1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2017-2018 John H. Baldwin <jhb@FreeBSD.org>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 
29 #include <sys/param.h>
30 #ifndef WITHOUT_CAPSICUM
31 #include <sys/capsicum.h>
32 #endif
33 #ifdef __FreeBSD__
34 #include <sys/endian.h>
35 #else
36 #include <endian.h>
37 #endif
38 #include <sys/ioctl.h>
39 #include <sys/mman.h>
40 #include <sys/queue.h>
41 #include <sys/socket.h>
42 #include <machine/atomic.h>
43 #include <machine/specialreg.h>
44 #include <machine/vmm.h>
45 #include <netinet/in.h>
46 #include <assert.h>
47 #ifndef WITHOUT_CAPSICUM
48 #include <capsicum_helpers.h>
49 #endif
50 #include <err.h>
51 #include <errno.h>
52 #include <fcntl.h>
53 #include <netdb.h>
54 #include <pthread.h>
55 #include <pthread_np.h>
56 #include <stdbool.h>
57 #include <stdio.h>
58 #include <stdlib.h>
59 #include <string.h>
60 #include <sysexits.h>
61 #include <unistd.h>
62 #include <vmmapi.h>
63 
64 #include "bhyverun.h"
65 #include "config.h"
66 #include "debug.h"
67 #include "gdb.h"
68 #include "mem.h"
69 #include "mevent.h"
70 
71 /*
72  * GDB_SIGNAL_* numbers are part of the GDB remote protocol.  Most stops
73  * use SIGTRAP.
74  */
75 #define	GDB_SIGNAL_TRAP		5
76 
77 #define	GDB_BP_SIZE		1
78 #define	GDB_BP_INSTR		(uint8_t []){0xcc}
79 #define	GDB_PC_REGNAME		VM_REG_GUEST_RIP
80 
81 _Static_assert(sizeof(GDB_BP_INSTR) == GDB_BP_SIZE,
82     "GDB_BP_INSTR has wrong size");
83 
84 static void gdb_resume_vcpus(void);
85 static void check_command(int fd);
86 
87 static struct mevent *read_event, *write_event;
88 
89 static cpuset_t vcpus_active, vcpus_suspended, vcpus_waiting;
90 static pthread_mutex_t gdb_lock;
91 static pthread_cond_t idle_vcpus;
92 static bool first_stop, report_next_stop, swbreak_enabled;
93 
94 /*
95  * An I/O buffer contains 'capacity' bytes of room at 'data'.  For a
96  * read buffer, 'start' is unused and 'len' contains the number of
97  * valid bytes in the buffer.  For a write buffer, 'start' is set to
98  * the index of the next byte in 'data' to send, and 'len' contains
99  * the remaining number of valid bytes to send.
100  */
101 struct io_buffer {
102 	uint8_t *data;
103 	size_t capacity;
104 	size_t start;
105 	size_t len;
106 };
107 
108 struct breakpoint {
109 	uint64_t gpa;
110 	uint8_t shadow_inst[GDB_BP_SIZE];
111 	TAILQ_ENTRY(breakpoint) link;
112 };
113 
114 /*
115  * When a vCPU stops to due to an event that should be reported to the
116  * debugger, information about the event is stored in this structure.
117  * The vCPU thread then sets 'stopped_vcpu' if it is not already set
118  * and stops other vCPUs so the event can be reported.  The
119  * report_stop() function reports the event for the 'stopped_vcpu'
120  * vCPU.  When the debugger resumes execution via continue or step,
121  * the event for 'stopped_vcpu' is cleared.  vCPUs will loop in their
122  * event handlers until the associated event is reported or disabled.
123  *
124  * An idle vCPU will have all of the boolean fields set to false.
125  *
126  * When a vCPU is stepped, 'stepping' is set to true when the vCPU is
127  * released to execute the stepped instruction.  When the vCPU reports
128  * the stepping trap, 'stepped' is set.
129  *
130  * When a vCPU hits a breakpoint set by the debug server,
131  * 'hit_swbreak' is set to true.
132  */
133 struct vcpu_state {
134 	bool stepping;
135 	bool stepped;
136 	bool hit_swbreak;
137 };
138 
139 static struct io_buffer cur_comm, cur_resp;
140 static uint8_t cur_csum;
141 static struct vmctx *ctx;
142 static int cur_fd = -1;
143 static TAILQ_HEAD(, breakpoint) breakpoints;
144 static struct vcpu_state *vcpu_state;
145 static struct vcpu **vcpus;
146 static int cur_vcpu, stopped_vcpu;
147 static bool gdb_active = false;
148 
149 struct gdb_reg {
150 	enum vm_reg_name id;
151 	int size;
152 };
153 
154 static const struct gdb_reg gdb_regset[] = {
155 	{ .id = VM_REG_GUEST_RAX, .size = 8 },
156 	{ .id = VM_REG_GUEST_RBX, .size = 8 },
157 	{ .id = VM_REG_GUEST_RCX, .size = 8 },
158 	{ .id = VM_REG_GUEST_RDX, .size = 8 },
159 	{ .id = VM_REG_GUEST_RSI, .size = 8 },
160 	{ .id = VM_REG_GUEST_RDI, .size = 8 },
161 	{ .id = VM_REG_GUEST_RBP, .size = 8 },
162 	{ .id = VM_REG_GUEST_RSP, .size = 8 },
163 	{ .id = VM_REG_GUEST_R8, .size = 8 },
164 	{ .id = VM_REG_GUEST_R9, .size = 8 },
165 	{ .id = VM_REG_GUEST_R10, .size = 8 },
166 	{ .id = VM_REG_GUEST_R11, .size = 8 },
167 	{ .id = VM_REG_GUEST_R12, .size = 8 },
168 	{ .id = VM_REG_GUEST_R13, .size = 8 },
169 	{ .id = VM_REG_GUEST_R14, .size = 8 },
170 	{ .id = VM_REG_GUEST_R15, .size = 8 },
171 	{ .id = VM_REG_GUEST_RIP, .size = 8 },
172 	{ .id = VM_REG_GUEST_RFLAGS, .size = 4 },
173 	{ .id = VM_REG_GUEST_CS, .size = 4 },
174 	{ .id = VM_REG_GUEST_SS, .size = 4 },
175 	{ .id = VM_REG_GUEST_DS, .size = 4 },
176 	{ .id = VM_REG_GUEST_ES, .size = 4 },
177 	{ .id = VM_REG_GUEST_FS, .size = 4 },
178 	{ .id = VM_REG_GUEST_GS, .size = 4 },
179 };
180 
181 #ifdef GDB_LOG
182 #include <stdarg.h>
183 #include <stdio.h>
184 
185 static void __printflike(1, 2)
debug(const char * fmt,...)186 debug(const char *fmt, ...)
187 {
188 	static FILE *logfile;
189 	va_list ap;
190 
191 	if (logfile == NULL) {
192 		logfile = fopen("/tmp/bhyve_gdb.log", "w");
193 		if (logfile == NULL)
194 			return;
195 #ifndef WITHOUT_CAPSICUM
196 		if (caph_limit_stream(fileno(logfile), CAPH_WRITE) == -1) {
197 			fclose(logfile);
198 			logfile = NULL;
199 			return;
200 		}
201 #endif
202 		setlinebuf(logfile);
203 	}
204 	va_start(ap, fmt);
205 	vfprintf(logfile, fmt, ap);
206 	va_end(ap);
207 }
208 #else
209 #ifndef __FreeBSD__
210 /*
211  * A totally empty debug() makes the compiler grumpy due to how its used with
212  * some control flow here.
213  */
214 #define debug(...) do { } while (0)
215 #else
216 #define debug(...)
217 #endif
218 #endif
219 
220 static void	remove_all_sw_breakpoints(void);
221 
222 static int
guest_paging_info(struct vcpu * vcpu,struct vm_guest_paging * paging)223 guest_paging_info(struct vcpu *vcpu, struct vm_guest_paging *paging)
224 {
225 	uint64_t regs[4];
226 	const int regset[4] = {
227 		VM_REG_GUEST_CR0,
228 		VM_REG_GUEST_CR3,
229 		VM_REG_GUEST_CR4,
230 		VM_REG_GUEST_EFER
231 	};
232 
233 	if (vm_get_register_set(vcpu, nitems(regset), regset, regs) == -1)
234 		return (-1);
235 
236 	/*
237 	 * For the debugger, always pretend to be the kernel (CPL 0),
238 	 * and if long-mode is enabled, always parse addresses as if
239 	 * in 64-bit mode.
240 	 */
241 	paging->cr3 = regs[1];
242 	paging->cpl = 0;
243 	if (regs[3] & EFER_LMA)
244 		paging->cpu_mode = CPU_MODE_64BIT;
245 	else if (regs[0] & CR0_PE)
246 		paging->cpu_mode = CPU_MODE_PROTECTED;
247 	else
248 		paging->cpu_mode = CPU_MODE_REAL;
249 	if (!(regs[0] & CR0_PG))
250 		paging->paging_mode = PAGING_MODE_FLAT;
251 	else if (!(regs[2] & CR4_PAE))
252 		paging->paging_mode = PAGING_MODE_32;
253 	else if (regs[3] & EFER_LME)
254 		paging->paging_mode = PAGING_MODE_64;
255 	else
256 		paging->paging_mode = PAGING_MODE_PAE;
257 	return (0);
258 }
259 
260 /*
261  * Map a guest virtual address to a physical address (for a given vcpu).
262  * If a guest virtual address is valid, return 1.  If the address is
263  * not valid, return 0.  If an error occurs obtaining the mapping,
264  * return -1.
265  */
266 static int
guest_vaddr2paddr(struct vcpu * vcpu,uint64_t vaddr,uint64_t * paddr)267 guest_vaddr2paddr(struct vcpu *vcpu, uint64_t vaddr, uint64_t *paddr)
268 {
269 	struct vm_guest_paging paging;
270 	int fault;
271 
272 	if (guest_paging_info(vcpu, &paging) == -1)
273 		return (-1);
274 
275 	/*
276 	 * Always use PROT_READ.  We really care if the VA is
277 	 * accessible, not if the current vCPU can write.
278 	 */
279 	if (vm_gla2gpa_nofault(vcpu, &paging, vaddr, PROT_READ, paddr,
280 	    &fault) == -1)
281 		return (-1);
282 	if (fault)
283 		return (0);
284 	return (1);
285 }
286 
287 static uint64_t
guest_pc(struct vm_exit * vme)288 guest_pc(struct vm_exit *vme)
289 {
290 	return (vme->rip);
291 }
292 
293 static void
io_buffer_reset(struct io_buffer * io)294 io_buffer_reset(struct io_buffer *io)
295 {
296 
297 	io->start = 0;
298 	io->len = 0;
299 }
300 
301 /* Available room for adding data. */
302 static size_t
io_buffer_avail(struct io_buffer * io)303 io_buffer_avail(struct io_buffer *io)
304 {
305 
306 	return (io->capacity - (io->start + io->len));
307 }
308 
309 static uint8_t *
io_buffer_head(struct io_buffer * io)310 io_buffer_head(struct io_buffer *io)
311 {
312 
313 	return (io->data + io->start);
314 }
315 
316 static uint8_t *
io_buffer_tail(struct io_buffer * io)317 io_buffer_tail(struct io_buffer *io)
318 {
319 
320 	return (io->data + io->start + io->len);
321 }
322 
323 static void
io_buffer_advance(struct io_buffer * io,size_t amount)324 io_buffer_advance(struct io_buffer *io, size_t amount)
325 {
326 
327 	assert(amount <= io->len);
328 	io->start += amount;
329 	io->len -= amount;
330 }
331 
332 static void
io_buffer_consume(struct io_buffer * io,size_t amount)333 io_buffer_consume(struct io_buffer *io, size_t amount)
334 {
335 
336 	io_buffer_advance(io, amount);
337 	if (io->len == 0) {
338 		io->start = 0;
339 		return;
340 	}
341 
342 	/*
343 	 * XXX: Consider making this move optional and compacting on a
344 	 * future read() before realloc().
345 	 */
346 	memmove(io->data, io_buffer_head(io), io->len);
347 	io->start = 0;
348 }
349 
350 static void
io_buffer_grow(struct io_buffer * io,size_t newsize)351 io_buffer_grow(struct io_buffer *io, size_t newsize)
352 {
353 	uint8_t *new_data;
354 	size_t avail, new_cap;
355 
356 	avail = io_buffer_avail(io);
357 	if (newsize <= avail)
358 		return;
359 
360 	new_cap = io->capacity + (newsize - avail);
361 	new_data = realloc(io->data, new_cap);
362 	if (new_data == NULL)
363 		err(1, "Failed to grow GDB I/O buffer");
364 	io->data = new_data;
365 	io->capacity = new_cap;
366 }
367 
368 static bool
response_pending(void)369 response_pending(void)
370 {
371 
372 	if (cur_resp.start == 0 && cur_resp.len == 0)
373 		return (false);
374 	if (cur_resp.start + cur_resp.len == 1 && cur_resp.data[0] == '+')
375 		return (false);
376 	return (true);
377 }
378 
379 static void
close_connection(void)380 close_connection(void)
381 {
382 
383 	/*
384 	 * XXX: This triggers a warning because mevent does the close
385 	 * before the EV_DELETE.
386 	 */
387 	pthread_mutex_lock(&gdb_lock);
388 	mevent_delete(write_event);
389 	mevent_delete_close(read_event);
390 	write_event = NULL;
391 	read_event = NULL;
392 	io_buffer_reset(&cur_comm);
393 	io_buffer_reset(&cur_resp);
394 	cur_fd = -1;
395 
396 	remove_all_sw_breakpoints();
397 
398 	/* Clear any pending events. */
399 	memset(vcpu_state, 0, guest_ncpus * sizeof(*vcpu_state));
400 
401 	/* Resume any stopped vCPUs. */
402 	gdb_resume_vcpus();
403 	pthread_mutex_unlock(&gdb_lock);
404 }
405 
406 static uint8_t
hex_digit(uint8_t nibble)407 hex_digit(uint8_t nibble)
408 {
409 
410 	if (nibble <= 9)
411 		return (nibble + '0');
412 	else
413 		return (nibble + 'a' - 10);
414 }
415 
416 static uint8_t
parse_digit(uint8_t v)417 parse_digit(uint8_t v)
418 {
419 
420 	if (v >= '0' && v <= '9')
421 		return (v - '0');
422 	if (v >= 'a' && v <= 'f')
423 		return (v - 'a' + 10);
424 	if (v >= 'A' && v <= 'F')
425 		return (v - 'A' + 10);
426 	return (0xF);
427 }
428 
429 /* Parses big-endian hexadecimal. */
430 static uintmax_t
parse_integer(const uint8_t * p,size_t len)431 parse_integer(const uint8_t *p, size_t len)
432 {
433 	uintmax_t v;
434 
435 	v = 0;
436 	while (len > 0) {
437 		v <<= 4;
438 		v |= parse_digit(*p);
439 		p++;
440 		len--;
441 	}
442 	return (v);
443 }
444 
445 static uint8_t
parse_byte(const uint8_t * p)446 parse_byte(const uint8_t *p)
447 {
448 
449 	return (parse_digit(p[0]) << 4 | parse_digit(p[1]));
450 }
451 
452 static void
send_pending_data(int fd)453 send_pending_data(int fd)
454 {
455 	ssize_t nwritten;
456 
457 	if (cur_resp.len == 0) {
458 		mevent_disable(write_event);
459 		return;
460 	}
461 	nwritten = write(fd, io_buffer_head(&cur_resp), cur_resp.len);
462 	if (nwritten == -1) {
463 		warn("Write to GDB socket failed");
464 		close_connection();
465 	} else {
466 		io_buffer_advance(&cur_resp, nwritten);
467 		if (cur_resp.len == 0)
468 			mevent_disable(write_event);
469 		else
470 			mevent_enable(write_event);
471 	}
472 }
473 
474 /* Append a single character to the output buffer. */
475 static void
send_char(uint8_t data)476 send_char(uint8_t data)
477 {
478 	io_buffer_grow(&cur_resp, 1);
479 	*io_buffer_tail(&cur_resp) = data;
480 	cur_resp.len++;
481 }
482 
483 /* Append an array of bytes to the output buffer. */
484 static void
send_data(const uint8_t * data,size_t len)485 send_data(const uint8_t *data, size_t len)
486 {
487 
488 	io_buffer_grow(&cur_resp, len);
489 	memcpy(io_buffer_tail(&cur_resp), data, len);
490 	cur_resp.len += len;
491 }
492 
493 static void
format_byte(uint8_t v,uint8_t * buf)494 format_byte(uint8_t v, uint8_t *buf)
495 {
496 
497 	buf[0] = hex_digit(v >> 4);
498 	buf[1] = hex_digit(v & 0xf);
499 }
500 
501 /*
502  * Append a single byte (formatted as two hex characters) to the
503  * output buffer.
504  */
505 static void
send_byte(uint8_t v)506 send_byte(uint8_t v)
507 {
508 	uint8_t buf[2];
509 
510 	format_byte(v, buf);
511 	send_data(buf, sizeof(buf));
512 }
513 
514 static void
start_packet(void)515 start_packet(void)
516 {
517 
518 	send_char('$');
519 	cur_csum = 0;
520 }
521 
522 static void
finish_packet(void)523 finish_packet(void)
524 {
525 
526 	send_char('#');
527 	send_byte(cur_csum);
528 	debug("-> %.*s\n", (int)cur_resp.len, io_buffer_head(&cur_resp));
529 }
530 
531 /*
532  * Append a single character (for the packet payload) and update the
533  * checksum.
534  */
535 static void
append_char(uint8_t v)536 append_char(uint8_t v)
537 {
538 
539 	send_char(v);
540 	cur_csum += v;
541 }
542 
543 /*
544  * Append an array of bytes (for the packet payload) and update the
545  * checksum.
546  */
547 static void
append_packet_data(const uint8_t * data,size_t len)548 append_packet_data(const uint8_t *data, size_t len)
549 {
550 
551 	send_data(data, len);
552 	while (len > 0) {
553 		cur_csum += *data;
554 		data++;
555 		len--;
556 	}
557 }
558 
559 static void
append_string(const char * str)560 append_string(const char *str)
561 {
562 
563 #ifdef __FreeBSD__
564 	append_packet_data(str, strlen(str));
565 #else
566 	append_packet_data((const uint8_t *)str, strlen(str));
567 #endif
568 }
569 
570 static void
append_byte(uint8_t v)571 append_byte(uint8_t v)
572 {
573 	uint8_t buf[2];
574 
575 	format_byte(v, buf);
576 	append_packet_data(buf, sizeof(buf));
577 }
578 
579 static void
append_unsigned_native(uintmax_t value,size_t len)580 append_unsigned_native(uintmax_t value, size_t len)
581 {
582 	size_t i;
583 
584 	for (i = 0; i < len; i++) {
585 		append_byte(value);
586 		value >>= 8;
587 	}
588 }
589 
590 static void
append_unsigned_be(uintmax_t value,size_t len)591 append_unsigned_be(uintmax_t value, size_t len)
592 {
593 	char buf[len * 2];
594 	size_t i;
595 
596 	for (i = 0; i < len; i++) {
597 #ifdef __FreeBSD__
598 		format_byte(value, buf + (len - i - 1) * 2);
599 #else
600 		format_byte(value, (uint8_t *)(buf + (len - i - 1) * 2));
601 #endif
602 		value >>= 8;
603 	}
604 #ifdef __FreeBSD__
605 	append_packet_data(buf, sizeof(buf));
606 #else
607 	append_packet_data((const uint8_t *)buf, sizeof(buf));
608 #endif
609 }
610 
611 static void
append_integer(unsigned int value)612 append_integer(unsigned int value)
613 {
614 
615 	if (value == 0)
616 		append_char('0');
617 	else
618 		append_unsigned_be(value, (fls(value) + 7) / 8);
619 }
620 
621 static void
append_asciihex(const char * str)622 append_asciihex(const char *str)
623 {
624 
625 	while (*str != '\0') {
626 		append_byte(*str);
627 		str++;
628 	}
629 }
630 
631 static void
send_empty_response(void)632 send_empty_response(void)
633 {
634 
635 	start_packet();
636 	finish_packet();
637 }
638 
639 static void
send_error(int error)640 send_error(int error)
641 {
642 
643 	start_packet();
644 	append_char('E');
645 	append_byte(error);
646 	finish_packet();
647 }
648 
649 static void
send_ok(void)650 send_ok(void)
651 {
652 
653 	start_packet();
654 	append_string("OK");
655 	finish_packet();
656 }
657 
658 static int
parse_threadid(const uint8_t * data,size_t len)659 parse_threadid(const uint8_t *data, size_t len)
660 {
661 
662 	if (len == 1 && *data == '0')
663 		return (0);
664 	if (len == 2 && memcmp(data, "-1", 2) == 0)
665 		return (-1);
666 	if (len == 0)
667 		return (-2);
668 	return (parse_integer(data, len));
669 }
670 
671 /*
672  * Report the current stop event to the debugger.  If the stop is due
673  * to an event triggered on a specific vCPU such as a breakpoint or
674  * stepping trap, stopped_vcpu will be set to the vCPU triggering the
675  * stop.  If 'set_cur_vcpu' is true, then cur_vcpu will be updated to
676  * the reporting vCPU for vCPU events.
677  */
678 static void
report_stop(bool set_cur_vcpu)679 report_stop(bool set_cur_vcpu)
680 {
681 	struct vcpu_state *vs;
682 
683 	start_packet();
684 	if (stopped_vcpu == -1) {
685 		append_char('S');
686 		append_byte(GDB_SIGNAL_TRAP);
687 	} else {
688 		vs = &vcpu_state[stopped_vcpu];
689 		if (set_cur_vcpu)
690 			cur_vcpu = stopped_vcpu;
691 		append_char('T');
692 		append_byte(GDB_SIGNAL_TRAP);
693 		append_string("thread:");
694 		append_integer(stopped_vcpu + 1);
695 		append_char(';');
696 		if (vs->hit_swbreak) {
697 			debug("$vCPU %d reporting swbreak\n", stopped_vcpu);
698 			if (swbreak_enabled)
699 				append_string("swbreak:;");
700 		} else if (vs->stepped)
701 			debug("$vCPU %d reporting step\n", stopped_vcpu);
702 		else
703 			debug("$vCPU %d reporting ???\n", stopped_vcpu);
704 	}
705 	finish_packet();
706 	report_next_stop = false;
707 }
708 
709 /*
710  * If this stop is due to a vCPU event, clear that event to mark it as
711  * acknowledged.
712  */
713 static void
discard_stop(void)714 discard_stop(void)
715 {
716 	struct vcpu_state *vs;
717 
718 	if (stopped_vcpu != -1) {
719 		vs = &vcpu_state[stopped_vcpu];
720 		vs->hit_swbreak = false;
721 		vs->stepped = false;
722 		stopped_vcpu = -1;
723 	}
724 	report_next_stop = true;
725 }
726 
727 static void
gdb_finish_suspend_vcpus(void)728 gdb_finish_suspend_vcpus(void)
729 {
730 
731 	if (first_stop) {
732 		first_stop = false;
733 		stopped_vcpu = -1;
734 	} else if (report_next_stop) {
735 		assert(!response_pending());
736 		report_stop(true);
737 		send_pending_data(cur_fd);
738 	}
739 }
740 
741 /*
742  * vCPU threads invoke this function whenever the vCPU enters the
743  * debug server to pause or report an event.  vCPU threads wait here
744  * as long as the debug server keeps them suspended.
745  */
746 static void
_gdb_cpu_suspend(struct vcpu * vcpu,bool report_stop)747 _gdb_cpu_suspend(struct vcpu *vcpu, bool report_stop)
748 {
749 	int vcpuid = vcpu_id(vcpu);
750 
751 	debug("$vCPU %d suspending\n", vcpuid);
752 	CPU_SET(vcpuid, &vcpus_waiting);
753 	if (report_stop && CPU_CMP(&vcpus_waiting, &vcpus_suspended) == 0)
754 		gdb_finish_suspend_vcpus();
755 	while (CPU_ISSET(vcpuid, &vcpus_suspended))
756 		pthread_cond_wait(&idle_vcpus, &gdb_lock);
757 	CPU_CLR(vcpuid, &vcpus_waiting);
758 	debug("$vCPU %d resuming\n", vcpuid);
759 }
760 
761 /*
762  * Invoked at the start of a vCPU thread's execution to inform the
763  * debug server about the new thread.
764  */
765 void
gdb_cpu_add(struct vcpu * vcpu)766 gdb_cpu_add(struct vcpu *vcpu)
767 {
768 	int vcpuid;
769 
770 	if (!gdb_active)
771 		return;
772 	vcpuid = vcpu_id(vcpu);
773 	debug("$vCPU %d starting\n", vcpuid);
774 	pthread_mutex_lock(&gdb_lock);
775 	assert(vcpuid < guest_ncpus);
776 	assert(vcpus[vcpuid] == NULL);
777 	vcpus[vcpuid] = vcpu;
778 	CPU_SET(vcpuid, &vcpus_active);
779 	if (!TAILQ_EMPTY(&breakpoints)) {
780 		vm_set_capability(vcpu, VM_CAP_BPT_EXIT, 1);
781 		debug("$vCPU %d enabled breakpoint exits\n", vcpuid);
782 	}
783 
784 	/*
785 	 * If a vcpu is added while vcpus are stopped, suspend the new
786 	 * vcpu so that it will pop back out with a debug exit before
787 	 * executing the first instruction.
788 	 */
789 	if (!CPU_EMPTY(&vcpus_suspended)) {
790 		CPU_SET(vcpuid, &vcpus_suspended);
791 		_gdb_cpu_suspend(vcpu, false);
792 	}
793 	pthread_mutex_unlock(&gdb_lock);
794 }
795 
796 /*
797  * Invoked by vCPU before resuming execution.  This enables stepping
798  * if the vCPU is marked as stepping.
799  */
800 static void
gdb_cpu_resume(struct vcpu * vcpu)801 gdb_cpu_resume(struct vcpu *vcpu)
802 {
803 	struct vcpu_state *vs;
804 	int error;
805 
806 	vs = &vcpu_state[vcpu_id(vcpu)];
807 
808 	/*
809 	 * Any pending event should already be reported before
810 	 * resuming.
811 	 */
812 	assert(vs->hit_swbreak == false);
813 	assert(vs->stepped == false);
814 	if (vs->stepping) {
815 		error = vm_set_capability(vcpu, VM_CAP_MTRAP_EXIT, 1);
816 		assert(error == 0);
817 	}
818 }
819 
820 /*
821  * Handler for VM_EXITCODE_DEBUG used to suspend a vCPU when the guest
822  * has been suspended due to an event on different vCPU or in response
823  * to a guest-wide suspend such as Ctrl-C or the stop on attach.
824  */
825 void
gdb_cpu_suspend(struct vcpu * vcpu)826 gdb_cpu_suspend(struct vcpu *vcpu)
827 {
828 
829 	if (!gdb_active)
830 		return;
831 	pthread_mutex_lock(&gdb_lock);
832 	_gdb_cpu_suspend(vcpu, true);
833 	gdb_cpu_resume(vcpu);
834 	pthread_mutex_unlock(&gdb_lock);
835 }
836 
837 static void
gdb_suspend_vcpus(void)838 gdb_suspend_vcpus(void)
839 {
840 
841 	assert(pthread_mutex_isowned_np(&gdb_lock));
842 	debug("suspending all CPUs\n");
843 	vcpus_suspended = vcpus_active;
844 	vm_suspend_all_cpus(ctx);
845 	if (CPU_CMP(&vcpus_waiting, &vcpus_suspended) == 0)
846 		gdb_finish_suspend_vcpus();
847 }
848 
849 /*
850  * Handler for VM_EXITCODE_MTRAP reported when a vCPU single-steps via
851  * the VT-x-specific MTRAP exit.
852  */
853 void
gdb_cpu_mtrap(struct vcpu * vcpu)854 gdb_cpu_mtrap(struct vcpu *vcpu)
855 {
856 	struct vcpu_state *vs;
857 	int vcpuid;
858 
859 	if (!gdb_active)
860 		return;
861 	vcpuid = vcpu_id(vcpu);
862 	debug("$vCPU %d MTRAP\n", vcpuid);
863 	pthread_mutex_lock(&gdb_lock);
864 	vs = &vcpu_state[vcpuid];
865 	if (vs->stepping) {
866 		vs->stepping = false;
867 		vs->stepped = true;
868 		vm_set_capability(vcpu, VM_CAP_MTRAP_EXIT, 0);
869 		while (vs->stepped) {
870 			if (stopped_vcpu == -1) {
871 				debug("$vCPU %d reporting step\n", vcpuid);
872 				stopped_vcpu = vcpuid;
873 				gdb_suspend_vcpus();
874 			}
875 			_gdb_cpu_suspend(vcpu, true);
876 		}
877 		gdb_cpu_resume(vcpu);
878 	}
879 	pthread_mutex_unlock(&gdb_lock);
880 }
881 
882 static struct breakpoint *
find_breakpoint(uint64_t gpa)883 find_breakpoint(uint64_t gpa)
884 {
885 	struct breakpoint *bp;
886 
887 	TAILQ_FOREACH(bp, &breakpoints, link) {
888 		if (bp->gpa == gpa)
889 			return (bp);
890 	}
891 	return (NULL);
892 }
893 
894 void
gdb_cpu_breakpoint(struct vcpu * vcpu,struct vm_exit * vmexit)895 gdb_cpu_breakpoint(struct vcpu *vcpu, struct vm_exit *vmexit)
896 {
897 	struct breakpoint *bp;
898 	struct vcpu_state *vs;
899 	uint64_t gpa;
900 	int error, vcpuid;
901 
902 	if (!gdb_active) {
903 		EPRINTLN("vm_loop: unexpected VMEXIT_DEBUG");
904 		exit(4);
905 	}
906 	vcpuid = vcpu_id(vcpu);
907 	pthread_mutex_lock(&gdb_lock);
908 	error = guest_vaddr2paddr(vcpu, guest_pc(vmexit), &gpa);
909 	assert(error == 1);
910 	bp = find_breakpoint(gpa);
911 	if (bp != NULL) {
912 		vs = &vcpu_state[vcpuid];
913 		assert(vs->stepping == false);
914 		assert(vs->stepped == false);
915 		assert(vs->hit_swbreak == false);
916 		vs->hit_swbreak = true;
917 		vm_set_register(vcpu, GDB_PC_REGNAME, guest_pc(vmexit));
918 		for (;;) {
919 			if (stopped_vcpu == -1) {
920 				debug("$vCPU %d reporting breakpoint at rip %#lx\n",
921 				    vcpuid, guest_pc(vmexit));
922 				stopped_vcpu = vcpuid;
923 				gdb_suspend_vcpus();
924 			}
925 			_gdb_cpu_suspend(vcpu, true);
926 			if (!vs->hit_swbreak) {
927 				/* Breakpoint reported. */
928 				break;
929 			}
930 			bp = find_breakpoint(gpa);
931 			if (bp == NULL) {
932 				/* Breakpoint was removed. */
933 				vs->hit_swbreak = false;
934 				break;
935 			}
936 		}
937 		gdb_cpu_resume(vcpu);
938 	} else {
939 		debug("$vCPU %d injecting breakpoint at rip %#lx\n", vcpuid,
940 		    guest_pc(vmexit));
941 		error = vm_set_register(vcpu, VM_REG_GUEST_ENTRY_INST_LENGTH,
942 		    vmexit->u.bpt.inst_length);
943 		assert(error == 0);
944 		error = vm_inject_exception(vcpu, IDT_BP, 0, 0, 0);
945 		assert(error == 0);
946 	}
947 	pthread_mutex_unlock(&gdb_lock);
948 }
949 
950 static bool
gdb_step_vcpu(struct vcpu * vcpu)951 gdb_step_vcpu(struct vcpu *vcpu)
952 {
953 	int error, val, vcpuid;
954 
955 	vcpuid = vcpu_id(vcpu);
956 	debug("$vCPU %d step\n", vcpuid);
957 	error = vm_get_capability(vcpu, VM_CAP_MTRAP_EXIT, &val);
958 	if (error < 0)
959 		return (false);
960 
961 	discard_stop();
962 	vcpu_state[vcpuid].stepping = true;
963 	vm_resume_cpu(vcpu);
964 	CPU_CLR(vcpuid, &vcpus_suspended);
965 	pthread_cond_broadcast(&idle_vcpus);
966 	return (true);
967 }
968 
969 static void
gdb_resume_vcpus(void)970 gdb_resume_vcpus(void)
971 {
972 
973 	assert(pthread_mutex_isowned_np(&gdb_lock));
974 	vm_resume_all_cpus(ctx);
975 	debug("resuming all CPUs\n");
976 	CPU_ZERO(&vcpus_suspended);
977 	pthread_cond_broadcast(&idle_vcpus);
978 }
979 
980 static void
gdb_read_regs(void)981 gdb_read_regs(void)
982 {
983 	uint64_t regvals[nitems(gdb_regset)];
984 	int regnums[nitems(gdb_regset)];
985 
986 	for (size_t i = 0; i < nitems(gdb_regset); i++)
987 		regnums[i] = gdb_regset[i].id;
988 	if (vm_get_register_set(vcpus[cur_vcpu], nitems(gdb_regset),
989 	    regnums, regvals) == -1) {
990 		send_error(errno);
991 		return;
992 	}
993 	start_packet();
994 	for (size_t i = 0; i < nitems(gdb_regset); i++)
995 		append_unsigned_native(regvals[i], gdb_regset[i].size);
996 	finish_packet();
997 }
998 
999 static void
gdb_read_one_reg(const uint8_t * data,size_t len)1000 gdb_read_one_reg(const uint8_t *data, size_t len)
1001 {
1002 	uint64_t regval;
1003 	uintmax_t reg;
1004 
1005 	reg = parse_integer(data, len);
1006 	if (reg >= nitems(gdb_regset)) {
1007 		send_error(EINVAL);
1008 		return;
1009 	}
1010 
1011 	if (vm_get_register(vcpus[cur_vcpu], gdb_regset[reg].id, ®val) ==
1012 	    -1) {
1013 		send_error(errno);
1014 		return;
1015 	}
1016 
1017 	start_packet();
1018 	append_unsigned_native(regval, gdb_regset[reg].size);
1019 	finish_packet();
1020 }
1021 
1022 static void
gdb_read_mem(const uint8_t * data,size_t len)1023 gdb_read_mem(const uint8_t *data, size_t len)
1024 {
1025 	uint64_t gpa, gva, val;
1026 	uint8_t *cp;
1027 	size_t resid, todo, bytes;
1028 	bool started;
1029 	int error;
1030 
1031 	assert(len >= 1);
1032 
1033 	/* Skip 'm' */
1034 	data += 1;
1035 	len -= 1;
1036 
1037 	/* Parse and consume address. */
1038 	cp = memchr(data, ',', len);
1039 	if (cp == NULL || cp == data) {
1040 		send_error(EINVAL);
1041 		return;
1042 	}
1043 	gva = parse_integer(data, cp - data);
1044 	len -= (cp - data) + 1;
1045 	data += (cp - data) + 1;
1046 
1047 	/* Parse length. */
1048 	resid = parse_integer(data, len);
1049 
1050 	started = false;
1051 	while (resid > 0) {
1052 		error = guest_vaddr2paddr(vcpus[cur_vcpu], gva, &gpa);
1053 		if (error == -1) {
1054 			if (started)
1055 				finish_packet();
1056 			else
1057 				send_error(errno);
1058 			return;
1059 		}
1060 		if (error == 0) {
1061 			if (started)
1062 				finish_packet();
1063 			else
1064 				send_error(EFAULT);
1065 			return;
1066 		}
1067 
1068 		/* Read bytes from current page. */
1069 		todo = getpagesize() - gpa % getpagesize();
1070 		if (todo > resid)
1071 			todo = resid;
1072 
1073 		cp = paddr_guest2host(ctx, gpa, todo);
1074 		if (cp != NULL) {
1075 			/*
1076 			 * If this page is guest RAM, read it a byte
1077 			 * at a time.
1078 			 */
1079 			if (!started) {
1080 				start_packet();
1081 				started = true;
1082 			}
1083 			while (todo > 0) {
1084 				append_byte(*cp);
1085 				cp++;
1086 				gpa++;
1087 				gva++;
1088 				resid--;
1089 				todo--;
1090 			}
1091 		} else {
1092 			/*
1093 			 * If this page isn't guest RAM, try to handle
1094 			 * it via MMIO.  For MMIO requests, use
1095 			 * aligned reads of words when possible.
1096 			 */
1097 			while (todo > 0) {
1098 				if (gpa & 1 || todo == 1)
1099 					bytes = 1;
1100 				else if (gpa & 2 || todo == 2)
1101 					bytes = 2;
1102 				else
1103 					bytes = 4;
1104 				error = read_mem(vcpus[cur_vcpu], gpa, &val,
1105 				    bytes);
1106 				if (error == 0) {
1107 					if (!started) {
1108 						start_packet();
1109 						started = true;
1110 					}
1111 					gpa += bytes;
1112 					gva += bytes;
1113 					resid -= bytes;
1114 					todo -= bytes;
1115 					while (bytes > 0) {
1116 						append_byte(val);
1117 						val >>= 8;
1118 						bytes--;
1119 					}
1120 				} else {
1121 					if (started)
1122 						finish_packet();
1123 					else
1124 						send_error(EFAULT);
1125 					return;
1126 				}
1127 			}
1128 		}
1129 		assert(resid == 0 || gpa % getpagesize() == 0);
1130 	}
1131 	if (!started)
1132 		start_packet();
1133 	finish_packet();
1134 }
1135 
1136 static void
gdb_write_mem(const uint8_t * data,size_t len)1137 gdb_write_mem(const uint8_t *data, size_t len)
1138 {
1139 	uint64_t gpa, gva, val;
1140 	uint8_t *cp;
1141 	size_t resid, todo, bytes;
1142 	int error;
1143 
1144 	assert(len >= 1);
1145 
1146 	/* Skip 'M' */
1147 	data += 1;
1148 	len -= 1;
1149 
1150 	/* Parse and consume address. */
1151 	cp = memchr(data, ',', len);
1152 	if (cp == NULL || cp == data) {
1153 		send_error(EINVAL);
1154 		return;
1155 	}
1156 	gva = parse_integer(data, cp - data);
1157 	len -= (cp - data) + 1;
1158 	data += (cp - data) + 1;
1159 
1160 	/* Parse and consume length. */
1161 	cp = memchr(data, ':', len);
1162 	if (cp == NULL || cp == data) {
1163 		send_error(EINVAL);
1164 		return;
1165 	}
1166 	resid = parse_integer(data, cp - data);
1167 	len -= (cp - data) + 1;
1168 	data += (cp - data) + 1;
1169 
1170 	/* Verify the available bytes match the length. */
1171 	if (len != resid * 2) {
1172 		send_error(EINVAL);
1173 		return;
1174 	}
1175 
1176 	while (resid > 0) {
1177 		error = guest_vaddr2paddr(vcpus[cur_vcpu], gva, &gpa);
1178 		if (error == -1) {
1179 			send_error(errno);
1180 			return;
1181 		}
1182 		if (error == 0) {
1183 			send_error(EFAULT);
1184 			return;
1185 		}
1186 
1187 		/* Write bytes to current page. */
1188 		todo = getpagesize() - gpa % getpagesize();
1189 		if (todo > resid)
1190 			todo = resid;
1191 
1192 		cp = paddr_guest2host(ctx, gpa, todo);
1193 		if (cp != NULL) {
1194 			/*
1195 			 * If this page is guest RAM, write it a byte
1196 			 * at a time.
1197 			 */
1198 			while (todo > 0) {
1199 				assert(len >= 2);
1200 				*cp = parse_byte(data);
1201 				data += 2;
1202 				len -= 2;
1203 				cp++;
1204 				gpa++;
1205 				gva++;
1206 				resid--;
1207 				todo--;
1208 			}
1209 		} else {
1210 			/*
1211 			 * If this page isn't guest RAM, try to handle
1212 			 * it via MMIO.  For MMIO requests, use
1213 			 * aligned writes of words when possible.
1214 			 */
1215 			while (todo > 0) {
1216 				if (gpa & 1 || todo == 1) {
1217 					bytes = 1;
1218 					val = parse_byte(data);
1219 				} else if (gpa & 2 || todo == 2) {
1220 					bytes = 2;
1221 					val = be16toh(parse_integer(data, 4));
1222 				} else {
1223 					bytes = 4;
1224 					val = be32toh(parse_integer(data, 8));
1225 				}
1226 				error = write_mem(vcpus[cur_vcpu], gpa, val,
1227 				    bytes);
1228 				if (error == 0) {
1229 					gpa += bytes;
1230 					gva += bytes;
1231 					resid -= bytes;
1232 					todo -= bytes;
1233 					data += 2 * bytes;
1234 					len -= 2 * bytes;
1235 				} else {
1236 					send_error(EFAULT);
1237 					return;
1238 				}
1239 			}
1240 		}
1241 		assert(resid == 0 || gpa % getpagesize() == 0);
1242 	}
1243 	assert(len == 0);
1244 	send_ok();
1245 }
1246 
1247 static bool
set_breakpoint_caps(bool enable)1248 set_breakpoint_caps(bool enable)
1249 {
1250 	cpuset_t mask;
1251 	int vcpu;
1252 
1253 	mask = vcpus_active;
1254 	while (!CPU_EMPTY(&mask)) {
1255 		vcpu = CPU_FFS(&mask) - 1;
1256 		CPU_CLR(vcpu, &mask);
1257 		if (vm_set_capability(vcpus[vcpu], VM_CAP_BPT_EXIT,
1258 		    enable ? 1 : 0) < 0)
1259 			return (false);
1260 		debug("$vCPU %d %sabled breakpoint exits\n", vcpu,
1261 		    enable ? "en" : "dis");
1262 	}
1263 	return (true);
1264 }
1265 
1266 static void
remove_all_sw_breakpoints(void)1267 remove_all_sw_breakpoints(void)
1268 {
1269 	struct breakpoint *bp, *nbp;
1270 	uint8_t *cp;
1271 
1272 	if (TAILQ_EMPTY(&breakpoints))
1273 		return;
1274 
1275 	TAILQ_FOREACH_SAFE(bp, &breakpoints, link, nbp) {
1276 		debug("remove breakpoint at %#lx\n", bp->gpa);
1277 		cp = paddr_guest2host(ctx, bp->gpa, sizeof(bp->shadow_inst));
1278 		memcpy(cp, bp->shadow_inst, sizeof(bp->shadow_inst));
1279 		TAILQ_REMOVE(&breakpoints, bp, link);
1280 		free(bp);
1281 	}
1282 	TAILQ_INIT(&breakpoints);
1283 	set_breakpoint_caps(false);
1284 }
1285 
1286 static void
update_sw_breakpoint(uint64_t gva,int kind,bool insert)1287 update_sw_breakpoint(uint64_t gva, int kind, bool insert)
1288 {
1289 	struct breakpoint *bp;
1290 	uint64_t gpa;
1291 	uint8_t *cp;
1292 	int error;
1293 
1294 	if (kind != GDB_BP_SIZE) {
1295 		send_error(EINVAL);
1296 		return;
1297 	}
1298 
1299 	error = guest_vaddr2paddr(vcpus[cur_vcpu], gva, &gpa);
1300 	if (error == -1) {
1301 		send_error(errno);
1302 		return;
1303 	}
1304 	if (error == 0) {
1305 		send_error(EFAULT);
1306 		return;
1307 	}
1308 
1309 	cp = paddr_guest2host(ctx, gpa, sizeof(bp->shadow_inst));
1310 
1311 	/* Only permit breakpoints in guest RAM. */
1312 	if (cp == NULL) {
1313 		send_error(EFAULT);
1314 		return;
1315 	}
1316 
1317 	/* Find any existing breakpoint. */
1318 	bp = find_breakpoint(gpa);
1319 
1320 	/*
1321 	 * Silently ignore duplicate commands since the protocol
1322 	 * requires these packets to be idempotent.
1323 	 */
1324 	if (insert) {
1325 		if (bp == NULL) {
1326 			if (TAILQ_EMPTY(&breakpoints) &&
1327 			    !set_breakpoint_caps(true)) {
1328 				send_empty_response();
1329 				return;
1330 			}
1331 			bp = malloc(sizeof(*bp));
1332 			bp->gpa = gpa;
1333 			memcpy(bp->shadow_inst, cp, sizeof(bp->shadow_inst));
1334 			memcpy(cp, GDB_BP_INSTR, sizeof(bp->shadow_inst));
1335 			TAILQ_INSERT_TAIL(&breakpoints, bp, link);
1336 			debug("new breakpoint at %#lx\n", gpa);
1337 		}
1338 	} else {
1339 		if (bp != NULL) {
1340 			debug("remove breakpoint at %#lx\n", gpa);
1341 			memcpy(cp, bp->shadow_inst, sizeof(bp->shadow_inst));
1342 			TAILQ_REMOVE(&breakpoints, bp, link);
1343 			free(bp);
1344 			if (TAILQ_EMPTY(&breakpoints))
1345 				set_breakpoint_caps(false);
1346 		}
1347 	}
1348 	send_ok();
1349 }
1350 
1351 static void
parse_breakpoint(const uint8_t * data,size_t len)1352 parse_breakpoint(const uint8_t *data, size_t len)
1353 {
1354 	uint64_t gva;
1355 	uint8_t *cp;
1356 	bool insert;
1357 	int kind, type;
1358 
1359 	insert = data[0] == 'Z';
1360 
1361 	/* Skip 'Z/z' */
1362 	data += 1;
1363 	len -= 1;
1364 
1365 	/* Parse and consume type. */
1366 	cp = memchr(data, ',', len);
1367 	if (cp == NULL || cp == data) {
1368 		send_error(EINVAL);
1369 		return;
1370 	}
1371 	type = parse_integer(data, cp - data);
1372 	len -= (cp - data) + 1;
1373 	data += (cp - data) + 1;
1374 
1375 	/* Parse and consume address. */
1376 	cp = memchr(data, ',', len);
1377 	if (cp == NULL || cp == data) {
1378 		send_error(EINVAL);
1379 		return;
1380 	}
1381 	gva = parse_integer(data, cp - data);
1382 	len -= (cp - data) + 1;
1383 	data += (cp - data) + 1;
1384 
1385 	/* Parse and consume kind. */
1386 	cp = memchr(data, ';', len);
1387 	if (cp == data) {
1388 		send_error(EINVAL);
1389 		return;
1390 	}
1391 	if (cp != NULL) {
1392 		/*
1393 		 * We do not advertise support for either the
1394 		 * ConditionalBreakpoints or BreakpointCommands
1395 		 * features, so we should not be getting conditions or
1396 		 * commands from the remote end.
1397 		 */
1398 		send_empty_response();
1399 		return;
1400 	}
1401 	kind = parse_integer(data, len);
1402 	data += len;
1403 	len = 0;
1404 
1405 	switch (type) {
1406 	case 0:
1407 		update_sw_breakpoint(gva, kind, insert);
1408 		break;
1409 	default:
1410 		send_empty_response();
1411 		break;
1412 	}
1413 }
1414 
1415 static bool
command_equals(const uint8_t * data,size_t len,const char * cmd)1416 command_equals(const uint8_t *data, size_t len, const char *cmd)
1417 {
1418 
1419 	if (strlen(cmd) > len)
1420 		return (false);
1421 	return (memcmp(data, cmd, strlen(cmd)) == 0);
1422 }
1423 
1424 static void
check_features(const uint8_t * data,size_t len)1425 check_features(const uint8_t *data, size_t len)
1426 {
1427 	char *feature, *next_feature, *str, *value;
1428 	bool supported;
1429 
1430 	str = malloc(len + 1);
1431 	memcpy(str, data, len);
1432 	str[len] = '\0';
1433 	next_feature = str;
1434 
1435 	while ((feature = strsep(&next_feature, ";")) != NULL) {
1436 		/*
1437 		 * Null features shouldn't exist, but skip if they
1438 		 * do.
1439 		 */
1440 		if (strcmp(feature, "") == 0)
1441 			continue;
1442 
1443 		/*
1444 		 * Look for the value or supported / not supported
1445 		 * flag.
1446 		 */
1447 		value = strchr(feature, '=');
1448 		if (value != NULL) {
1449 			*value = '\0';
1450 			value++;
1451 			supported = true;
1452 		} else {
1453 			value = feature + strlen(feature) - 1;
1454 			switch (*value) {
1455 			case '+':
1456 				supported = true;
1457 				break;
1458 			case '-':
1459 				supported = false;
1460 				break;
1461 			default:
1462 				/*
1463 				 * This is really a protocol error,
1464 				 * but we just ignore malformed
1465 				 * features for ease of
1466 				 * implementation.
1467 				 */
1468 				continue;
1469 			}
1470 			value = NULL;
1471 		}
1472 
1473 		if (strcmp(feature, "swbreak") == 0)
1474 			swbreak_enabled = supported;
1475 
1476 #ifndef __FreeBSD__
1477 		/*
1478 		 * The compiler dislikes 'supported' being set but never used.
1479 		 * Make it happy here.
1480 		 */
1481 		if (supported) {
1482 			debug("feature '%s' supported\n", feature);
1483 		}
1484 #endif /* __FreeBSD__ */
1485 	}
1486 	free(str);
1487 
1488 	start_packet();
1489 
1490 	/* This is an arbitrary limit. */
1491 	append_string("PacketSize=4096");
1492 	append_string(";swbreak+");
1493 	finish_packet();
1494 }
1495 
1496 static void
gdb_query(const uint8_t * data,size_t len)1497 gdb_query(const uint8_t *data, size_t len)
1498 {
1499 
1500 	/*
1501 	 * TODO:
1502 	 * - qSearch
1503 	 */
1504 	if (command_equals(data, len, "qAttached")) {
1505 		start_packet();
1506 		append_char('1');
1507 		finish_packet();
1508 	} else if (command_equals(data, len, "qC")) {
1509 		start_packet();
1510 		append_string("QC");
1511 		append_integer(cur_vcpu + 1);
1512 		finish_packet();
1513 	} else if (command_equals(data, len, "qfThreadInfo")) {
1514 		cpuset_t mask;
1515 		bool first;
1516 		int vcpu;
1517 
1518 		if (CPU_EMPTY(&vcpus_active)) {
1519 			send_error(EINVAL);
1520 			return;
1521 		}
1522 		mask = vcpus_active;
1523 		start_packet();
1524 		append_char('m');
1525 		first = true;
1526 		while (!CPU_EMPTY(&mask)) {
1527 			vcpu = CPU_FFS(&mask) - 1;
1528 			CPU_CLR(vcpu, &mask);
1529 			if (first)
1530 				first = false;
1531 			else
1532 				append_char(',');
1533 			append_integer(vcpu + 1);
1534 		}
1535 		finish_packet();
1536 	} else if (command_equals(data, len, "qsThreadInfo")) {
1537 		start_packet();
1538 		append_char('l');
1539 		finish_packet();
1540 	} else if (command_equals(data, len, "qSupported")) {
1541 		data += strlen("qSupported");
1542 		len -= strlen("qSupported");
1543 		check_features(data, len);
1544 	} else if (command_equals(data, len, "qThreadExtraInfo")) {
1545 		char buf[16];
1546 		int tid;
1547 
1548 		data += strlen("qThreadExtraInfo");
1549 		len -= strlen("qThreadExtraInfo");
1550 		if (len == 0 || *data != ',') {
1551 			send_error(EINVAL);
1552 			return;
1553 		}
1554 		tid = parse_threadid(data + 1, len - 1);
1555 		if (tid <= 0 || !CPU_ISSET(tid - 1, &vcpus_active)) {
1556 			send_error(EINVAL);
1557 			return;
1558 		}
1559 
1560 		snprintf(buf, sizeof(buf), "vCPU %d", tid - 1);
1561 		start_packet();
1562 		append_asciihex(buf);
1563 		finish_packet();
1564 	} else
1565 		send_empty_response();
1566 }
1567 
1568 static void
handle_command(const uint8_t * data,size_t len)1569 handle_command(const uint8_t *data, size_t len)
1570 {
1571 
1572 	/* Reject packets with a sequence-id. */
1573 	if (len >= 3 && data[0] >= '0' && data[0] <= '9' &&
1574 	    data[0] >= '0' && data[0] <= '9' && data[2] == ':') {
1575 		send_empty_response();
1576 		return;
1577 	}
1578 
1579 	switch (*data) {
1580 	case 'c':
1581 		if (len != 1) {
1582 			send_error(EINVAL);
1583 			break;
1584 		}
1585 
1586 		discard_stop();
1587 		gdb_resume_vcpus();
1588 		break;
1589 	case 'D':
1590 		send_ok();
1591 
1592 		/* TODO: Resume any stopped CPUs. */
1593 		break;
1594 	case 'g':
1595 		gdb_read_regs();
1596 		break;
1597 	case 'p':
1598 		gdb_read_one_reg(data + 1, len - 1);
1599 		break;
1600 	case 'H': {
1601 		int tid;
1602 
1603 		if (len < 2 || (data[1] != 'g' && data[1] != 'c')) {
1604 			send_error(EINVAL);
1605 			break;
1606 		}
1607 		tid = parse_threadid(data + 2, len - 2);
1608 		if (tid == -2) {
1609 			send_error(EINVAL);
1610 			break;
1611 		}
1612 
1613 		if (CPU_EMPTY(&vcpus_active)) {
1614 			send_error(EINVAL);
1615 			break;
1616 		}
1617 		if (tid == -1 || tid == 0)
1618 			cur_vcpu = CPU_FFS(&vcpus_active) - 1;
1619 		else if (CPU_ISSET(tid - 1, &vcpus_active))
1620 			cur_vcpu = tid - 1;
1621 		else {
1622 			send_error(EINVAL);
1623 			break;
1624 		}
1625 		send_ok();
1626 		break;
1627 	}
1628 	case 'm':
1629 		gdb_read_mem(data, len);
1630 		break;
1631 	case 'M':
1632 		gdb_write_mem(data, len);
1633 		break;
1634 	case 'T': {
1635 		int tid;
1636 
1637 		tid = parse_threadid(data + 1, len - 1);
1638 		if (tid <= 0 || !CPU_ISSET(tid - 1, &vcpus_active)) {
1639 			send_error(EINVAL);
1640 			return;
1641 		}
1642 		send_ok();
1643 		break;
1644 	}
1645 	case 'q':
1646 		gdb_query(data, len);
1647 		break;
1648 	case 's':
1649 		if (len != 1) {
1650 			send_error(EINVAL);
1651 			break;
1652 		}
1653 
1654 		/* Don't send a reply until a stop occurs. */
1655 		if (!gdb_step_vcpu(vcpus[cur_vcpu])) {
1656 			send_error(EOPNOTSUPP);
1657 			break;
1658 		}
1659 		break;
1660 	case 'z':
1661 	case 'Z':
1662 		parse_breakpoint(data, len);
1663 		break;
1664 	case '?':
1665 		report_stop(false);
1666 		break;
1667 	case 'G': /* TODO */
1668 	case 'v':
1669 		/* Handle 'vCont' */
1670 		/* 'vCtrlC' */
1671 	case 'P': /* TODO */
1672 	case 'Q': /* TODO */
1673 	case 't': /* TODO */
1674 	case 'X': /* TODO */
1675 	default:
1676 		send_empty_response();
1677 	}
1678 }
1679 
1680 /* Check for a valid packet in the command buffer. */
1681 static void
check_command(int fd)1682 check_command(int fd)
1683 {
1684 	uint8_t *head, *hash, *p, sum;
1685 	size_t avail, plen;
1686 
1687 	for (;;) {
1688 		avail = cur_comm.len;
1689 		if (avail == 0)
1690 			return;
1691 		head = io_buffer_head(&cur_comm);
1692 		switch (*head) {
1693 		case 0x03:
1694 			debug("<- Ctrl-C\n");
1695 			io_buffer_consume(&cur_comm, 1);
1696 
1697 			gdb_suspend_vcpus();
1698 			break;
1699 		case '+':
1700 			/* ACK of previous response. */
1701 			debug("<- +\n");
1702 			if (response_pending())
1703 				io_buffer_reset(&cur_resp);
1704 			io_buffer_consume(&cur_comm, 1);
1705 			if (stopped_vcpu != -1 && report_next_stop) {
1706 				report_stop(true);
1707 				send_pending_data(fd);
1708 			}
1709 			break;
1710 		case '-':
1711 			/* NACK of previous response. */
1712 			debug("<- -\n");
1713 			if (response_pending()) {
1714 				cur_resp.len += cur_resp.start;
1715 				cur_resp.start = 0;
1716 				if (cur_resp.data[0] == '+')
1717 					io_buffer_advance(&cur_resp, 1);
1718 				debug("-> %.*s\n", (int)cur_resp.len,
1719 				    io_buffer_head(&cur_resp));
1720 			}
1721 			io_buffer_consume(&cur_comm, 1);
1722 			send_pending_data(fd);
1723 			break;
1724 		case '$':
1725 			/* Packet. */
1726 
1727 			if (response_pending()) {
1728 				warnx("New GDB command while response in "
1729 				    "progress");
1730 				io_buffer_reset(&cur_resp);
1731 			}
1732 
1733 			/* Is packet complete? */
1734 			hash = memchr(head, '#', avail);
1735 			if (hash == NULL)
1736 				return;
1737 			plen = (hash - head + 1) + 2;
1738 			if (avail < plen)
1739 				return;
1740 			debug("<- %.*s\n", (int)plen, head);
1741 
1742 			/* Verify checksum. */
1743 			for (sum = 0, p = head + 1; p < hash; p++)
1744 				sum += *p;
1745 			if (sum != parse_byte(hash + 1)) {
1746 				io_buffer_consume(&cur_comm, plen);
1747 				debug("-> -\n");
1748 				send_char('-');
1749 				send_pending_data(fd);
1750 				break;
1751 			}
1752 			send_char('+');
1753 
1754 			handle_command(head + 1, hash - (head + 1));
1755 			io_buffer_consume(&cur_comm, plen);
1756 			if (!response_pending()) {
1757 				debug("-> +\n");
1758 			}
1759 			send_pending_data(fd);
1760 			break;
1761 		default:
1762 			/* XXX: Possibly drop connection instead. */
1763 			debug("-> %02x\n", *head);
1764 			io_buffer_consume(&cur_comm, 1);
1765 			break;
1766 		}
1767 	}
1768 }
1769 
1770 static void
gdb_readable(int fd,enum ev_type event __unused,void * arg __unused)1771 gdb_readable(int fd, enum ev_type event __unused, void *arg __unused)
1772 {
1773 	size_t pending;
1774 	ssize_t nread;
1775 	int n;
1776 
1777 	if (ioctl(fd, FIONREAD, &n) == -1) {
1778 		warn("FIONREAD on GDB socket");
1779 		return;
1780 	}
1781 	assert(n >= 0);
1782 	pending = n;
1783 
1784 	/*
1785 	 * 'pending' might be zero due to EOF.  We need to call read
1786 	 * with a non-zero length to detect EOF.
1787 	 */
1788 	if (pending == 0)
1789 		pending = 1;
1790 
1791 	/* Ensure there is room in the command buffer. */
1792 	io_buffer_grow(&cur_comm, pending);
1793 	assert(io_buffer_avail(&cur_comm) >= pending);
1794 
1795 	nread = read(fd, io_buffer_tail(&cur_comm), io_buffer_avail(&cur_comm));
1796 	if (nread == 0) {
1797 		close_connection();
1798 	} else if (nread == -1) {
1799 		if (errno == EAGAIN)
1800 			return;
1801 
1802 		warn("Read from GDB socket");
1803 		close_connection();
1804 	} else {
1805 		cur_comm.len += nread;
1806 		pthread_mutex_lock(&gdb_lock);
1807 		check_command(fd);
1808 		pthread_mutex_unlock(&gdb_lock);
1809 	}
1810 }
1811 
1812 static void
gdb_writable(int fd,enum ev_type event __unused,void * arg __unused)1813 gdb_writable(int fd, enum ev_type event __unused, void *arg __unused)
1814 {
1815 
1816 	send_pending_data(fd);
1817 }
1818 
1819 static void
new_connection(int fd,enum ev_type event __unused,void * arg)1820 new_connection(int fd, enum ev_type event __unused, void *arg)
1821 {
1822 	int optval, s;
1823 
1824 	s = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
1825 	if (s == -1) {
1826 		if (arg != NULL)
1827 			err(1, "Failed accepting initial GDB connection");
1828 
1829 		/* Silently ignore errors post-startup. */
1830 		return;
1831 	}
1832 
1833 	optval = 1;
1834 	if (setsockopt(s, SOL_SOCKET, SO_NOSIGPIPE, &optval, sizeof(optval)) ==
1835 	    -1) {
1836 		warn("Failed to disable SIGPIPE for GDB connection");
1837 		close(s);
1838 		return;
1839 	}
1840 
1841 	pthread_mutex_lock(&gdb_lock);
1842 	if (cur_fd != -1) {
1843 		close(s);
1844 		warnx("Ignoring additional GDB connection.");
1845 	}
1846 
1847 	read_event = mevent_add(s, EVF_READ, gdb_readable, NULL);
1848 	if (read_event == NULL) {
1849 		if (arg != NULL)
1850 			err(1, "Failed to setup initial GDB connection");
1851 		pthread_mutex_unlock(&gdb_lock);
1852 		return;
1853 	}
1854 	write_event = mevent_add(s, EVF_WRITE, gdb_writable, NULL);
1855 	if (write_event == NULL) {
1856 		if (arg != NULL)
1857 			err(1, "Failed to setup initial GDB connection");
1858 		mevent_delete_close(read_event);
1859 		read_event = NULL;
1860 	}
1861 
1862 	cur_fd = s;
1863 	cur_vcpu = 0;
1864 	stopped_vcpu = -1;
1865 
1866 	/* Break on attach. */
1867 	first_stop = true;
1868 	report_next_stop = false;
1869 	gdb_suspend_vcpus();
1870 	pthread_mutex_unlock(&gdb_lock);
1871 }
1872 
1873 #ifndef WITHOUT_CAPSICUM
1874 static void
limit_gdb_socket(int s)1875 limit_gdb_socket(int s)
1876 {
1877 	cap_rights_t rights;
1878 	unsigned long ioctls[] = { FIONREAD };
1879 
1880 	cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE,
1881 	    CAP_SETSOCKOPT, CAP_IOCTL);
1882 	if (caph_rights_limit(s, &rights) == -1)
1883 		errx(EX_OSERR, "Unable to apply rights for sandbox");
1884 	if (caph_ioctls_limit(s, ioctls, nitems(ioctls)) == -1)
1885 		errx(EX_OSERR, "Unable to apply rights for sandbox");
1886 }
1887 #endif
1888 
1889 
1890 #ifndef __FreeBSD__
1891 /*
1892  * Equivalent to init_gdb() below, but without configuring the listening socket.
1893  * This will allow the bhyve process to tolerate mdb attaching/detaching from
1894  * the instance while it is running.
1895  */
1896 void
init_mdb(struct vmctx * _ctx)1897 init_mdb(struct vmctx *_ctx)
1898 {
1899 	int error;
1900 	bool wait;
1901 
1902 	wait = get_config_bool_default("gdb.wait", false);
1903 
1904 	error = pthread_mutex_init(&gdb_lock, NULL);
1905 	if (error != 0)
1906 		errc(1, error, "gdb mutex init");
1907 	error = pthread_cond_init(&idle_vcpus, NULL);
1908 	if (error != 0)
1909 		errc(1, error, "gdb cv init");
1910 
1911 	ctx = _ctx;
1912 	stopped_vcpu = -1;
1913 	TAILQ_INIT(&breakpoints);
1914 	vcpu_state = calloc(guest_ncpus, sizeof(*vcpu_state));
1915 	if (wait) {
1916 		/*
1917 		 * Set vcpu 0 in vcpus_suspended.  This will trigger the
1918 		 * logic in gdb_cpu_add() to suspend the first vcpu before
1919 		 * it starts execution.  The vcpu will remain suspended
1920 		 * until a debugger connects.
1921 		 */
1922 		CPU_SET(0, &vcpus_suspended);
1923 		stopped_vcpu = 0;
1924 	}
1925 }
1926 #endif
1927 
1928 void
init_gdb(struct vmctx * _ctx)1929 init_gdb(struct vmctx *_ctx)
1930 {
1931 	int error, flags, optval, s;
1932 	struct addrinfo hints;
1933 	struct addrinfo *gdbaddr;
1934 	const char *saddr, *value;
1935 	char *sport;
1936 	bool wait;
1937 
1938 	value = get_config_value("gdb.port");
1939 	if (value == NULL)
1940 		return;
1941 	sport = strdup(value);
1942 	if (sport == NULL)
1943 		errx(4, "Failed to allocate memory");
1944 
1945 	wait = get_config_bool_default("gdb.wait", false);
1946 
1947 	saddr = get_config_value("gdb.address");
1948 	if (saddr == NULL) {
1949 		saddr = "localhost";
1950 	}
1951 
1952 	debug("==> starting on %s:%s, %swaiting\n",
1953 	    saddr, sport, wait ? "" : "not ");
1954 
1955 	error = pthread_mutex_init(&gdb_lock, NULL);
1956 	if (error != 0)
1957 		errc(1, error, "gdb mutex init");
1958 	error = pthread_cond_init(&idle_vcpus, NULL);
1959 	if (error != 0)
1960 		errc(1, error, "gdb cv init");
1961 
1962 	memset(&hints, 0, sizeof(hints));
1963 	hints.ai_family = AF_UNSPEC;
1964 	hints.ai_socktype = SOCK_STREAM;
1965 	hints.ai_flags = AI_NUMERICSERV | AI_PASSIVE;
1966 
1967 	error = getaddrinfo(saddr, sport, &hints, &gdbaddr);
1968 	if (error != 0)
1969 		errx(1, "gdb address resolution: %s", gai_strerror(error));
1970 
1971 	ctx = _ctx;
1972 	s = socket(gdbaddr->ai_family, gdbaddr->ai_socktype, 0);
1973 	if (s < 0)
1974 		err(1, "gdb socket create");
1975 
1976 	optval = 1;
1977 	(void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
1978 
1979 	if (bind(s, gdbaddr->ai_addr, gdbaddr->ai_addrlen) < 0)
1980 		err(1, "gdb socket bind");
1981 
1982 	if (listen(s, 1) < 0)
1983 		err(1, "gdb socket listen");
1984 
1985 	stopped_vcpu = -1;
1986 	TAILQ_INIT(&breakpoints);
1987 	vcpus = calloc(guest_ncpus, sizeof(*vcpus));
1988 	vcpu_state = calloc(guest_ncpus, sizeof(*vcpu_state));
1989 	if (wait) {
1990 		/*
1991 		 * Set vcpu 0 in vcpus_suspended.  This will trigger the
1992 		 * logic in gdb_cpu_add() to suspend the first vcpu before
1993 		 * it starts execution.  The vcpu will remain suspended
1994 		 * until a debugger connects.
1995 		 */
1996 		CPU_SET(0, &vcpus_suspended);
1997 		stopped_vcpu = 0;
1998 	}
1999 
2000 	flags = fcntl(s, F_GETFL);
2001 	if (fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1)
2002 		err(1, "Failed to mark gdb socket non-blocking");
2003 
2004 #ifndef WITHOUT_CAPSICUM
2005 	limit_gdb_socket(s);
2006 #endif
2007 	mevent_add(s, EVF_READ, new_connection, NULL);
2008 	gdb_active = true;
2009 	freeaddrinfo(gdbaddr);
2010 	free(sport);
2011 }
2012