1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
|
.\" Copyright (c) 2006, 2008 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
.TH core 5 2023-02-05 "Linux man-pages 6.03"
.SH NAME
core \- core dump file
.SH DESCRIPTION
The default action of certain signals is to cause a process to terminate
and produce a
.IR "core dump file" ,
a file containing an image of the process's memory at
the time of termination.
This image can be used in a debugger (e.g.,
.BR gdb (1))
to inspect the state of the program at the time that it terminated.
A list of the signals which cause a process to dump core can be found in
.BR signal (7).
.PP
A process can set its soft
.B RLIMIT_CORE
resource limit to place an upper limit on the size of the core dump file
that will be produced if it receives a "core dump" signal; see
.BR getrlimit (2)
for details.
.PP
There are various circumstances in which a core dump file is
not produced:
.IP \[bu] 3
The process does not have permission to write the core file.
(By default, the core file is called
.I core
or
.IR core.pid ,
where
.I pid
is the ID of the process that dumped core,
and is created in the current working directory.
See below for details on naming.)
Writing the core file fails if the directory in which
it is to be created is not writable,
or if a file with the same name exists and
is not writable
or is not a regular file
(e.g., it is a directory or a symbolic link).
.IP \[bu]
A (writable, regular) file with the same name as would be used for the
core dump already exists, but there is more than one hard link to that
file.
.IP \[bu]
The filesystem where the core dump file would be created is full;
or has run out of inodes; or is mounted read-only;
or the user has reached their quota for the filesystem.
.IP \[bu]
The directory in which the core dump file is to be created does
not exist.
.IP \[bu]
The
.B RLIMIT_CORE
(core file size) or
.B RLIMIT_FSIZE
(file size) resource limits for the process are set to zero; see
.BR getrlimit (2)
and the documentation of the shell's
.I ulimit
command
.RI ( limit
in
.BR csh (1)).
However,
.B RLIMIT_CORE
will be ignored if the system is configured to pipe core dumps to a program.
.IP \[bu]
The binary being executed by the process does not have read
permission enabled.
(This is a security measure to
ensure that an executable whose contents are not readable
does not produce a\[em]possibly readable\[em]core dump containing
an image of the executable.)
.IP \[bu]
The process is executing a set-user-ID (set-group-ID) program
that is owned by a user (group) other than the real user (group)
ID of the process,
or the process is executing a program that has file capabilities (see
.BR capabilities (7)).
(However, see the description of the
.BR prctl (2)
.B PR_SET_DUMPABLE
operation, and the description of the
.I /proc/sys/fs/suid_dumpable
.\" FIXME . Perhaps relocate discussion of /proc/sys/fs/suid_dumpable
.\" and PR_SET_DUMPABLE to this page?
file in
.BR proc (5).)
.IP \[bu]
.I /proc/sys/kernel/core_pattern
is empty and
.I /proc/sys/kernel/core_uses_pid
contains the value 0.
(These files are described below.)
Note that if
.I /proc/sys/kernel/core_pattern
is empty and
.I /proc/sys/kernel/core_uses_pid
contains the value 1,
core dump files will have names of the form
.IR .pid ,
and such files are hidden unless one uses the
.BR ls (1)
.I \-a
option.
.IP \[bu]
(Since Linux 3.7)
.\" commit 046d662f481830e652ac34cd112249adde16452a
The kernel was configured without the
.B CONFIG_COREDUMP
option.
.PP
In addition,
a core dump may exclude part of the address space of the process if the
.BR madvise (2)
.B MADV_DONTDUMP
flag was employed.
.PP
On systems that employ
.BR systemd (1)
as the
.I init
framework, core dumps may instead be placed in a location determined by
.BR systemd (1).
See below for further details.
.\"
.SS Naming of core dump files
By default, a core dump file is named
.IR core ,
but the
.I /proc/sys/kernel/core_pattern
file (since Linux 2.6 and 2.4.21)
can be set to define a template that is used to name core dump files.
The template can contain % specifiers which are substituted
by the following values when a core file is created:
.PP
.RS 4
.PD 0
.TP 4
%%
A single % character.
.TP
%c
Core file size soft resource limit of crashing process (since Linux 2.6.24).
.TP
%d
.\" Added in git commit 12a2b4b2241e318b4f6df31228e4272d2c2968a1
Dump mode\[em]same as value returned by
.BR prctl (2)
.B PR_GET_DUMPABLE
(since Linux 3.7).
.TP
%e
The process or thread's
.I comm
value, which typically is the same as the executable filename
(without path prefix, and truncated to a maximum of 15 characters),
but may have been modified to be something different;
see the discussion of
.IR /proc/ pid /comm
and
.IR /proc/ pid /task/ tid /comm
in
.BR proc (5).
.TP
%E
Pathname of executable,
with slashes (\[aq]/\[aq]) replaced by exclamation marks (\[aq]!\[aq])
(since Linux 3.0).
.TP
%g
Numeric real GID of dumped process.
.TP
%h
Hostname (same as \fInodename\fP returned by \fBuname\fP(2)).
.TP
%i
TID of thread that triggered core dump,
as seen in the PID namespace in which the thread resides
.\" commit b03023ecbdb76c1dec86b41ed80b123c22783220
(since Linux 3.18).
.TP
%I
TID of thread that triggered core dump, as seen in the initial PID namespace
.\" commit b03023ecbdb76c1dec86b41ed80b123c22783220
(since Linux 3.18).
.TP
%p
PID of dumped process,
as seen in the PID namespace in which the process resides.
.TP
%P
.\" Added in git commit 65aafb1e7484b7434a0c1d4c593191ebe5776a2f
PID of dumped process, as seen in the initial PID namespace
(since Linux 3.12).
.TP
%s
Number of signal causing dump.
.TP
%t
Time of dump, expressed as seconds since the
Epoch, 1970-01-01 00:00:00 +0000 (UTC).
.TP
%u
Numeric real UID of dumped process.
.PD
.RE
.PP
A single % at the end of the template is dropped from the
core filename, as is the combination of a % followed by any
character other than those listed above.
All other characters in the template become a literal
part of the core filename.
The template may include \[aq]/\[aq] characters, which are interpreted
as delimiters for directory names.
The maximum size of the resulting core filename is 128 bytes (64 bytes
before Linux 2.6.19).
The default value in this file is "core".
For backward compatibility, if
.I /proc/sys/kernel/core_pattern
does not include
.I %p
and
.I /proc/sys/kernel/core_uses_pid
(see below)
is nonzero, then .PID will be appended to the core filename.
.PP
Paths are interpreted according to the settings that are active for the
crashing process.
That means the crashing process's mount namespace (see
.BR mount_namespaces (7)),
its current working directory (found via
.BR getcwd (2)),
and its root directory (see
.BR chroot (2)).
.PP
Since Linux 2.4, Linux has also provided
a more primitive method of controlling
the name of the core dump file.
If the
.I /proc/sys/kernel/core_uses_pid
file contains the value 0, then a core dump file is simply named
.IR core .
If this file contains a nonzero value, then the core dump file includes
the process ID in a name of the form
.IR core.PID .
.PP
Since Linux 3.6,
.\" 9520628e8ceb69fa9a4aee6b57f22675d9e1b709
if
.I /proc/sys/fs/suid_dumpable
is set to 2 ("suidsafe"), the pattern must be either an absolute pathname
(starting with a leading \[aq]/\[aq] character) or a pipe, as defined below.
.SS Piping core dumps to a program
Since Linux 2.6.19, Linux supports an alternate syntax for the
.I /proc/sys/kernel/core_pattern
file.
If the first character of this file is a pipe symbol (\fB|\fP),
then the remainder of the line is interpreted as the command-line for
a user-space program (or script) that is to be executed.
.PP
Since Linux 5.3.0,
.\" commit 315c69261dd3fa12dbc830d4fa00d1fad98d3b03
the pipe template is split on spaces into an argument list
.I before
the template parameters are expanded.
In earlier kernels, the template parameters are expanded first and
the resulting string is split on spaces into an argument list.
This means that in earlier kernels executable names added by the
.I %e
and
.I %E
template parameters could get split into multiple arguments.
So the core dump handler needs to put the executable names as the last
argument and ensure it joins all parts of the executable name using spaces.
Executable names with multiple spaces in them are not correctly represented
in earlier kernels,
meaning that the core dump handler needs to use mechanisms to find
the executable name.
.PP
Instead of being written to a file, the core dump is given as
standard input to the program.
Note the following points:
.IP \[bu] 3
The program must be specified using an absolute pathname (or a
pathname relative to the root directory, \fI/\fP),
and must immediately follow the '|' character.
.IP \[bu]
The command-line arguments can include any of
the % specifiers listed above.
For example, to pass the PID of the process that is being dumped, specify
.I %p
in an argument.
.IP \[bu]
The process created to run the program runs as user and group
.IR root .
.IP \[bu]
Running as
.I root
does not confer any exceptional security bypasses.
Namely, LSMs (e.g., SELinux) are still active and may prevent the handler
from accessing details about the crashed process via
.IR /proc/ pid.
.IP \[bu]
The program pathname is interpreted with respect to the initial mount namespace
as it is always executed there.
It is not affected by the settings
(e.g., root directory, mount namespace, current working directory)
of the crashing process.
.IP \[bu]
The process runs in the initial namespaces
(PID, mount, user, and so on)
and not in the namespaces of the crashing process.
One can utilize specifiers such as
.I %P
to find the right
.IR /proc/ pid
directory and probe/enter the crashing process's namespaces if needed.
.IP \[bu]
The process starts with its current working directory
as the root directory.
If desired, it is possible change to the working directory of
the dumping process by employing the value provided by the
.I %P
specifier to change to the location of the dumping process via
.IR /proc/ pid /cwd .
.IP \[bu]
Command-line arguments can be supplied to the
program (since Linux 2.6.24),
delimited by white space (up to a total line length of 128 bytes).
.IP \[bu]
The
.B RLIMIT_CORE
limit is not enforced for core dumps that are piped to a program
via this mechanism.
.\"
.SS /proc/sys/kernel/core_pipe_limit
When collecting core dumps via a pipe to a user-space program,
it can be useful for the collecting program to gather data about
the crashing process from that process's
.IR /proc/ pid
directory.
In order to do this safely,
the kernel must wait for the program collecting the core dump to exit,
so as not to remove the crashing process's
.IR /proc/ pid
files prematurely.
This in turn creates the
possibility that a misbehaving collecting program can block
the reaping of a crashed process by simply never exiting.
.PP
Since Linux 2.6.32,
.\" commit a293980c2e261bd5b0d2a77340dd04f684caff58
the
.I /proc/sys/kernel/core_pipe_limit
can be used to defend against this possibility.
The value in this file defines how many concurrent crashing
processes may be piped to user-space programs in parallel.
If this value is exceeded, then those crashing processes above this value
are noted in the kernel log and their core dumps are skipped.
.PP
A value of 0 in this file is special.
It indicates that unlimited processes may be captured in parallel,
but that no waiting will take place (i.e., the collecting
program is not guaranteed access to
.IR /proc/<crashing\-PID> ).
The default value for this file is 0.
.\"
.SS Controlling which mappings are written to the core dump
Since Linux 2.6.23, the Linux-specific
.IR /proc/ pid /coredump_filter
file can be used to control which memory segments are written to the
core dump file in the event that a core dump is performed for the
process with the corresponding process ID.
.PP
The value in the file is a bit mask of memory mapping types (see
.BR mmap (2)).
If a bit is set in the mask, then memory mappings of the
corresponding type are dumped; otherwise they are not dumped.
The bits in this file have the following meanings:
.PP
.PD 0
.RS 4
.TP
bit 0
Dump anonymous private mappings.
.TP
bit 1
Dump anonymous shared mappings.
.TP
bit 2
Dump file-backed private mappings.
.TP
bit 3
Dump file-backed shared mappings.
.\" file-backed shared mappings of course also update the underlying
.\" mapped file.
.TP
bit 4 (since Linux 2.6.24)
Dump ELF headers.
.TP
bit 5 (since Linux 2.6.28)
Dump private huge pages.
.TP
bit 6 (since Linux 2.6.28)
Dump shared huge pages.
.TP
bit 7 (since Linux 4.4)
.\" commit ab27a8d04b32b6ee8c30c14c4afd1058e8addc82
Dump private DAX pages.
.TP
bit 8 (since Linux 4.4)
.\" commit ab27a8d04b32b6ee8c30c14c4afd1058e8addc82
Dump shared DAX pages.
.RE
.PD
.PP
By default, the following bits are set: 0, 1, 4 (if the
.B CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS
kernel configuration option is enabled), and 5.
This default can be modified at boot time using the
.I coredump_filter
boot option.
.PP
The value of this file is displayed in hexadecimal.
(The default value is thus displayed as 33.)
.PP
Memory-mapped I/O pages such as frame buffer are never dumped, and
virtual DSO
.RB ( vdso (7))
pages are always dumped, regardless of the
.I coredump_filter
value.
.PP
A child process created via
.BR fork (2)
inherits its parent's
.I coredump_filter
value;
the
.I coredump_filter
value is preserved across an
.BR execve (2).
.PP
It can be useful to set
.I coredump_filter
in the parent shell before running a program, for example:
.PP
.in +4n
.EX
.RB "$" " echo 0x7 > /proc/self/coredump_filter"
.RB "$" " ./some_program"
.EE
.in
.PP
This file is provided only if the kernel was built with the
.B CONFIG_ELF_CORE
configuration option.
.\"
.SS Core dumps and systemd
On systems using the
.BR systemd (1)
.I init
framework, core dumps may be placed in a location determined by
.BR systemd (1).
To do this,
.BR systemd (1)
employs the
.I core_pattern
feature that allows piping core dumps to a program.
One can verify this by checking whether core dumps are being piped to the
.BR systemd\-coredump (8)
program:
.PP
.in +4n
.EX
$ \fBcat /proc/sys/kernel/core_pattern\fP
|/usr/lib/systemd/systemd\-coredump %P %u %g %s %t %c %e
.EE
.in
.PP
In this case, core dumps will be placed in the location configured for
.BR systemd\-coredump (8),
typically as
.BR lz4 (1)
compressed files in the directory
.IR /var/lib/systemd/coredump/ .
One can list the core dumps that have been recorded by
.BR systemd\-coredump (8)
using
.BR coredumpctl (1):
.PP
.EX
$ \fBcoredumpctl list | tail \-5\fP
Wed 2017\-10\-11 22:25:30 CEST 2748 1000 1000 3 present /usr/bin/sleep
Thu 2017\-10\-12 06:29:10 CEST 2716 1000 1000 3 present /usr/bin/sleep
Thu 2017\-10\-12 06:30:50 CEST 2767 1000 1000 3 present /usr/bin/sleep
Thu 2017\-10\-12 06:37:40 CEST 2918 1000 1000 3 present /usr/bin/cat
Thu 2017\-10\-12 08:13:07 CEST 2955 1000 1000 3 present /usr/bin/cat
.EE
.PP
The information shown for each core dump includes the date and time
of the dump, the PID, UID, and GID of the dumping process,
the signal number that caused the core dump,
and the pathname of the executable that was being run by the dumped process.
Various options to
.BR coredumpctl (1)
allow a specified coredump file to be pulled from the
.BR systemd (1)
location into a specified file.
For example, to extract the core dump for PID 2955 shown above to a file named
.I core
in the current directory, one could use:
.PP
.in +4n
.EX
$ \fBcoredumpctl dump 2955 \-o core\fP
.EE
.in
.PP
For more extensive details, see the
.BR coredumpctl (1)
manual page.
.PP
To (persistently) disable the
.BR systemd (1)
mechanism that archives core dumps, restoring to something more like
traditional Linux behavior, one can set an override for the
.BR systemd (1)
mechanism, using something like:
.PP
.in +4n
.EX
# \fBecho "kernel.core_pattern=core.%p" > \e\fP
\fB /etc/sysctl.d/50\-coredump.conf\fP
# \fB/lib/systemd/systemd\-sysctl\fP
.EE
.in
.PP
It is also possible to temporarily (i.e., until the next reboot) change the
.I core_pattern
setting using a command such as the following
(which causes the names of core dump files to include the executable name
as well as the number of the signal which triggered the core dump):
.PP
.in +4n
.EX
# \fBsysctl \-w kernel.core_pattern="%e\-%s.core"\fP
.EE
.in
.\"
.SH NOTES
The
.BR gdb (1)
.I gcore
command can be used to obtain a core dump of a running process.
.PP
In Linux versions up to and including 2.6.27,
.\" Changed with commit 6409324b385f3f63a03645b4422e3be67348d922
if a multithreaded process (or, more precisely, a process that
shares its memory with another process by being created with the
.B CLONE_VM
flag of
.BR clone (2))
dumps core, then the process ID is always appended to the core filename,
unless the process ID was already included elsewhere in the
filename via a
.I %p
specification in
.IR /proc/sys/kernel/core_pattern .
(This is primarily useful when employing the obsolete
LinuxThreads implementation,
where each thread of a process has a different PID.)
.\" Always including the PID in the name of the core file made
.\" sense for LinuxThreads, where each thread had a unique PID,
.\" but doesn't seem to serve any purpose with NPTL, where all the
.\" threads in a process share the same PID (as POSIX.1 requires).
.\" Probably the behavior is maintained so that applications using
.\" LinuxThreads continue appending the PID (the kernel has no easy
.\" way of telling which threading implementation the user-space
.\" application is using). -- mtk, April 2006
.SH EXAMPLES
The program below can be used to demonstrate the use of the
pipe syntax in the
.I /proc/sys/kernel/core_pattern
file.
The following shell session demonstrates the use of this program
(compiled to create an executable named
.IR core_pattern_pipe_test ):
.PP
.in +4n
.EX
.RB "$" " cc \-o core_pattern_pipe_test core_pattern_pipe_test.c"
.RB "$" " su"
Password:
.RB "#" " echo \[dq]|$PWD/core_pattern_pipe_test %p \
UID=%u GID=%g sig=%s\[dq] > \e"
.B " /proc/sys/kernel/core_pattern"
.RB "#" " exit"
.RB "$" " sleep 100"
.BR "\[ha]\e" " # type control\-backslash"
Quit (core dumped)
.RB "$" " cat core.info"
argc=5
argc[0]=</home/mtk/core_pattern_pipe_test>
argc[1]=<20575>
argc[2]=<UID=1000>
argc[3]=<GID=100>
argc[4]=<sig=3>
Total bytes in core dump: 282624
.EE
.in
.SS Program source
\&
.EX
/* core_pattern_pipe_test.c */
#define _GNU_SOURCE
#include <sys/stat.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define BUF_SIZE 1024
int
main(int argc, char *argv[])
{
ssize_t nread, tot;
char buf[BUF_SIZE];
FILE *fp;
char cwd[PATH_MAX];
/* Change our current working directory to that of the
crashing process. */
snprintf(cwd, PATH_MAX, "/proc/%s/cwd", argv[1]);
chdir(cwd);
/* Write output to file "core.info" in that directory. */
fp = fopen("core.info", "w+");
if (fp == NULL)
exit(EXIT_FAILURE);
/* Display command\-line arguments given to core_pattern
pipe program. */
fprintf(fp, "argc=%d\en", argc);
for (size_t j = 0; j < argc; j++)
fprintf(fp, "argc[%zu]=<%s>\en", j, argv[j]);
/* Count bytes in standard input (the core dump). */
tot = 0;
while ((nread = read(STDIN_FILENO, buf, BUF_SIZE)) > 0)
tot += nread;
fprintf(fp, "Total bytes in core dump: %zd\en", tot);
fclose(fp);
exit(EXIT_SUCCESS);
}
.EE
.SH SEE ALSO
.BR bash (1),
.BR coredumpctl (1),
.BR gdb (1),
.BR getrlimit (2),
.BR mmap (2),
.BR prctl (2),
.BR sigaction (2),
.BR elf (5),
.BR proc (5),
.BR pthreads (7),
.BR signal (7),
.BR systemd\-coredump (8)
|