs == PN_XNUM && shdr.sh_info != 0)
                        *nphdrs = shdr.sh_info;
        }

        return (0);
}

/*
 * We use members through p_flags on 32-bit files and p_memsz on 64-bit files,
 * so e_phentsize must be at least large enough to include those members.
 */
#if !defined(_LP64) || defined(_ELF32_COMPAT)
#define MINPHENTSZ      (offsetof(Phdr, p_flags) + \
                        sizeof (((Phdr *)NULL)->p_flags))
#else
#define MINPHENTSZ      (offsetof(Phdr, p_memsz) + \
                        sizeof (((Phdr *)NULL)->p_memsz))
#endif

static int
getelfphdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr, uint_t nphdrs,
    caddr_t *phbasep, size_t *phsizep)
{
        int err;

        /*
         * Ensure that e_phentsize is large enough for required fields to be
         * accessible and will maintain 8-byte alignment.
         */
        if (ehdr->e_phentsize < MINPHENTSZ || (ehdr->e_phentsize & 3))
                return (EINVAL);

        *phsizep = nphdrs * ehdr->e_phentsize;

        if (*phsizep > sizeof (Phdr) * elf_nphdr_max) {
                if ((*phbasep = kmem_alloc(*phsizep, KM_NOSLEEP)) == NULL)
                        return (ENOMEM);
        } else {
                *phbasep = kmem_alloc(*phsizep, KM_SLEEP);
        }

        if ((err = vn_rdwr(UIO_READ, vp, *phbasep, (ssize_t)*phsizep,
            (offset_t)ehdr->e_phoff, UIO_SYSSPACE, 0, (rlim64_t)0,
            credp, NULL)) != 0) {
                kmem_free(*phbasep, *phsizep);
                *phbasep = NULL;
                return (err);
        }

        return (0);
}

#define MINSHDRSZ       (offsetof(Shdr, sh_entsize) + \
                        sizeof (((Shdr *)NULL)->sh_entsize))

static int
getelfshdr(vnode_t *vp, cred_t *credp, const Ehdr *ehdr, uint_t nshdrs,
    uint_t shstrndx, caddr_t *shbasep, size_t *shsizep, char **shstrbasep,
    size_t *shstrsizep)
{
        int err;
        Shdr *shdr;

        /*
         * Since we're going to be using e_shentsize to iterate down the
         * array of section headers, it must be 8-byte aligned or else
         * a we might cause a misaligned access. We use all members through
         * sh_entsize (on both 32- and 64-bit ELF files) so e_shentsize
         * must be at least large enough to include that member. The index
         * of the string table section must also be valid.
         */
        if (ehdr->e_shentsize < MINSHDRSZ || (ehdr->e_shentsize & 3) ||
            nshdrs == 0 || shstrndx >= nshdrs) {
                return (EINVAL);
        }

        *shsizep = nshdrs * ehdr->e_shentsize;

        if (*shsizep > sizeof (Shdr) * elf_nshdr_max) {
                if ((*shbasep = kmem_alloc(*shsizep, KM_NOSLEEP)) == NULL)
                        return (ENOMEM);
        } else {
                *shbasep = kmem_alloc(*shsizep, KM_SLEEP);
        }

        if ((err = vn_rdwr(UIO_READ, vp, *shbasep, (ssize_t)*shsizep,
            (offset_t)ehdr->e_shoff, UIO_SYSSPACE, 0, (rlim64_t)0,
            credp, NULL)) != 0) {
                kmem_free(*shbasep, *shsizep);
                return (err);
        }

        /*
         * Grab the section string table.  Walking through the shdrs is
         * pointless if their names cannot be interrogated.
         */
        shdr = (Shdr *)(*shbasep + shstrndx * ehdr->e_shentsize);
        if ((*shstrsizep = shdr->sh_size) == 0) {
                kmem_free(*shbasep, *shsizep);
                return (EINVAL);
        }

        if (*shstrsizep > elf_shstrtab_max) {
                if ((*shstrbasep = kmem_alloc(*shstrsizep,
                    KM_NOSLEEP)) == NULL) {
                        kmem_free(*shbasep, *shsizep);
                        return (ENOMEM);
                }
        } else {
                *shstrbasep = kmem_alloc(*shstrsizep, KM_SLEEP);
        }

        if ((err = vn_rdwr(UIO_READ, vp, *shstrbasep, (ssize_t)*shstrsizep,
            (offset_t)shdr->sh_offset, UIO_SYSSPACE, 0, (rlim64_t)0,
            credp, NULL)) != 0) {
                kmem_free(*shbasep, *shsizep);
                kmem_free(*shstrbasep, *shstrsizep);
                return (err);
        }

        /*
         * Make sure the strtab is null-terminated to make sure we
         * don't run off the end of the table.
         */
        (*shstrbasep)[*shstrsizep - 1] = '\0';

        return (0);
}

int
elfreadhdr(vnode_t *vp, cred_t *credp, Ehdr *ehdrp, uint_t *nphdrs,
    caddr_t *phbasep, size_t *phsizep)
{
        int error;
        uint_t nshdrs, shstrndx;

        if ((error = getelfhead(vp, credp, ehdrp, &nshdrs, &shstrndx,
            nphdrs)) != 0 ||
            (error = getelfphdr(vp, credp, ehdrp, *nphdrs, phbasep,
            phsizep)) != 0) {
                return (error);
        }
        return (0);
}

static int
mapelfexec(
        vnode_t *vp,
        Ehdr *ehdr,
        uint_t nphdrs,
        caddr_t phdrbase,
        Phdr **uphdr,
        Phdr **intphdr,
        Phdr **stphdr,
        Phdr **dtphdr,
        Phdr *dataphdrp,
        caddr_t *bssbase,
        caddr_t *brkbase,
        intptr_t *voffset,
        uintptr_t *minaddrp,
        size_t len,
        size_t *execsz,
        size_t *brksize)
{
        Phdr *phdr;
        int error, page, prot;
        caddr_t addr = NULL;
        caddr_t minaddr = (caddr_t)UINTPTR_MAX;
        uint_t i;
        size_t zfodsz, memsz;
        boolean_t ptload = B_FALSE;
        off_t offset;
        const uint_t hsize = ehdr->e_phentsize;
        extern int use_brk_lpg;

        if (ehdr->e_type == ET_DYN) {
                secflagset_t flags = 0;
                /*
                 * Obtain the virtual address of a hole in the
                 * address space to map the "interpreter".
                 */
                if (secflag_enabled(curproc, PROC_SEC_ASLR))
                        flags |= _MAP_RANDOMIZE;

                map_addr(&addr, len, (offset_t)0, 1, flags);
                if (addr == NULL)
                        return (ENOMEM);
                *voffset = (intptr_t)addr;

                /*
                 * Calculate the minimum vaddr so it can be subtracted out.
                 * According to the ELF specification, since PT_LOAD sections
                 * must be sorted by increasing p_vaddr values, this is
                 * guaranteed to be the first PT_LOAD section.
                 */
                phdr = (Phdr *)phdrbase;
                for (i = nphdrs; i > 0; i--) {
                        if (phdr->p_type == PT_LOAD) {
                                *voffset -= (uintptr_t)phdr->p_vaddr;
                                break;
                        }
                        phdr = (Phdr *)((caddr_t)phdr + hsize);
                }

        } else {
                *voffset = 0;
        }

        phdr = (Phdr *)phdrbase;
        for (i = nphdrs; i > 0; i--) {
                switch (phdr->p_type) {
                case PT_LOAD:
                        ptload = B_TRUE;
                        prot = PROT_USER;
                        if (phdr->p_flags & PF_R)
                                prot |= PROT_READ;
                        if (phdr->p_flags & PF_W)
                                prot |= PROT_WRITE;
                        if (phdr->p_flags & PF_X)
                                prot |= PROT_EXEC;

                        addr = (caddr_t)((uintptr_t)phdr->p_vaddr + *voffset);

                        if (*intphdr != NULL && uphdr != NULL &&
                            *uphdr == NULL) {
                                /*
                                 * The PT_PHDR program header is, strictly
                                 * speaking, optional.  If we find that this
                                 * is missing, we will determine the location
                                 * of the program headers based on the address
                                 * of the lowest PT_LOAD segment (namely, this
                                 * one):  we subtract the p_offset to get to
                                 * the ELF header and then add back the program
                                 * header offset to get to the program headers.
                                 * We then cons up a Phdr that corresponds to
                                 * the (missing) PT_PHDR, setting the flags
                                 * to 0 to denote that this is artificial and
                                 * should (must) be freed by the caller.
                                 */
                                Phdr *cons;

                                cons = kmem_zalloc(sizeof (Phdr), KM_SLEEP);

                                cons->p_flags = 0;
                                cons->p_type = PT_PHDR;
                                cons->p_vaddr = ((uintptr_t)addr -
                                    phdr->p_offset) + ehdr->e_phoff;

                                *uphdr = cons;
                        }

                        /*
                         * The ELF spec dictates that p_filesz may not be
                         * larger than p_memsz in PT_LOAD segments.
                         */
                        if (phdr->p_filesz > phdr->p_memsz) {
                                error = EINVAL;
                                goto bad;
                        }

                        /*
                         * Keep track of the segment with the lowest starting
                         * address.
                         */
                        if (addr < minaddr)
                                minaddr = addr;

                        zfodsz = (size_t)phdr->p_memsz - phdr->p_filesz;

                        offset = phdr->p_offset;
                        if (((uintptr_t)offset & PAGEOFFSET) ==
                            ((uintptr_t)addr & PAGEOFFSET) &&
                            (!(vp->v_flag & VNOMAP))) {
                                page = 1;
                        } else {
                                page = 0;
                        }

                        /*
                         * Set the heap pagesize for OOB when the bss size
                         * is known and use_brk_lpg is not 0.
                         */
                        if (brksize != NULL && use_brk_lpg &&
                            zfodsz != 0 && phdr == dataphdrp &&
                            (prot & PROT_WRITE)) {
                                const size_t tlen = P2NPHASE((uintptr_t)addr +
                                    phdr->p_filesz, PAGESIZE);

                                if (zfodsz > tlen) {
                                        const caddr_t taddr = addr +
                                            phdr->p_filesz + tlen;

                                        /*
                                         * Since a hole in the AS large enough
                                         * for this object as calculated by
                                         * elfsize() is available, we do not
                                         * need to fear overflow for 'taddr'.
                                         */
                                        curproc->p_brkpageszc =
                                            page_szc(map_pgsz(MAPPGSZ_HEAP,
                                            curproc, taddr, zfodsz - tlen, 0));
                                }
                        }

                        if (curproc->p_brkpageszc != 0 && phdr == dataphdrp &&
                            (prot & PROT_WRITE)) {
                                uint_t  szc = curproc->p_brkpageszc;
                                size_t pgsz = page_get_pagesize(szc);
                                caddr_t ebss = addr + phdr->p_memsz;
                                /*
                                 * If we need extra space to keep the BSS an
                                 * integral number of pages in size, some of
                                 * that space may fall beyond p_brkbase, so we
                                 * need to set p_brksize to account for it
                                 * being (logically) part of the brk.
                                 */
                                size_t extra_zfodsz;

                                ASSERT(pgsz > PAGESIZE);

                                extra_zfodsz = P2NPHASE((uintptr_t)ebss, pgsz);

                                if (error = execmap(vp, addr, phdr->p_filesz,
                                    zfodsz + extra_zfodsz, phdr->p_offset,
                                    prot, page, szc))
                                        goto bad;
                                if (brksize != NULL)
                                        *brksize = extra_zfodsz;
                        } else {
                                if (error = execmap(vp, addr, phdr->p_filesz,
                                    zfodsz, phdr->p_offset, prot, page, 0))
                                        goto bad;
                        }

                        if (bssbase != NULL && addr >= *bssbase &&
                            phdr == dataphdrp) {
                                *bssbase = addr + phdr->p_filesz;
                        }
                        if (brkbase != NULL && addr >= *brkbase) {
                                *brkbase = addr + phdr->p_memsz;
                        }

                        memsz = btopr(phdr->p_memsz);
                        if ((*execsz + memsz) < *execsz) {
                                error = ENOMEM;
                                goto bad;
                        }
                        *execsz += memsz;
                        break;

                case PT_INTERP:
                        if (ptload)
                                goto bad;
                        *intphdr = phdr;
                        break;

                case PT_SHLIB:
                        *stphdr = phdr;
                        break;

                case PT_PHDR:
                        if (ptload || phdr->p_flags == 0)
                                goto bad;

                        if (uphdr != NULL)
                                *uphdr = phdr;

                        break;

                case PT_NULL:
                case PT_DYNAMIC:
                case PT_NOTE:
                        break;

                case PT_SUNWDTRACE:
                        if (dtphdr != NULL)
                                *dtphdr = phdr;
                        break;

                default:
                        break;
                }
                phdr = (Phdr *)((caddr_t)phdr + hsize);
        }

        if (minaddrp != NULL) {
                ASSERT(minaddr != (caddr_t)UINTPTR_MAX);
                *minaddrp = (uintptr_t)minaddr;
        }

        if (brkbase != NULL && secflag_enabled(curproc, PROC_SEC_ASLR)) {
                size_t off;
                uintptr_t base = (uintptr_t)*brkbase;
                uintptr_t oend = base + *brksize;

                ASSERT(ISP2(aslr_max_brk_skew));

                (void) random_get_pseudo_bytes((uint8_t *)&off, sizeof (off));
                base += P2PHASE(off, aslr_max_brk_skew);
                base = P2ROUNDUP(base, PAGESIZE);
                *brkbase = (caddr_t)base;
                /*
                 * Above, we set *brksize to account for the possibility we
                 * had to grow the 'brk' in padding out the BSS to a page
                 * boundary.
                 *
                 * We now need to adjust that based on where we now are
                 * actually putting the brk.
                 */
                if (oend > base)
                        *brksize = oend - base;
                else
                        *brksize = 0;
        }

        return (0);
bad:
        if (error == 0)
                error = EINVAL;
        return (error);
}

int
elfnote(vnode_t *vp, offset_t *offsetp, int type, int descsz, void *desc,
    rlim64_t rlimit, cred_t *credp)
{
        Note note;
        int error;

        bzero(&note, sizeof (note));
        bcopy("CORE", note.name, 4);
        note.nhdr.n_type = type;
        /*
         * The System V ABI states that n_namesz must be the length of the
         * string that follows the Nhdr structure including the terminating
         * null. The ABI also specifies that sufficient padding should be
         * included so that the description that follows the name string
         * begins on a 4- or 8-byte boundary for 32- and 64-bit binaries
         * respectively. However, since this change was not made correctly
         * at the time of the 64-bit port, both 32- and 64-bit binaries
         * descriptions are only guaranteed to begin on a 4-byte boundary.
         */
        note.nhdr.n_namesz = 5;
        note.nhdr.n_descsz = roundup(descsz, sizeof (Word));

        if (error = core_write(vp, UIO_SYSSPACE, *offsetp, &note,
            sizeof (note), rlimit, credp))
                return (error);

        *offsetp += sizeof (note);

        if (error = core_write(vp, UIO_SYSSPACE, *offsetp, desc,
            note.nhdr.n_descsz, rlimit, credp))
                return (error);

        *offsetp += note.nhdr.n_descsz;
        return (0);
}

/*
 * Copy the section data from one vnode to the section of another vnode.
 */
static void
elf_copy_scn(elf_core_ctx_t *ctx, const Shdr *src, vnode_t *src_vp, Shdr *dst)
{
        size_t n = src->sh_size;
        u_offset_t off = 0;
        const u_offset_t soff = src->sh_offset;
        const u_offset_t doff = ctx->ecc_doffset;
        void *buf = ctx->ecc_buf;
        vnode_t *dst_vp = ctx->ecc_vp;
        cred_t *credp = ctx->ecc_credp;

        /* Protect the copy loop below from overflow on the offsets */
        if (n > OFF_MAX || (n + soff) > OFF_MAX || (n + doff) > OFF_MAX ||
            (n + soff) < n || (n + doff) < n) {
                dst->sh_size = 0;
                dst->sh_offset = 0;
                return;
        }

        while (n != 0) {
                const size_t len = MIN(ctx->ecc_bufsz, n);
                ssize_t resid;

                if (vn_rdwr(UIO_READ, src_vp, buf, (ssize_t)len,
                    (offset_t)(soff + off),
                    UIO_SYSSPACE, 0, (rlim64_t)0, credp, &resid) != 0 ||
                    resid >= len || resid < 0 ||
                    core_write(dst_vp, UIO_SYSSPACE, (offset_t)(doff + off),
                    buf, len - resid, ctx->ecc_rlimit, credp) != 0) {
                        dst->sh_size = 0;
                        dst->sh_offset = 0;
                        return;
                }

                ASSERT(n >= len - resid);

                n -= len - resid;
                off += len - resid;
        }

        ctx->ecc_doffset += src->sh_size;
}

/*
 * Walk sections for a given ELF object, counting (or copying) those of
 * interest (CTF, symtab, strtab, .debug_*).
 */
static int
elf_process_obj_scns(elf_core_ctx_t *ctx, vnode_t *mvp, caddr_t saddr,
    Shdr *v, uint_t idx, const uint_t remain, shstrtab_t *shstrtab,
    uint_t *countp)
{
        Ehdr ehdr;
        const core_content_t content = ctx->ecc_content;
        cred_t *credp = ctx->ecc_credp;
        Shdr *ctf = NULL, *symtab = NULL, *strtab = NULL;
        uintptr_t off = 0;
        uint_t nshdrs, shstrndx, nphdrs, count, extra;
        u_offset_t *doffp = &ctx->ecc_doffset;
        boolean_t ctf_link = B_FALSE;
        caddr_t shbase;
        size_t shsize, shstrsize;
        char *shstrbase;
        int error = 0;
        const boolean_t justcounting = (v == NULL);

        /*
         * remain must be less than UINT_MAX so we can check for count
         * exceeding it.
         */
        ASSERT3U(remain, <, UINT_MAX);

        *countp = count = 0;

        if ((content &
            (CC_CONTENT_CTF | CC_CONTENT_SYMTAB | CC_CONTENT_DEBUG)) == 0) {
                return (0);
        }

        if (getelfhead(mvp, credp, &ehdr, &nshdrs, &shstrndx, &nphdrs) != 0 ||
            getelfshdr(mvp, credp, &ehdr, nshdrs, shstrndx, &shbase, &shsize,
            &shstrbase, &shstrsize) != 0) {
                return (0);
        }

        /* Starting at index 1 skips SHT_NULL which is expected at index 0 */
        off = ehdr.e_shentsize;
        for (uint_t i = 1; i < nshdrs; i++, off += ehdr.e_shentsize) {
                Shdr *shdr, *symchk = NULL, *strchk;
                const char *name;

                shdr = (Shdr *)(shbase + off);
                if (shdr->sh_name >= shstrsize || shdr->sh_type == SHT_NULL)
                        continue;

                name = shstrbase + shdr->sh_name;

                if (ctf == NULL && (content & CC_CONTENT_CTF) != 0 &&
                    strcmp(name, shstrtab_data[STR_CTF]) == 0) {
                        ctf = shdr;
                        if (ctf->sh_link != 0 && ctf->sh_link < nshdrs) {
                                /* check linked symtab below */
                                symchk = (Shdr *)(shbase +
                                    shdr->sh_link * ehdr.e_shentsize);
                                ctf_link = B_TRUE;
                        } else {
                                continue;
                        }
                } else if (symtab == NULL &&
                    (content & CC_CONTENT_SYMTAB) != 0 &&
                    strcmp(name, shstrtab_data[STR_SYMTAB]) == 0) {
                        symchk = shdr;
                } else if ((content & CC_CONTENT_DEBUG) != 0 &&
                    strncmp(name, ".debug_", strlen(".debug_")) == 0) {
                        /*
                         * The design of the above check is intentional. In
                         * particular, we want to capture any sections that
                         * begin with '.debug_' for a few reasons:
                         *
                         * 1) Various revisions to the DWARF spec end up
                         * changing the set of section headers that exist. This
                         * ensures that we don't need to change the kernel to
                         * get a new version.
                         *
                         * 2) Other software uses .debug_ sections for things
                         * which aren't DWARF. This allows them to be captured
                         * as well.
                         */
                        count++;

                        if (count > remain) {
                                error = ENOMEM;
                                goto done;
                        }

                        if (justcounting)
                                continue;

                        elf_ctx_resize_scratch(ctx, shdr->sh_size);

                        if (!shstrtab_ndx(shstrtab, name, &v[idx].sh_name)) {
                                error = ENOMEM;
                                goto done;
                        }

                        v[idx].sh_addr = (Addr)(uintptr_t)saddr;
                        v[idx].sh_type = shdr->sh_type;
                        v[idx].sh_addralign = shdr->sh_addralign;
                        *doffp = roundup(*doffp, v[idx].sh_addralign);
                        v[idx].sh_offset = *doffp;
                        v[idx].sh_size = shdr->sh_size;
                        v[idx].sh_link = 0;
                        v[idx].sh_entsize = shdr->sh_entsize;
                        v[idx].sh_info = shdr->sh_info;

                        elf_copy_scn(ctx, shdr, mvp, &v[idx]);
                        idx++;

                        continue;
                } else {
                        continue;
                }

                ASSERT(symchk != NULL);
                if ((symchk->sh_type != SHT_DYNSYM &&
                    symchk->sh_type != SHT_SYMTAB) ||
                    symchk->sh_link == 0 || symchk->sh_link >= nshdrs) {
                        ctf_link = B_FALSE;
                        continue;
                }
                strchk = (Shdr *)(shbase + symchk->sh_link * ehdr.e_shentsize);
                if (strchk->sh_type != SHT_STRTAB) {
                        ctf_link = B_FALSE;
                        continue;
                }
                symtab = symchk;
                strtab = strchk;

                if (symtab != NULL && ctf != NULL &&
                    (content & CC_CONTENT_DEBUG) == 0) {
                        /* No other shdrs are of interest at this point */
                        break;
                }
        }

        extra = 0;
        if (ctf != NULL)
                extra += 1;
        if (symtab != NULL)
                extra += 2;

        if (remain < extra || count > remain - extra) {
                error = ENOMEM;
                goto done;
        }

        count += extra;

        if (justcounting)
                goto done;

        /* output CTF section */
        if (ctf != NULL) {
                elf_ctx_resize_scratch(ctx, ctf->sh_size);

                if (!shstrtab_ndx(shstrtab,
                    shstrtab_data[STR_CTF], &v[idx].sh_name)) {
                        error = ENOMEM;
                        goto done;
                }
                v[idx].sh_addr = (Addr)(uintptr_t)saddr;
                v[idx].sh_type = SHT_PROGBITS;
                v[idx].sh_addralign = 4;
                *doffp = roundup(*doffp, v[idx].sh_addralign);
                v[idx].sh_offset = *doffp;
                v[idx].sh_size = ctf->sh_size;

                if (ctf_link) {
                        /*
                         * The linked symtab (and strtab) will be output
                         * immediately after this CTF section.  Its shdr index
                         * directly follows this one.
                         */
                        v[idx].sh_link = idx + 1;
                        ASSERT(symtab != NULL);
                } else {
                        v[idx].sh_link = 0;
                }
                elf_copy_scn(ctx, ctf, mvp, &v[idx]);
                idx++;
        }

        /* output SYMTAB/STRTAB sections */
        if (symtab != NULL) {
                shstrtype_t symtab_type, strtab_type;
                uint_t symtab_name, strtab_name;

                elf_ctx_resize_scratch(ctx,
                    MAX(symtab->sh_size, strtab->sh_size));

                if (symtab->sh_type == SHT_DYNSYM) {
                        symtab_type = STR_DYNSYM;
                        strtab_type = STR_DYNSTR;
                } else {
                        symtab_type = STR_SYMTAB;
                        strtab_type = STR_STRTAB;
                }

                if (!shstrtab_ndx(shstrtab,
                    shstrtab_data[symtab_type], &symtab_name)) {
                        error = ENOMEM;
                        goto done;
                }
                if (!shstrtab_ndx(shstrtab,
                    shstrtab_data[strtab_type], &strtab_name)) {
                        error = ENOMEM;
                        goto done;
                }

                v[idx].sh_name = symtab_name;
                v[idx].sh_type = symtab->sh_type;
                v[idx].sh_addr = symtab->sh_addr;
                if (ehdr.e_type == ET_DYN || v[idx].sh_addr == 0)
                        v[idx].sh_addr += (Addr)(uintptr_t)saddr;
                v[idx].sh_addralign = symtab->sh_addralign;
                *doffp = roundup(*doffp, v[idx].sh_addralign);
                v[idx].sh_offset = *doffp;
                v[idx].sh_size = symtab->sh_size;
                v[idx].sh_link = idx + 1;
                v[idx].sh_entsize = symtab->sh_entsize;
                v[idx].sh_info = symtab->sh_info;

                elf_copy_scn(ctx, symtab, mvp, &v[idx]);
                idx++;

                v[idx].sh_name = strtab_name;
                v[idx].sh_type = SHT_STRTAB;
                v[idx].sh_flags = SHF_STRINGS;
                v[idx].sh_addr = strtab->sh_addr;
                if (ehdr.e_type == ET_DYN || v[idx].sh_addr == 0)
                        v[idx].sh_addr += (Addr)(uintptr_t)saddr;
                v[idx].sh_addralign = strtab->sh_addralign;
                *doffp = roundup(*doffp, v[idx].sh_addralign);
                v[idx].sh_offset = *doffp;
                v[idx].sh_size = strtab->sh_size;

                elf_copy_scn(ctx, strtab, mvp, &v[idx]);
                idx++;
        }

done:
        kmem_free(shstrbase, shstrsize);
        kmem_free(shbase, shsize);

        if (error == 0)
                *countp = count;

        return (error);
}

/*
 * Walk mappings in process address space, examining those which correspond to
 * loaded objects.  It is called twice from elfcore: Once to simply count
 * relevant sections, and again later to copy those sections once an adequate
 * buffer has been allocated for the shdr details.
 */
static int
elf_process_scns(elf_core_ctx_t *ctx, Shdr *v, const uint_t nv, uint_t *nshdrsp)
{
        vnode_t *lastvp = NULL;
        struct seg *seg;
        uint_t remain, idx;
        shstrtab_t shstrtab;
        struct as *as = ctx->ecc_p->p_as;
        int error = 0;
        const boolean_t justcounting = (v == NULL);

        ASSERT(AS_WRITE_HELD(as));

        if (justcounting) {
                ASSERT(nv == 0);
                /*
                 * In the counting case, set remain to UINT_MAX so that we
                 * allow up to that many sections. Note that remain is
                 * decremented immediately below to account for the SHT_NULL
                 * section at index zero and so we do not end up passing
                 * UINT_MAX as the 'remain' value to elf_process_obj_scns().
                 * Once we've finished counting, we further check that there
                 * is at least one array slot available for shstrtab.
                 */
                remain = UINT_MAX;
        } else {
                ASSERT(nv != 0);
                remain = nv;

                if (!shstrtab_init(&shstrtab))
                        return (ENOMEM);
        }

        /* Per the ELF spec, shdr index 0 is reserved. */
        idx = 1;
        remain--;
        for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) {
                vnode_t *mvp;
                void *tmp = NULL;
                caddr_t saddr = seg->s_base, naddr, eaddr;
                size_t segsize;
                uint_t count, prot;

                /*
                 * Since we're just looking for text segments of load
                 * objects, we only care about the protection bits; we don't
                 * care about the actual size of the segment so we use the
                 * reserved size. If the segment's size is zero, there's
                 * something fishy going on so we ignore this segment.
                 */
                if (seg->s_ops != &segvn_ops ||
                    SEGOP_GETVP(seg, seg->s_base, &mvp) != 0 ||
                    mvp == lastvp || mvp == NULL || mvp->v_type != VREG ||
                    (segsize = pr_getsegsize(seg, 1)) == 0) {
                        continue;
                }

                eaddr = saddr + segsize;
                prot = pr_getprot(seg, 1, &tmp, &saddr, &naddr, eaddr);
                pr_getprot_done(&tmp);

                /*
                 * Skip this segment unless the protection bits look like
                 * what we'd expect for a text segment.
                 */
                if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
                        continue;

                error = elf_process_obj_scns(ctx, mvp, saddr, v, idx, remain,
                    &shstrtab, &count);
                if (error != 0)
                        goto done;

                VERIFY3U(count, <=, remain);
                if (!justcounting) {
                        VERIFY3U(idx + count, <=, nv);
                }

                remain -= count;
                idx += count;
                lastvp = mvp;
        }

        if (justcounting) {
                if (idx == 1) {
                        /* No sections found */
                        *nshdrsp = 0;
                } else if (remain < 1) {
                        /* No space for the shrstrtab at the end */
                        *nshdrsp = 0;
                        return (ENOMEM);
                } else {
                        /* Include room for the shrstrtab at the end */
                        *nshdrsp = idx + 1;
                }
                return (0);
        }

        if (remain != 1) {
                cmn_err(CE_WARN, "elfcore: core dump failed for "
                    "process %d; address space is changing",
                    ctx->ecc_p->p_pid);
                error = EIO;
                goto done;
        }

        if (!shstrtab_ndx(&shstrtab, shstrtab_data[STR_SHSTRTAB],
            &v[idx].sh_name)) {
                error = ENOMEM;
                goto done;
        }
        v[idx].sh_size = shstrtab_size(&shstrtab);
        v[idx].sh_addralign = 1;
        v[idx].sh_offset = ctx->ecc_doffset;
        v[idx].sh_flags = SHF_STRINGS;
        v[idx].sh_type = SHT_STRTAB;

        elf_ctx_resize_scratch(ctx, v[idx].sh_size);
        VERIFY3U(ctx->ecc_bufsz, >=, v[idx].sh_size);
        shstrtab_dump(&shstrtab, ctx->ecc_buf);

        error = core_write(ctx->ecc_vp, UIO_SYSSPACE, ctx->ecc_doffset,
            ctx->ecc_buf, v[idx].sh_size, ctx->ecc_rlimit, ctx->ecc_credp);
        if (error == 0)
                ctx->ecc_doffset += v[idx].sh_size;

done:
        if (!justcounting)
                shstrtab_fini(&shstrtab);

        return (error);
}

int
elfcore(vnode_t *vp, proc_t *p, cred_t *credp, rlim64_t rlimit, int sig,
    core_content_t content)
{
        u_offset_t poffset, soffset, doffset;
        int error;
        uint_t i, nphdrs, nshdrs;
        struct seg *seg;
        struct as *as = p->p_as;
        void *bigwad, *zeropg = NULL;
        size_t bigsize, phdrsz, shdrsz;
        Ehdr *ehdr;
        Phdr *phdr;
        Shdr shdr0;
        caddr_t brkbase, stkbase;
        size_t brksize, stksize;
        boolean_t overflowed = B_FALSE, retried = B_FALSE;
        klwp_t *lwp = ttolwp(curthread);
        elf_core_ctx_t ctx = {
                .ecc_vp = vp,
                .ecc_p = p,
                .ecc_credp = credp,
                .ecc_rlimit = rlimit,
                .ecc_content = content,
                .ecc_doffset = 0,
                .ecc_buf = NULL,
                .ecc_bufsz = 0
        };

top:
        /*
         * Make sure we have everything we need (registers, etc.).
         * All other lwps have already stopped and are in an orderly state.
         */
        ASSERT(p == ttoproc(curthread));
        prstop(0, 0);

        AS_LOCK_ENTER(as, RW_WRITER);
        nphdrs = prnsegs(as, 0) + 2;            /* two CORE note sections */

        /*
         * Count the number of section headers we're going to need.
         */
        nshdrs = error = 0;
        if (content & (CC_CONTENT_CTF | CC_CONTENT_SYMTAB | CC_CONTENT_DEBUG))
                error = elf_process_scns(&ctx, NULL, 0, &nshdrs);
        AS_LOCK_EXIT(as);

        if (error != 0)
                return (error);

        /*
         * The core file contents may require zero section headers, but if
         * we overflow the 16 bits allotted to the program header count in
         * the ELF header, we'll need that program header at index zero.
         */
        if (nshdrs == 0 && nphdrs >= PN_XNUM)
                nshdrs = 1;

        /*
         * Allocate a buffer which is sized adequately to hold the ehdr, phdrs
         * or shdrs needed to produce the core file.  It is used for the three
         * tasks sequentially, not simultaneously, so it does not need space
         * for all three data at once, only the largest one.
         */
        VERIFY3U(nphdrs, >=, 2);
        phdrsz = nphdrs * sizeof (Phdr);
        shdrsz = nshdrs * sizeof (Shdr);
        bigsize = MAX(sizeof (Ehdr), MAX(phdrsz, shdrsz));
        bigwad = kmem_alloc(bigsize, KM_SLEEP);

        ehdr = (Ehdr *)bigwad;
        bzero(ehdr, sizeof (*ehdr));

        ehdr->e_ident[EI_MAG0] = ELFMAG0;
        ehdr->e_ident[EI_MAG1] = ELFMAG1;
        ehdr->e_ident[EI_MAG2] = ELFMAG2;
        ehdr->e_ident[EI_MAG3] = ELFMAG3;
        ehdr->e_ident[EI_CLASS] = ELFCLASS;
        ehdr->e_type = ET_CORE;

#if !defined(_LP64) || defined(_ELF32_COMPAT)

#if defined(__sparc)
        ehdr->e_ident[EI_DATA] = ELFDATA2MSB;
        ehdr->e_machine = EM_SPARC;
#elif defined(__i386_COMPAT)
        ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
        ehdr->e_machine = EM_386;
#else
#error "no recognized machine type is defined"
#endif

#else   /* !defined(_LP64) || defined(_ELF32_COMPAT) */

#if defined(__sparc)
        ehdr->e_ident[EI_DATA] = ELFDATA2MSB;
        ehdr->e_machine = EM_SPARCV9;
#elif defined(__amd64)
        ehdr->e_ident[EI_DATA] = ELFDATA2LSB;
        ehdr->e_machine = EM_AMD64;
#else
#error "no recognized 64-bit machine type is defined"
#endif

#endif  /* !defined(_LP64) || defined(_ELF32_COMPAT) */

        poffset = sizeof (Ehdr);
        soffset = sizeof (Ehdr) + phdrsz;
        doffset = sizeof (Ehdr) + phdrsz + shdrsz;
        bzero(&shdr0, sizeof (shdr0));

        /*
         * If the count of program headers or section headers or the index
         * of the section string table can't fit in the mere 16 bits
         * shortsightedly allotted to them in the ELF header, we use the
         * extended formats and put the real values in the section header
         * as index 0.
         */
        if (nphdrs >= PN_XNUM) {
                ehdr->e_phnum = PN_XNUM;
                shdr0.sh_info = nphdrs;
        } else {
                ehdr->e_phnum = (unsigned short)nphdrs;
        }

        if (nshdrs > 0) {
                if (nshdrs >= SHN_LORESERVE) {
                        ehdr->e_shnum = 0;
                        shdr0.sh_size = nshdrs;
                } else {
                        ehdr->e_shnum = (unsigned short)nshdrs;
                }

                if (nshdrs - 1 >= SHN_LORESERVE) {
                        ehdr->e_shstrndx = SHN_XINDEX;
                        shdr0.sh_link = nshdrs - 1;
                } else {
                        ehdr->e_shstrndx = (unsigned short)(nshdrs - 1);
                }

                ehdr->e_shoff = soffset;
                ehdr->e_shentsize = sizeof (Shdr);
        }

        ehdr->e_ident[EI_VERSION] = EV_CURRENT;
        ehdr->e_version = EV_CURRENT;
        ehdr->e_ehsize = sizeof (Ehdr);
        ehdr->e_phoff = poffset;
        ehdr->e_phentsize = sizeof (Phdr);

        if (error = core_write(vp, UIO_SYSSPACE, (offset_t)0, ehdr,
            sizeof (Ehdr), rlimit, credp)) {
                goto done;
        }

        phdr = (Phdr *)bigwad;
        bzero(phdr, phdrsz);

        setup_old_note_header(&phdr[0], p);
        phdr[0].p_offset = doffset = roundup(doffset, sizeof (Word));
        doffset += phdr[0].p_filesz;

        setup_note_header(&phdr[1], p);
        phdr[1].p_offset = doffset = roundup(doffset, sizeof (Word));
        doffset += phdr[1].p_filesz;

        mutex_enter(&p->p_lock);

        brkbase = p->p_brkbase;
        brksize = p->p_brksize;

        stkbase = p->p_usrstack - p->p_stksize;
        stksize = p->p_stksize;

        mutex_exit(&p->p_lock);

        AS_LOCK_ENTER(as, RW_WRITER);
        i = 2;
        for (seg = AS_SEGFIRST(as); seg != NULL; seg = AS_SEGNEXT(as, seg)) {
                caddr_t eaddr = seg->s_base + pr_getsegsize(seg, 0);
                caddr_t saddr, naddr;
                void *tmp = NULL;
                extern struct seg_ops segspt_shmops;

                if ((seg->s_flags & S_HOLE) != 0) {
                        continue;
                }

                for (saddr = seg->s_base; saddr < eaddr; saddr = naddr) {
                        uint_t prot;
                        size_t size;
                        int type;
                        vnode_t *mvp;

                        prot = pr_getprot(seg, 0, &tmp, &saddr, &naddr, eaddr);
                        prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
                        if ((size = (size_t)(naddr - saddr)) == 0) {
                                ASSERT(tmp == NULL);
                                continue;
                        } else if (i == nphdrs) {
                                pr_getprot_done(&tmp);
                                overflowed = B_TRUE;
                                break;
                        }
                        phdr[i].p_type = PT_LOAD;
                        phdr[i].p_vaddr = (Addr)(uintptr_t)saddr;
                        phdr[i].p_memsz = size;
                        if (prot & PROT_READ)
                                phdr[i].p_flags |= PF_R;
                        if (prot & PROT_WRITE)
                                phdr[i].p_flags |= PF_W;
                        if (prot & PROT_EXEC)
                                phdr[i].p_flags |= PF_X;

                        /*
                         * Figure out which mappings to include in the core.
                         */
                        type = SEGOP_GETTYPE(seg, saddr);

                        if (saddr == stkbase && size == stksize) {
                                if (!(content & CC_CONTENT_STACK))
                                        goto exclude;

                        } else if (saddr == brkbase && size == brksize) {
                                if (!(content & CC_CONTENT_HEAP))
                                        goto exclude;

                        } else if (seg->s_ops == &segspt_shmops) {
                                if (type & MAP_NORESERVE) {
                                        if (!(content & CC_CONTENT_DISM))
                                                goto exclude;
                                } else {
                                        if (!(content & CC_CONTENT_ISM))
                                                goto exclude;
                                }

                        } else if (seg->s_ops != &segvn_ops) {
                                goto exclude;

                        } else if (type & MAP_SHARED) {
                                if (shmgetid(p, saddr) != SHMID_NONE) {
                                        if (!(content & CC_CONTENT_SHM))
                                                goto exclude;

                                } else if (SEGOP_GETVP(seg, seg->s_base,
                                    &mvp) != 0 || mvp == NULL ||
                                    mvp->v_type != VREG) {
                                        if (!(content & CC_CONTENT_SHANON))
                                                goto exclude;

                                } else {
                                        if (!(content & CC_CONTENT_SHFILE))
                                                goto exclude;
                                }

                        } else if (SEGOP_GETVP(seg, seg->s_base, &mvp) != 0 ||
                            mvp == NULL || mvp->v_type != VREG) {
                                if (!(content & CC_CONTENT_ANON))
                                        goto exclude;

                        } else if (prot == (PROT_READ | PROT_EXEC)) {
                                if (!(content & CC_CONTENT_TEXT))
                                        goto exclude;

                        } else if (prot == PROT_READ) {
                                if (!(content & CC_CONTENT_RODATA))
                                        goto exclude;

                        } else {
                                if (!(content & CC_CONTENT_DATA))
                                        goto exclude;
                        }

                        doffset = roundup(doffset, sizeof (Word));
                        phdr[i].p_offset = doffset;
                        phdr[i].p_filesz = size;
                        doffset += size;
exclude:
                        i++;
                }
                VERIFY(tmp == NULL);
                if (overflowed)
                        break;
        }
        AS_LOCK_EXIT(as);

        if (overflowed || i != nphdrs) {
                if (!retried) {
                        retried = B_TRUE;
                        overflowed = B_FALSE;
                        kmem_free(bigwad, bigsize);
                        goto top;
                }
                cmn_err(CE_WARN, "elfcore: core dump failed for "
                    "process %d; address space is changing", p->p_pid);
                error = EIO;
                goto done;
        }

        if ((error = core_write(vp, UIO_SYSSPACE, poffset,
            phdr, phdrsz, rlimit, credp)) != 0) {
                goto done;
        }

        if ((error = write_old_elfnotes(p, sig, vp, phdr[0].p_offset, rlimit,
            credp)) != 0) {
                goto done;
        }
        if ((error = write_elfnotes(p, sig, vp, phdr[1].p_offset, rlimit,
            credp, content)) != 0) {
                goto done;
        }

        for (i = 2; i < nphdrs; i++) {
                prkillinfo_t killinfo;
                sigqueue_t *sq;
                int sig, j;

                if (phdr[i].p_filesz == 0)
                        continue;

                /*
                 * If we hit a region that was mapped PROT_NONE then we cannot
                 * continue dumping this normally as the kernel would be unable
                 * to read from the page and that would result in us failing to
                 * dump the page. As such, any region mapped PROT_NONE, we dump
                 * as a zero-filled page such that this is still represented in
                 * the map.
                 *
                 * If dumping out this segment fails, rather than failing
                 * the core dump entirely, we reset the size of the mapping
                 * to zero to indicate that the data is absent from the core
                 * file and or in the PF_SUNW_FAILURE flag to differentiate
                 * this from mappings that were excluded due to the core file
                 * content settings.
                 */
                if ((phdr[i].p_flags & (PF_R | PF_W | PF_X)) == 0) {
                        size_t towrite = phdr[i].p_filesz;
                        size_t curoff = 0;

                        if (zeropg == NULL) {
                                zeropg = kmem_zalloc(elf_zeropg_sz, KM_SLEEP);
                        }

                        error = 0;
                        while (towrite != 0) {
                                size_t len = MIN(towrite, elf_zeropg_sz);

                                error = core_write(vp, UIO_SYSSPACE,
                                    phdr[i].p_offset + curoff, zeropg, len,
                                    rlimit, credp);
                                if (error != 0)
                                        break;

                                towrite -= len;
                                curoff += len;
                        }
                } else {
                        error = core_seg(p, vp, phdr[i].p_offset,
                            (caddr_t)(uintptr_t)phdr[i].p_vaddr,
                            phdr[i].p_filesz, rlimit, credp);
                }
                if (error == 0)
                        continue;

                if ((sig = lwp->lwp_cursig) == 0) {
                        /*
                         * We failed due to something other than a signal.
                         * Since the space reserved for the segment is now
                         * unused, we stash the errno in the first four
                         * bytes. This undocumented interface will let us
                         * understand the nature of the failure.
                         */
                        (void) core_write(vp, UIO_SYSSPACE, phdr[i].p_offset,
                            &error, sizeof (error), rlimit, credp);

                        phdr[i].p_filesz = 0;
                        phdr[i].p_flags |= PF_SUNW_FAILURE;
                        if ((error = core_write(vp, UIO_SYSSPACE,
                            poffset + sizeof (Phdr) * i, &phdr[i],
                            sizeof (Phdr), rlimit, credp)) != 0)
                                goto done;

                        continue;
                }

                /*
                 * We took a signal.  We want to abort the dump entirely, but
                 * we also want to indicate what failed and why.  We therefore
                 * use the space reserved for the first failing segment to
                 * write our error (which, for purposes of compatability with
                 * older core dump readers, we set to EINTR) followed by any
                 * siginfo associated with the signal.
                 */
                bzero(&killinfo, sizeof (killinfo));
                killinfo.prk_error = EINTR;

                sq = sig == SIGKILL ? curproc->p_killsqp : lwp->lwp_curinfo;

                if (sq != NULL) {
                        bcopy(&sq->sq_info, &killinfo.prk_info,
                            sizeof (sq->sq_info));
                } else {
                        killinfo.prk_info.si_signo = lwp->lwp_cursig;
                        killinfo.prk_info.si_code = SI_NOINFO;
                }

#if (defined(_SYSCALL32_IMPL) || defined(_LP64))
                /*
                 * If this is a 32-bit process, we need to translate from the
                 * native siginfo to the 32-bit variant.  (Core readers must
                 * always have the same data model as their target or must
                 * be aware of -- and compensate for -- data model differences.)
                 */
                if (curproc->p_model == DATAMODEL_ILP32) {
                        siginfo32_t si32;

                        siginfo_kto32((k_siginfo_t *)&killinfo.prk_info, &si32);
                        bcopy(&si32, &killinfo.prk_info, sizeof (si32));
                }
#endif

                (void) core_write(vp, UIO_SYSSPACE, phdr[i].p_offset,
                    &killinfo, sizeof (killinfo), rlimit, credp);

                /*
                 * For the segment on which we took the signal, indicate that
                 * its data now refers to a siginfo.
                 */
                phdr[i].p_filesz = 0;
                phdr[i].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED |
                    PF_SUNW_SIGINFO;

                /*
                 * And for every other segment, indicate that its absence
                 * is due to a signal.
                 */
                for (j = i + 1; j < nphdrs; j++) {
                        phdr[j].p_filesz = 0;
                        phdr[j].p_flags |= PF_SUNW_FAILURE | PF_SUNW_KILLED;
                }

                /*
                 * Finally, write out our modified program headers.
                 */
                if ((error = core_write(vp, UIO_SYSSPACE,
                    poffset + sizeof (Phdr) * i, &phdr[i],
                    sizeof (Phdr) * (nphdrs - i), rlimit, credp)) != 0) {
                        goto done;
                }

                break;
        }

        if (nshdrs > 0) {
                Shdr *shdr = (Shdr *)bigwad;

                bzero(shdr, shdrsz);
                if (nshdrs > 1) {
                        ctx.ecc_doffset = doffset;
                        AS_LOCK_ENTER(as, RW_WRITER);
                        error = elf_process_scns(&ctx, shdr, nshdrs, NULL);
                        AS_LOCK_EXIT(as);
                        if (error != 0)
                                goto done;
                }
                /* Copy any extended format data destined for the first shdr */
                bcopy(&shdr0, shdr, sizeof (shdr0));

                error = core_write(vp, UIO_SYSSPACE, soffset, shdr, shdrsz,
                    rlimit, credp);
        }

done:
        if (zeropg != NULL)
                kmem_free(zeropg, elf_zeropg_sz);
        if (ctx.ecc_bufsz != 0)
                kmem_free(ctx.ecc_buf, ctx.ecc_bufsz);
        kmem_free(bigwad, bigsize);
        return (error);
}

#ifndef _ELF32_COMPAT

static struct execsw esw = {
#ifdef  _LP64
        elf64magicstr,
#else   /* _LP64 */
        elf32magicstr,
#endif  /* _LP64 */
        0,
        5,
        elfexec,
        elfcore
};

static struct modlexec modlexec = {
        &mod_execops, "exec module for elf", &esw
};

#ifdef  _LP64
extern int elf32exec(vnode_t *vp, execa_t *uap, uarg_t *args,
                        intpdata_t *idatap, int level, size_t *execsz,
                        int setid, caddr_t exec_file, cred_t *cred,
                        int brand_action);
extern int elf32core(vnode_t *vp, proc_t *p, cred_t *credp,
                        rlim64_t rlimit, int sig, core_content_t content);

static struct execsw esw32 = {
        elf32magicstr,
        0,
        5,
        elf32exec,
        elf32core
};

static struct modlexec modlexec32 = {
        &mod_execops, "32-bit exec module for elf", &esw32
};
#endif  /* _LP64 */

static struct modlinkage modlinkage = {
        MODREV_1,
        (void *)&modlexec,
#ifdef  _LP64
        (void *)&modlexec32,
#endif  /* _LP64 */
        NULL
};

int
_init(void)
{
        return (mod_install(&modlinkage));
}

int
_fini(void)
{
        return (mod_remove(&modlinkage));
}

int
_info(struct modinfo *modinfop)
{
        return (mod_info(&modlinkage, modinfop));
}

#endif  /* !_ELF32_COMPAT */
Illumos
