1 /*- 2 * SPDX-License-Identifier: BSD-4-Clause 3 * 4 * Copyright (c) 1994, Sean Eric Fagan 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Sean Eric Fagan. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/ktr.h> 37 #include <sys/limits.h> 38 #include <sys/lock.h> 39 #include <sys/mman.h> 40 #include <sys/mutex.h> 41 #include <sys/reg.h> 42 #include <sys/sleepqueue.h> 43 #include <sys/syscallsubr.h> 44 #include <sys/sysent.h> 45 #include <sys/sysproto.h> 46 #include <sys/priv.h> 47 #include <sys/proc.h> 48 #include <sys/vnode.h> 49 #include <sys/ptrace.h> 50 #include <sys/rwlock.h> 51 #include <sys/sx.h> 52 #include <sys/malloc.h> 53 #include <sys/signalvar.h> 54 #include <sys/caprights.h> 55 #include <sys/filedesc.h> 56 57 #include <security/audit/audit.h> 58 59 #include <vm/vm.h> 60 #include <vm/pmap.h> 61 #include <vm/vm_extern.h> 62 #include <vm/vm_map.h> 63 #include <vm/vm_kern.h> 64 #include <vm/vm_object.h> 65 #include <vm/vm_page.h> 66 #include <vm/vm_param.h> 67 68 #ifdef COMPAT_FREEBSD32 69 #include <sys/procfs.h> 70 #endif 71 72 /* Assert it's safe to unlock a process, e.g. to allocate working memory */ 73 #define PROC_ASSERT_TRACEREQ(p) MPASS(((p)->p_flag2 & P2_PTRACEREQ) != 0) 74 75 /* 76 * Functions implemented below: 77 * 78 * proc_read_regs(proc, regs) 79 * Get the current user-visible register set from the process 80 * and copy it into the regs structure (<machine/reg.h>). 81 * The process is stopped at the time read_regs is called. 82 * 83 * proc_write_regs(proc, regs) 84 * Update the current register set from the passed in regs 85 * structure. Take care to avoid clobbering special CPU 86 * registers or privileged bits in the PSL. 87 * Depending on the architecture this may have fix-up work to do, 88 * especially if the IAR or PCW are modified. 89 * The process is stopped at the time write_regs is called. 90 * 91 * proc_read_fpregs, proc_write_fpregs 92 * deal with the floating point register set, otherwise as above. 93 * 94 * proc_read_dbregs, proc_write_dbregs 95 * deal with the processor debug register set, otherwise as above. 96 * 97 * proc_sstep(proc) 98 * Arrange for the process to trap after executing a single instruction. 99 */ 100 101 int 102 proc_read_regs(struct thread *td, struct reg *regs) 103 { 104 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 105 return (fill_regs(td, regs)); 106 } 107 108 int 109 proc_write_regs(struct thread *td, struct reg *regs) 110 { 111 int error; 112 113 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 114 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 115 if (error != 0) 116 return (error); 117 return (set_regs(td, regs)); 118 } 119 120 int 121 proc_read_dbregs(struct thread *td, struct dbreg *dbregs) 122 { 123 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 124 return (fill_dbregs(td, dbregs)); 125 } 126 127 int 128 proc_write_dbregs(struct thread *td, struct dbreg *dbregs) 129 { 130 int error; 131 132 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 133 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 134 if (error != 0) 135 return (error); 136 return (set_dbregs(td, dbregs)); 137 } 138 139 /* 140 * Ptrace doesn't support fpregs at all, and there are no security holes 141 * or translations for fpregs, so we can just copy them. 142 */ 143 int 144 proc_read_fpregs(struct thread *td, struct fpreg *fpregs) 145 { 146 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 147 return (fill_fpregs(td, fpregs)); 148 } 149 150 int 151 proc_write_fpregs(struct thread *td, struct fpreg *fpregs) 152 { 153 int error; 154 155 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 156 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 157 if (error != 0) 158 return (error); 159 return (set_fpregs(td, fpregs)); 160 } 161 162 static struct regset * 163 proc_find_regset(struct thread *td, int note) 164 { 165 struct regset **regsetp, **regset_end, *regset; 166 struct sysentvec *sv; 167 168 sv = td->td_proc->p_sysent; 169 regsetp = sv->sv_regset_begin; 170 if (regsetp == NULL) 171 return (NULL); 172 regset_end = sv->sv_regset_end; 173 MPASS(regset_end != NULL); 174 for (; regsetp < regset_end; regsetp++) { 175 regset = *regsetp; 176 if (regset->note != note) 177 continue; 178 179 return (regset); 180 } 181 182 return (NULL); 183 } 184 185 static int 186 proc_read_regset(struct thread *td, int note, struct iovec *iov) 187 { 188 struct regset *regset; 189 struct proc *p; 190 void *buf; 191 size_t size; 192 int error; 193 194 regset = proc_find_regset(td, note); 195 if (regset == NULL) 196 return (EINVAL); 197 198 if (regset->get == NULL) 199 return (EINVAL); 200 201 size = regset->size; 202 /* 203 * The regset is dynamically sized, e.g. the size could change 204 * depending on the hardware, or may have a per-thread size. 205 */ 206 if (size == 0) { 207 if (!regset->get(regset, td, NULL, &size)) 208 return (EINVAL); 209 } 210 211 if (iov->iov_base == NULL) { 212 iov->iov_len = size; 213 if (iov->iov_len == 0) 214 return (EINVAL); 215 216 return (0); 217 } 218 219 /* The length is wrong, return an error */ 220 if (iov->iov_len != size) 221 return (EINVAL); 222 223 error = 0; 224 p = td->td_proc; 225 226 /* Drop the proc lock while allocating the temp buffer */ 227 PROC_ASSERT_TRACEREQ(p); 228 PROC_UNLOCK(p); 229 buf = malloc(size, M_TEMP, M_WAITOK); 230 PROC_LOCK(p); 231 232 if (!regset->get(regset, td, buf, &size)) { 233 error = EINVAL; 234 } else { 235 KASSERT(size == regset->size || regset->size == 0, 236 ("%s: Getter function changed the size", __func__)); 237 238 iov->iov_len = size; 239 PROC_UNLOCK(p); 240 error = copyout(buf, iov->iov_base, size); 241 PROC_LOCK(p); 242 } 243 244 free(buf, M_TEMP); 245 246 return (error); 247 } 248 249 static int 250 proc_write_regset(struct thread *td, int note, struct iovec *iov) 251 { 252 struct regset *regset; 253 struct proc *p; 254 void *buf; 255 size_t size; 256 int error; 257 258 regset = proc_find_regset(td, note); 259 if (regset == NULL) 260 return (EINVAL); 261 262 size = regset->size; 263 /* 264 * The regset is dynamically sized, e.g. the size could change 265 * depending on the hardware, or may have a per-thread size. 266 */ 267 if (size == 0) { 268 if (!regset->get(regset, td, NULL, &size)) 269 return (EINVAL); 270 } 271 272 /* The length is wrong, return an error */ 273 if (iov->iov_len != size) 274 return (EINVAL); 275 276 if (regset->set == NULL) 277 return (EINVAL); 278 279 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 280 if (error != 0) 281 return (error); 282 283 p = td->td_proc; 284 285 /* Drop the proc lock while allocating the temp buffer */ 286 PROC_ASSERT_TRACEREQ(p); 287 PROC_UNLOCK(p); 288 buf = malloc(size, M_TEMP, M_WAITOK); 289 error = copyin(iov->iov_base, buf, size); 290 PROC_LOCK(p); 291 292 if (error == 0) { 293 if (!regset->set(regset, td, buf, size)) { 294 error = EINVAL; 295 } 296 } 297 298 free(buf, M_TEMP); 299 300 return (error); 301 } 302 303 #ifdef COMPAT_FREEBSD32 304 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */ 305 int 306 proc_read_regs32(struct thread *td, struct reg32 *regs32) 307 { 308 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 309 return (fill_regs32(td, regs32)); 310 } 311 312 int 313 proc_write_regs32(struct thread *td, struct reg32 *regs32) 314 { 315 int error; 316 317 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 318 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 319 if (error != 0) 320 return (error); 321 return (set_regs32(td, regs32)); 322 } 323 324 int 325 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 326 { 327 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 328 return (fill_dbregs32(td, dbregs32)); 329 } 330 331 int 332 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 333 { 334 int error; 335 336 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 337 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 338 if (error != 0) 339 return (error); 340 return (set_dbregs32(td, dbregs32)); 341 } 342 343 int 344 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 345 { 346 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 347 return (fill_fpregs32(td, fpregs32)); 348 } 349 350 int 351 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 352 { 353 int error; 354 355 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 356 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 357 if (error != 0) 358 return (error); 359 return (set_fpregs32(td, fpregs32)); 360 } 361 #endif 362 363 int 364 proc_sstep(struct thread *td) 365 { 366 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 367 return (ptrace_single_step(td)); 368 } 369 370 int 371 proc_rwmem(struct proc *p, struct uio *uio) 372 { 373 vm_map_t map; 374 vm_offset_t pageno; /* page number */ 375 vm_prot_t reqprot; 376 int error, fault_flags, page_offset, writing; 377 378 /* 379 * Make sure that the process' vmspace remains live. 380 */ 381 if (p != curproc) 382 PROC_ASSERT_HELD(p); 383 PROC_LOCK_ASSERT(p, MA_NOTOWNED); 384 385 /* 386 * The map we want... 387 */ 388 map = &p->p_vmspace->vm_map; 389 390 /* 391 * If we are writing, then we request vm_fault() to create a private 392 * copy of each page. Since these copies will not be writeable by the 393 * process, we must explicitly request that they be dirtied. 394 */ 395 writing = uio->uio_rw == UIO_WRITE; 396 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ; 397 fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL; 398 399 if (writing) { 400 error = priv_check(curthread, PRIV_PROC_MEM_WRITE); 401 if (error != 0) 402 return (error); 403 } 404 405 /* 406 * Only map in one page at a time. We don't have to, but it 407 * makes things easier. This way is trivial - right? 408 */ 409 do { 410 vm_offset_t uva; 411 u_int len; 412 vm_page_t m; 413 414 uva = (vm_offset_t)uio->uio_offset; 415 416 /* 417 * Get the page number of this segment. 418 */ 419 pageno = trunc_page(uva); 420 page_offset = uva - pageno; 421 422 /* 423 * How many bytes to copy 424 */ 425 len = MIN(PAGE_SIZE - page_offset, uio->uio_resid); 426 427 /* 428 * Fault and hold the page on behalf of the process. 429 */ 430 error = vm_fault(map, pageno, reqprot, fault_flags, &m); 431 if (error != KERN_SUCCESS) { 432 if (error == KERN_RESOURCE_SHORTAGE) 433 error = ENOMEM; 434 else 435 error = EFAULT; 436 break; 437 } 438 439 /* 440 * Now do the i/o move. 441 */ 442 error = uiomove_fromphys(&m, page_offset, len, uio); 443 444 /* Make the I-cache coherent for breakpoints. */ 445 if (writing && error == 0) { 446 vm_map_lock_read(map); 447 if (vm_map_check_protection(map, pageno, pageno + 448 PAGE_SIZE, VM_PROT_EXECUTE)) 449 vm_sync_icache(map, uva, len); 450 vm_map_unlock_read(map); 451 } 452 453 /* 454 * Release the page. 455 */ 456 vm_page_unwire(m, PQ_ACTIVE); 457 458 } while (error == 0 && uio->uio_resid > 0); 459 460 return (error); 461 } 462 463 static ssize_t 464 proc_iop(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 465 size_t len, enum uio_rw rw) 466 { 467 struct iovec iov; 468 struct uio uio; 469 ssize_t slen; 470 471 MPASS(len < SSIZE_MAX); 472 slen = (ssize_t)len; 473 474 iov.iov_base = (caddr_t)buf; 475 iov.iov_len = len; 476 uio.uio_iov = &iov; 477 uio.uio_iovcnt = 1; 478 uio.uio_offset = va; 479 uio.uio_resid = slen; 480 uio.uio_segflg = UIO_SYSSPACE; 481 uio.uio_rw = rw; 482 uio.uio_td = td; 483 proc_rwmem(p, &uio); 484 if (uio.uio_resid == slen) 485 return (-1); 486 return (slen - uio.uio_resid); 487 } 488 489 ssize_t 490 proc_readmem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 491 size_t len) 492 { 493 494 return (proc_iop(td, p, va, buf, len, UIO_READ)); 495 } 496 497 ssize_t 498 proc_writemem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 499 size_t len) 500 { 501 502 return (proc_iop(td, p, va, buf, len, UIO_WRITE)); 503 } 504 505 static int 506 ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve) 507 { 508 struct vattr vattr; 509 vm_map_t map; 510 vm_map_entry_t entry; 511 vm_object_t obj, tobj, lobj; 512 struct vmspace *vm; 513 struct vnode *vp; 514 char *freepath, *fullpath; 515 u_int pathlen; 516 int error, index; 517 518 error = 0; 519 obj = NULL; 520 521 vm = vmspace_acquire_ref(p); 522 map = &vm->vm_map; 523 vm_map_lock_read(map); 524 525 do { 526 KASSERT((map->header.eflags & MAP_ENTRY_IS_SUB_MAP) == 0, 527 ("Submap in map header")); 528 index = 0; 529 VM_MAP_ENTRY_FOREACH(entry, map) { 530 if (index >= pve->pve_entry && 531 (entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0) 532 break; 533 index++; 534 } 535 if (index < pve->pve_entry) { 536 error = EINVAL; 537 break; 538 } 539 if (entry == &map->header) { 540 error = ENOENT; 541 break; 542 } 543 544 /* We got an entry. */ 545 pve->pve_entry = index + 1; 546 pve->pve_timestamp = map->timestamp; 547 pve->pve_start = entry->start; 548 pve->pve_end = entry->end - 1; 549 pve->pve_offset = entry->offset; 550 pve->pve_prot = entry->protection | 551 PROT_MAX(entry->max_protection); 552 553 /* Backing object's path needed? */ 554 if (pve->pve_pathlen == 0) 555 break; 556 557 pathlen = pve->pve_pathlen; 558 pve->pve_pathlen = 0; 559 560 obj = entry->object.vm_object; 561 if (obj != NULL) 562 VM_OBJECT_RLOCK(obj); 563 } while (0); 564 565 vm_map_unlock_read(map); 566 567 pve->pve_fsid = VNOVAL; 568 pve->pve_fileid = VNOVAL; 569 570 if (error == 0 && obj != NULL) { 571 lobj = obj; 572 for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { 573 if (tobj != obj) 574 VM_OBJECT_RLOCK(tobj); 575 if (lobj != obj) 576 VM_OBJECT_RUNLOCK(lobj); 577 lobj = tobj; 578 pve->pve_offset += tobj->backing_object_offset; 579 } 580 vp = vm_object_vnode(lobj); 581 if (vp != NULL) 582 vref(vp); 583 if (lobj != obj) 584 VM_OBJECT_RUNLOCK(lobj); 585 VM_OBJECT_RUNLOCK(obj); 586 587 if (vp != NULL) { 588 freepath = NULL; 589 fullpath = NULL; 590 vn_fullpath(vp, &fullpath, &freepath); 591 vn_lock(vp, LK_SHARED | LK_RETRY); 592 if (VOP_GETATTR(vp, &vattr, td->td_ucred) == 0) { 593 pve->pve_fileid = vattr.va_fileid; 594 pve->pve_fsid = vattr.va_fsid; 595 } 596 vput(vp); 597 598 if (fullpath != NULL) { 599 pve->pve_pathlen = strlen(fullpath) + 1; 600 if (pve->pve_pathlen <= pathlen) { 601 error = copyout(fullpath, pve->pve_path, 602 pve->pve_pathlen); 603 } else 604 error = ENAMETOOLONG; 605 } 606 if (freepath != NULL) 607 free(freepath, M_TEMP); 608 } 609 } 610 vmspace_free(vm); 611 if (error == 0) 612 CTR3(KTR_PTRACE, "PT_VM_ENTRY: pid %d, entry %d, start %p", 613 p->p_pid, pve->pve_entry, pve->pve_start); 614 615 return (error); 616 } 617 618 /* 619 * Process debugging system call. 620 */ 621 #ifndef _SYS_SYSPROTO_H_ 622 struct ptrace_args { 623 int req; 624 pid_t pid; 625 caddr_t addr; 626 int data; 627 }; 628 #endif 629 630 int 631 sys_ptrace(struct thread *td, struct ptrace_args *uap) 632 { 633 /* 634 * XXX this obfuscation is to reduce stack usage, but the register 635 * structs may be too large to put on the stack anyway. 636 */ 637 union { 638 struct ptrace_io_desc piod; 639 struct ptrace_lwpinfo pl; 640 struct ptrace_vm_entry pve; 641 struct ptrace_coredump pc; 642 struct ptrace_sc_remote sr; 643 struct dbreg dbreg; 644 struct fpreg fpreg; 645 struct reg reg; 646 struct iovec vec; 647 syscallarg_t args[nitems(td->td_sa.args)]; 648 struct ptrace_sc_ret psr; 649 int ptevents; 650 } r; 651 syscallarg_t pscr_args[nitems(td->td_sa.args)]; 652 void *addr; 653 int error; 654 655 if (!allow_ptrace) 656 return (ENOSYS); 657 error = 0; 658 659 AUDIT_ARG_PID(uap->pid); 660 AUDIT_ARG_CMD(uap->req); 661 AUDIT_ARG_VALUE(uap->data); 662 addr = &r; 663 switch (uap->req) { 664 case PT_GET_EVENT_MASK: 665 case PT_LWPINFO: 666 case PT_GET_SC_ARGS: 667 case PT_GET_SC_RET: 668 break; 669 case PT_GETREGS: 670 bzero(&r.reg, sizeof(r.reg)); 671 break; 672 case PT_GETFPREGS: 673 bzero(&r.fpreg, sizeof(r.fpreg)); 674 break; 675 case PT_GETDBREGS: 676 bzero(&r.dbreg, sizeof(r.dbreg)); 677 break; 678 case PT_GETREGSET: 679 case PT_SETREGSET: 680 error = copyin(uap->addr, &r.vec, sizeof(r.vec)); 681 break; 682 case PT_SETREGS: 683 error = copyin(uap->addr, &r.reg, sizeof(r.reg)); 684 break; 685 case PT_SETFPREGS: 686 error = copyin(uap->addr, &r.fpreg, sizeof(r.fpreg)); 687 break; 688 case PT_SETDBREGS: 689 error = copyin(uap->addr, &r.dbreg, sizeof(r.dbreg)); 690 break; 691 case PT_SET_EVENT_MASK: 692 if (uap->data != sizeof(r.ptevents)) 693 error = EINVAL; 694 else 695 error = copyin(uap->addr, &r.ptevents, uap->data); 696 break; 697 case PT_IO: 698 error = copyin(uap->addr, &r.piod, sizeof(r.piod)); 699 break; 700 case PT_VM_ENTRY: 701 error = copyin(uap->addr, &r.pve, sizeof(r.pve)); 702 break; 703 case PT_COREDUMP: 704 if (uap->data != sizeof(r.pc)) 705 error = EINVAL; 706 else 707 error = copyin(uap->addr, &r.pc, uap->data); 708 break; 709 case PT_SC_REMOTE: 710 if (uap->data != sizeof(r.sr)) { 711 error = EINVAL; 712 break; 713 } 714 error = copyin(uap->addr, &r.sr, uap->data); 715 if (error != 0) 716 break; 717 if (r.sr.pscr_nargs > nitems(td->td_sa.args)) { 718 error = EINVAL; 719 break; 720 } 721 error = copyin(r.sr.pscr_args, pscr_args, 722 sizeof(u_long) * r.sr.pscr_nargs); 723 if (error != 0) 724 break; 725 r.sr.pscr_args = pscr_args; 726 break; 727 case PTINTERNAL_FIRST ... PTINTERNAL_LAST: 728 error = EINVAL; 729 break; 730 default: 731 addr = uap->addr; 732 break; 733 } 734 if (error != 0) 735 return (error); 736 737 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data); 738 if (error != 0) 739 return (error); 740 741 switch (uap->req) { 742 case PT_VM_ENTRY: 743 error = copyout(&r.pve, uap->addr, sizeof(r.pve)); 744 break; 745 case PT_IO: 746 error = copyout(&r.piod, uap->addr, sizeof(r.piod)); 747 break; 748 case PT_GETREGS: 749 error = copyout(&r.reg, uap->addr, sizeof(r.reg)); 750 break; 751 case PT_GETFPREGS: 752 error = copyout(&r.fpreg, uap->addr, sizeof(r.fpreg)); 753 break; 754 case PT_GETDBREGS: 755 error = copyout(&r.dbreg, uap->addr, sizeof(r.dbreg)); 756 break; 757 case PT_GETREGSET: 758 error = copyout(&r.vec, uap->addr, sizeof(r.vec)); 759 break; 760 case PT_GET_EVENT_MASK: 761 /* NB: The size in uap->data is validated in kern_ptrace(). */ 762 error = copyout(&r.ptevents, uap->addr, uap->data); 763 break; 764 case PT_LWPINFO: 765 /* NB: The size in uap->data is validated in kern_ptrace(). */ 766 error = copyout(&r.pl, uap->addr, uap->data); 767 break; 768 case PT_GET_SC_ARGS: 769 error = copyout(r.args, uap->addr, MIN(uap->data, 770 sizeof(r.args))); 771 break; 772 case PT_GET_SC_RET: 773 error = copyout(&r.psr, uap->addr, MIN(uap->data, 774 sizeof(r.psr))); 775 break; 776 case PT_SC_REMOTE: 777 error = copyout(&r.sr.pscr_ret, uap->addr + 778 offsetof(struct ptrace_sc_remote, pscr_ret), 779 sizeof(r.sr.pscr_ret)); 780 break; 781 } 782 783 return (error); 784 } 785 786 #ifdef COMPAT_FREEBSD32 787 /* 788 * PROC_READ(regs, td2, addr); 789 * becomes either: 790 * proc_read_regs(td2, addr); 791 * or 792 * proc_read_regs32(td2, addr); 793 * .. except this is done at runtime. There is an additional 794 * complication in that PROC_WRITE disallows 32 bit consumers 795 * from writing to 64 bit address space targets. 796 */ 797 #define PROC_READ(w, t, a) wrap32 ? \ 798 proc_read_ ## w ## 32(t, a) : \ 799 proc_read_ ## w (t, a) 800 #define PROC_WRITE(w, t, a) wrap32 ? \ 801 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \ 802 proc_write_ ## w (t, a) 803 #else 804 #define PROC_READ(w, t, a) proc_read_ ## w (t, a) 805 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a) 806 #endif 807 808 void 809 proc_set_traced(struct proc *p, bool stop) 810 { 811 812 sx_assert(&proctree_lock, SX_XLOCKED); 813 PROC_LOCK_ASSERT(p, MA_OWNED); 814 p->p_flag |= P_TRACED; 815 if (stop) 816 p->p_flag2 |= P2_PTRACE_FSTP; 817 p->p_ptevents = PTRACE_DEFAULT; 818 } 819 820 void 821 ptrace_unsuspend(struct proc *p) 822 { 823 PROC_LOCK_ASSERT(p, MA_OWNED); 824 825 PROC_SLOCK(p); 826 p->p_flag &= ~(P_STOPPED_TRACE | P_STOPPED_SIG | P_WAITED); 827 thread_unsuspend(p); 828 PROC_SUNLOCK(p); 829 itimer_proc_continue(p); 830 kqtimer_proc_continue(p); 831 } 832 833 static int 834 proc_can_ptrace(struct thread *td, struct proc *p) 835 { 836 int error; 837 838 PROC_LOCK_ASSERT(p, MA_OWNED); 839 840 if ((p->p_flag & P_WEXIT) != 0) 841 return (ESRCH); 842 843 if ((error = p_cansee(td, p)) != 0) 844 return (error); 845 if ((error = p_candebug(td, p)) != 0) 846 return (error); 847 848 /* not being traced... */ 849 if ((p->p_flag & P_TRACED) == 0) 850 return (EPERM); 851 852 /* not being traced by YOU */ 853 if (p->p_pptr != td->td_proc) 854 return (EBUSY); 855 856 /* not currently stopped */ 857 if ((p->p_flag & P_STOPPED_TRACE) == 0 || 858 p->p_suspcount != p->p_numthreads || 859 (p->p_flag & P_WAITED) == 0) 860 return (EBUSY); 861 862 return (0); 863 } 864 865 static struct thread * 866 ptrace_sel_coredump_thread(struct proc *p) 867 { 868 struct thread *td2; 869 870 PROC_LOCK_ASSERT(p, MA_OWNED); 871 MPASS((p->p_flag & P_STOPPED_TRACE) != 0); 872 873 FOREACH_THREAD_IN_PROC(p, td2) { 874 if ((td2->td_dbgflags & TDB_SSWITCH) != 0) 875 return (td2); 876 } 877 return (NULL); 878 } 879 880 int 881 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) 882 { 883 struct iovec iov; 884 struct uio uio; 885 struct proc *curp, *p, *pp; 886 struct thread *td2 = NULL, *td3; 887 struct ptrace_io_desc *piod = NULL; 888 struct ptrace_lwpinfo *pl; 889 struct ptrace_sc_ret *psr; 890 struct ptrace_sc_remote *pscr; 891 struct file *fp; 892 struct ptrace_coredump *pc; 893 struct thr_coredump_req *tcq; 894 struct thr_syscall_req *tsr; 895 int error, num, tmp; 896 lwpid_t tid = 0, *buf; 897 #ifdef COMPAT_FREEBSD32 898 int wrap32 = 0, safe = 0; 899 #endif 900 bool proctree_locked, p2_req_set; 901 902 curp = td->td_proc; 903 proctree_locked = false; 904 p2_req_set = false; 905 906 /* Lock proctree before locking the process. */ 907 switch (req) { 908 case PT_TRACE_ME: 909 case PT_ATTACH: 910 case PT_STEP: 911 case PT_CONTINUE: 912 case PT_TO_SCE: 913 case PT_TO_SCX: 914 case PT_SYSCALL: 915 case PT_FOLLOW_FORK: 916 case PT_LWP_EVENTS: 917 case PT_GET_EVENT_MASK: 918 case PT_SET_EVENT_MASK: 919 case PT_DETACH: 920 case PT_GET_SC_ARGS: 921 sx_xlock(&proctree_lock); 922 proctree_locked = true; 923 break; 924 default: 925 break; 926 } 927 928 if (req == PT_TRACE_ME) { 929 p = td->td_proc; 930 PROC_LOCK(p); 931 } else { 932 if (pid <= PID_MAX) { 933 if ((p = pfind(pid)) == NULL) { 934 if (proctree_locked) 935 sx_xunlock(&proctree_lock); 936 return (ESRCH); 937 } 938 } else { 939 td2 = tdfind(pid, -1); 940 if (td2 == NULL) { 941 if (proctree_locked) 942 sx_xunlock(&proctree_lock); 943 return (ESRCH); 944 } 945 p = td2->td_proc; 946 tid = pid; 947 pid = p->p_pid; 948 } 949 } 950 AUDIT_ARG_PROCESS(p); 951 952 if ((p->p_flag & P_WEXIT) != 0) { 953 error = ESRCH; 954 goto fail; 955 } 956 if ((error = p_cansee(td, p)) != 0) 957 goto fail; 958 959 if ((error = p_candebug(td, p)) != 0) 960 goto fail; 961 962 /* 963 * System processes can't be debugged. 964 */ 965 if ((p->p_flag & P_SYSTEM) != 0) { 966 error = EINVAL; 967 goto fail; 968 } 969 970 if (tid == 0) { 971 if ((p->p_flag & P_STOPPED_TRACE) != 0) 972 td2 = p->p_xthread; 973 if (td2 == NULL) 974 td2 = FIRST_THREAD_IN_PROC(p); 975 tid = td2->td_tid; 976 } 977 978 #ifdef COMPAT_FREEBSD32 979 /* 980 * Test if we're a 32 bit client and what the target is. 981 * Set the wrap controls accordingly. 982 */ 983 if (SV_CURPROC_FLAG(SV_ILP32)) { 984 if (SV_PROC_FLAG(td2->td_proc, SV_ILP32)) 985 safe = 1; 986 wrap32 = 1; 987 } 988 #endif 989 /* 990 * Permissions check 991 */ 992 switch (req) { 993 case PT_TRACE_ME: 994 /* 995 * Always legal, when there is a parent process which 996 * could trace us. Otherwise, reject. 997 */ 998 if ((p->p_flag & P_TRACED) != 0) { 999 error = EBUSY; 1000 goto fail; 1001 } 1002 if (p->p_pptr == initproc) { 1003 error = EPERM; 1004 goto fail; 1005 } 1006 break; 1007 1008 case PT_ATTACH: 1009 /* Self */ 1010 if (p == td->td_proc) { 1011 error = EINVAL; 1012 goto fail; 1013 } 1014 1015 /* Already traced */ 1016 if (p->p_flag & P_TRACED) { 1017 error = EBUSY; 1018 goto fail; 1019 } 1020 1021 /* Can't trace an ancestor if you're being traced. */ 1022 if (curp->p_flag & P_TRACED) { 1023 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) { 1024 if (pp == p) { 1025 error = EINVAL; 1026 goto fail; 1027 } 1028 } 1029 } 1030 1031 /* OK */ 1032 break; 1033 1034 case PT_CLEARSTEP: 1035 /* Allow thread to clear single step for itself */ 1036 if (td->td_tid == tid) 1037 break; 1038 1039 /* FALLTHROUGH */ 1040 default: 1041 /* 1042 * Check for ptrace eligibility before waiting for 1043 * holds to drain. 1044 */ 1045 error = proc_can_ptrace(td, p); 1046 if (error != 0) 1047 goto fail; 1048 1049 /* 1050 * Block parallel ptrace requests. Most important, do 1051 * not allow other thread in debugger to continue the 1052 * debuggee until coredump finished. 1053 */ 1054 while ((p->p_flag2 & P2_PTRACEREQ) != 0) { 1055 if (proctree_locked) 1056 sx_xunlock(&proctree_lock); 1057 error = msleep(&p->p_flag2, &p->p_mtx, PPAUSE | PCATCH | 1058 (proctree_locked ? PDROP : 0), "pptrace", 0); 1059 if (proctree_locked) { 1060 sx_xlock(&proctree_lock); 1061 PROC_LOCK(p); 1062 } 1063 if (error == 0 && td2->td_proc != p) 1064 error = ESRCH; 1065 if (error == 0) 1066 error = proc_can_ptrace(td, p); 1067 if (error != 0) 1068 goto fail; 1069 } 1070 1071 /* Ok */ 1072 break; 1073 } 1074 1075 /* 1076 * Keep this process around and request parallel ptrace() 1077 * request to wait until we finish this request. 1078 */ 1079 MPASS((p->p_flag2 & P2_PTRACEREQ) == 0); 1080 p->p_flag2 |= P2_PTRACEREQ; 1081 p2_req_set = true; 1082 _PHOLD(p); 1083 1084 /* 1085 * Actually do the requests 1086 */ 1087 1088 td->td_retval[0] = 0; 1089 1090 switch (req) { 1091 case PT_TRACE_ME: 1092 /* set my trace flag and "owner" so it can read/write me */ 1093 proc_set_traced(p, false); 1094 if (p->p_flag & P_PPWAIT) 1095 p->p_flag |= P_PPTRACE; 1096 CTR1(KTR_PTRACE, "PT_TRACE_ME: pid %d", p->p_pid); 1097 break; 1098 1099 case PT_ATTACH: 1100 /* security check done above */ 1101 /* 1102 * It would be nice if the tracing relationship was separate 1103 * from the parent relationship but that would require 1104 * another set of links in the proc struct or for "wait" 1105 * to scan the entire proc table. To make life easier, 1106 * we just re-parent the process we're trying to trace. 1107 * The old parent is remembered so we can put things back 1108 * on a "detach". 1109 */ 1110 proc_set_traced(p, true); 1111 proc_reparent(p, td->td_proc, false); 1112 CTR2(KTR_PTRACE, "PT_ATTACH: pid %d, oppid %d", p->p_pid, 1113 p->p_oppid); 1114 1115 sx_xunlock(&proctree_lock); 1116 proctree_locked = false; 1117 MPASS(p->p_xthread == NULL); 1118 MPASS((p->p_flag & P_STOPPED_TRACE) == 0); 1119 1120 /* 1121 * If already stopped due to a stop signal, clear the 1122 * existing stop before triggering a traced SIGSTOP. 1123 */ 1124 if ((p->p_flag & P_STOPPED_SIG) != 0) { 1125 PROC_SLOCK(p); 1126 p->p_flag &= ~(P_STOPPED_SIG | P_WAITED); 1127 thread_unsuspend(p); 1128 PROC_SUNLOCK(p); 1129 } 1130 1131 kern_psignal(p, SIGSTOP); 1132 break; 1133 1134 case PT_CLEARSTEP: 1135 CTR2(KTR_PTRACE, "PT_CLEARSTEP: tid %d (pid %d)", td2->td_tid, 1136 p->p_pid); 1137 error = ptrace_clear_single_step(td2); 1138 break; 1139 1140 case PT_SETSTEP: 1141 CTR2(KTR_PTRACE, "PT_SETSTEP: tid %d (pid %d)", td2->td_tid, 1142 p->p_pid); 1143 error = ptrace_single_step(td2); 1144 break; 1145 1146 case PT_SUSPEND: 1147 CTR2(KTR_PTRACE, "PT_SUSPEND: tid %d (pid %d)", td2->td_tid, 1148 p->p_pid); 1149 td2->td_dbgflags |= TDB_SUSPEND; 1150 ast_sched(td2, TDA_SUSPEND); 1151 break; 1152 1153 case PT_RESUME: 1154 CTR2(KTR_PTRACE, "PT_RESUME: tid %d (pid %d)", td2->td_tid, 1155 p->p_pid); 1156 td2->td_dbgflags &= ~TDB_SUSPEND; 1157 break; 1158 1159 case PT_FOLLOW_FORK: 1160 CTR3(KTR_PTRACE, "PT_FOLLOW_FORK: pid %d %s -> %s", p->p_pid, 1161 p->p_ptevents & PTRACE_FORK ? "enabled" : "disabled", 1162 data ? "enabled" : "disabled"); 1163 if (data) 1164 p->p_ptevents |= PTRACE_FORK; 1165 else 1166 p->p_ptevents &= ~PTRACE_FORK; 1167 break; 1168 1169 case PT_LWP_EVENTS: 1170 CTR3(KTR_PTRACE, "PT_LWP_EVENTS: pid %d %s -> %s", p->p_pid, 1171 p->p_ptevents & PTRACE_LWP ? "enabled" : "disabled", 1172 data ? "enabled" : "disabled"); 1173 if (data) 1174 p->p_ptevents |= PTRACE_LWP; 1175 else 1176 p->p_ptevents &= ~PTRACE_LWP; 1177 break; 1178 1179 case PT_GET_EVENT_MASK: 1180 if (data != sizeof(p->p_ptevents)) { 1181 error = EINVAL; 1182 break; 1183 } 1184 CTR2(KTR_PTRACE, "PT_GET_EVENT_MASK: pid %d mask %#x", p->p_pid, 1185 p->p_ptevents); 1186 *(int *)addr = p->p_ptevents; 1187 break; 1188 1189 case PT_SET_EVENT_MASK: 1190 if (data != sizeof(p->p_ptevents)) { 1191 error = EINVAL; 1192 break; 1193 } 1194 tmp = *(int *)addr; 1195 if ((tmp & ~(PTRACE_EXEC | PTRACE_SCE | PTRACE_SCX | 1196 PTRACE_FORK | PTRACE_LWP | PTRACE_VFORK)) != 0) { 1197 error = EINVAL; 1198 break; 1199 } 1200 CTR3(KTR_PTRACE, "PT_SET_EVENT_MASK: pid %d mask %#x -> %#x", 1201 p->p_pid, p->p_ptevents, tmp); 1202 p->p_ptevents = tmp; 1203 break; 1204 1205 case PT_GET_SC_ARGS: 1206 case PTLINUX_GET_SC_ARGS: 1207 CTR2(KTR_PTRACE, "%s: pid %d", req == PT_GET_SC_ARGS ? 1208 "PT_GET_SC_ARGS" : "PT_LINUX_GET_SC_ARGS", p->p_pid); 1209 if (((td2->td_dbgflags & (TDB_SCE | TDB_SCX)) == 0 && 1210 td2->td_sa.code == 0) 1211 #ifdef COMPAT_FREEBSD32 1212 || (wrap32 && !safe) 1213 #endif 1214 ) { 1215 error = EINVAL; 1216 break; 1217 } 1218 if (req == PT_GET_SC_ARGS) { 1219 bzero(addr, sizeof(td2->td_sa.args)); 1220 bcopy(td2->td_sa.args, addr, td2->td_sa.callp->sy_narg * 1221 sizeof(syscallarg_t)); 1222 } else { 1223 /* 1224 * Emulate a Linux bug which which strace(1) depends on: 1225 * at initialization it tests whether ptrace works by 1226 * calling close(2), or some other single-argument 1227 * syscall, _with six arguments_, and then verifies 1228 * whether it can fetch them all using this API; 1229 * otherwise it bails out. 1230 */ 1231 bcopy(td2->td_sa.args, addr, 6 * sizeof(syscallarg_t)); 1232 } 1233 break; 1234 1235 case PT_GET_SC_RET: 1236 if ((td2->td_dbgflags & (TDB_SCX)) == 0 1237 #ifdef COMPAT_FREEBSD32 1238 || (wrap32 && !safe) 1239 #endif 1240 ) { 1241 error = EINVAL; 1242 break; 1243 } 1244 psr = addr; 1245 bzero(psr, sizeof(*psr)); 1246 psr->sr_error = td2->td_errno; 1247 if (psr->sr_error == 0) { 1248 psr->sr_retval[0] = td2->td_retval[0]; 1249 psr->sr_retval[1] = td2->td_retval[1]; 1250 } 1251 CTR4(KTR_PTRACE, 1252 "PT_GET_SC_RET: pid %d error %d retval %#lx,%#lx", 1253 p->p_pid, psr->sr_error, psr->sr_retval[0], 1254 psr->sr_retval[1]); 1255 break; 1256 1257 case PT_STEP: 1258 case PT_CONTINUE: 1259 case PT_TO_SCE: 1260 case PT_TO_SCX: 1261 case PT_SYSCALL: 1262 case PT_DETACH: 1263 /* Zero means do not send any signal */ 1264 if (data < 0 || data > _SIG_MAXSIG) { 1265 error = EINVAL; 1266 break; 1267 } 1268 1269 switch (req) { 1270 case PT_STEP: 1271 CTR3(KTR_PTRACE, "PT_STEP: tid %d (pid %d), sig = %d", 1272 td2->td_tid, p->p_pid, data); 1273 error = ptrace_single_step(td2); 1274 if (error != 0) 1275 goto out; 1276 break; 1277 case PT_CONTINUE: 1278 case PT_TO_SCE: 1279 case PT_TO_SCX: 1280 case PT_SYSCALL: 1281 if (addr != (void *)1) { 1282 error = ptrace_set_pc(td2, 1283 (u_long)(uintfptr_t)addr); 1284 if (error != 0) 1285 goto out; 1286 td2->td_dbgflags |= TDB_USERWR; 1287 } 1288 switch (req) { 1289 case PT_TO_SCE: 1290 p->p_ptevents |= PTRACE_SCE; 1291 CTR4(KTR_PTRACE, 1292 "PT_TO_SCE: pid %d, events = %#x, PC = %#lx, sig = %d", 1293 p->p_pid, p->p_ptevents, 1294 (u_long)(uintfptr_t)addr, data); 1295 break; 1296 case PT_TO_SCX: 1297 p->p_ptevents |= PTRACE_SCX; 1298 CTR4(KTR_PTRACE, 1299 "PT_TO_SCX: pid %d, events = %#x, PC = %#lx, sig = %d", 1300 p->p_pid, p->p_ptevents, 1301 (u_long)(uintfptr_t)addr, data); 1302 break; 1303 case PT_SYSCALL: 1304 p->p_ptevents |= PTRACE_SYSCALL; 1305 CTR4(KTR_PTRACE, 1306 "PT_SYSCALL: pid %d, events = %#x, PC = %#lx, sig = %d", 1307 p->p_pid, p->p_ptevents, 1308 (u_long)(uintfptr_t)addr, data); 1309 break; 1310 case PT_CONTINUE: 1311 CTR3(KTR_PTRACE, 1312 "PT_CONTINUE: pid %d, PC = %#lx, sig = %d", 1313 p->p_pid, (u_long)(uintfptr_t)addr, data); 1314 break; 1315 } 1316 break; 1317 case PT_DETACH: 1318 /* 1319 * Clear P_TRACED before reparenting 1320 * a detached process back to its original 1321 * parent. Otherwise the debugee will be set 1322 * as an orphan of the debugger. 1323 */ 1324 p->p_flag &= ~(P_TRACED | P_WAITED); 1325 1326 /* 1327 * Reset the process parent. 1328 */ 1329 if (p->p_oppid != p->p_pptr->p_pid) { 1330 PROC_LOCK(p->p_pptr); 1331 sigqueue_take(p->p_ksi); 1332 PROC_UNLOCK(p->p_pptr); 1333 1334 pp = proc_realparent(p); 1335 proc_reparent(p, pp, false); 1336 if (pp == initproc) 1337 p->p_sigparent = SIGCHLD; 1338 CTR3(KTR_PTRACE, 1339 "PT_DETACH: pid %d reparented to pid %d, sig %d", 1340 p->p_pid, pp->p_pid, data); 1341 } else { 1342 CTR2(KTR_PTRACE, "PT_DETACH: pid %d, sig %d", 1343 p->p_pid, data); 1344 } 1345 1346 p->p_ptevents = 0; 1347 FOREACH_THREAD_IN_PROC(p, td3) { 1348 if ((td3->td_dbgflags & TDB_FSTP) != 0) { 1349 sigqueue_delete(&td3->td_sigqueue, 1350 SIGSTOP); 1351 } 1352 td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP | 1353 TDB_SUSPEND | TDB_BORN); 1354 } 1355 1356 if ((p->p_flag2 & P2_PTRACE_FSTP) != 0) { 1357 sigqueue_delete(&p->p_sigqueue, SIGSTOP); 1358 p->p_flag2 &= ~P2_PTRACE_FSTP; 1359 } 1360 1361 /* 1362 * Send SIGCHLD and wakeup the parent as needed. It 1363 * may be the case that they had stopped the child 1364 * before it got ptraced, and now they're in the middle 1365 * of a wait(2) for it to continue. 1366 */ 1367 PROC_LOCK(p->p_pptr); 1368 childproc_continued(p); 1369 PROC_UNLOCK(p->p_pptr); 1370 break; 1371 } 1372 1373 sx_xunlock(&proctree_lock); 1374 proctree_locked = false; 1375 1376 sendsig: 1377 MPASS(!proctree_locked); 1378 1379 /* 1380 * Clear the pending event for the thread that just 1381 * reported its event (p_xthread), if any. This may 1382 * not be the thread passed to PT_CONTINUE, PT_STEP, 1383 * etc. if the debugger is resuming a different 1384 * thread. There might be no reporting thread if 1385 * the process was just attached. 1386 * 1387 * Deliver any pending signal via the reporting thread. 1388 */ 1389 if (p->p_xthread != NULL) { 1390 p->p_xthread->td_dbgflags &= ~TDB_XSIG; 1391 p->p_xthread->td_xsig = data; 1392 p->p_xthread = NULL; 1393 } 1394 p->p_xsig = data; 1395 1396 /* 1397 * P_WKILLED is insurance that a PT_KILL/SIGKILL 1398 * always works immediately, even if another thread is 1399 * unsuspended first and attempts to handle a 1400 * different signal or if the POSIX.1b style signal 1401 * queue cannot accommodate any new signals. 1402 */ 1403 if (data == SIGKILL) 1404 proc_wkilled(p); 1405 1406 /* 1407 * If the PT_CONTINUE-like operation is attempted on 1408 * the thread on sleepq, this is possible only after 1409 * the transparent PT_ATTACH. In this case, if the 1410 * caller modified the thread state, e.g. by writing 1411 * register file or specifying the pc, make the thread 1412 * xstopped by waking it up. 1413 */ 1414 if ((td2->td_dbgflags & TDB_USERWR) != 0) { 1415 if (pt_attach_transparent) { 1416 thread_lock(td2); 1417 if (TD_ON_SLEEPQ(td2) && 1418 (td2->td_flags & TDF_SINTR) != 0) { 1419 sleepq_abort(td2, EINTR); 1420 } else { 1421 thread_unlock(td2); 1422 } 1423 } 1424 td2->td_dbgflags &= ~TDB_USERWR; 1425 } 1426 1427 /* 1428 * Unsuspend all threads. To leave a thread 1429 * suspended, use PT_SUSPEND to suspend it before 1430 * continuing the process. 1431 */ 1432 ptrace_unsuspend(p); 1433 break; 1434 1435 case PT_WRITE_I: 1436 case PT_WRITE_D: 1437 td2->td_dbgflags |= TDB_USERWR; 1438 PROC_UNLOCK(p); 1439 error = 0; 1440 if (proc_writemem(td, p, (off_t)(uintptr_t)addr, &data, 1441 sizeof(int)) != sizeof(int)) 1442 error = ENOMEM; 1443 else 1444 CTR3(KTR_PTRACE, "PT_WRITE: pid %d: %p <= %#x", 1445 p->p_pid, addr, data); 1446 PROC_LOCK(p); 1447 break; 1448 1449 case PT_READ_I: 1450 case PT_READ_D: 1451 PROC_UNLOCK(p); 1452 error = tmp = 0; 1453 if (proc_readmem(td, p, (off_t)(uintptr_t)addr, &tmp, 1454 sizeof(int)) != sizeof(int)) 1455 error = ENOMEM; 1456 else 1457 CTR3(KTR_PTRACE, "PT_READ: pid %d: %p >= %#x", 1458 p->p_pid, addr, tmp); 1459 td->td_retval[0] = tmp; 1460 PROC_LOCK(p); 1461 break; 1462 1463 case PT_IO: 1464 piod = addr; 1465 if (piod->piod_len > SSIZE_MAX) { 1466 error = EINVAL; 1467 goto out; 1468 } 1469 iov.iov_base = piod->piod_addr; 1470 iov.iov_len = piod->piod_len; 1471 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs; 1472 uio.uio_resid = piod->piod_len; 1473 uio.uio_iov = &iov; 1474 uio.uio_iovcnt = 1; 1475 uio.uio_segflg = UIO_USERSPACE; 1476 uio.uio_td = td; 1477 switch (piod->piod_op) { 1478 case PIOD_READ_D: 1479 case PIOD_READ_I: 1480 CTR3(KTR_PTRACE, "PT_IO: pid %d: READ (%p, %#x)", 1481 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1482 uio.uio_rw = UIO_READ; 1483 break; 1484 case PIOD_WRITE_D: 1485 case PIOD_WRITE_I: 1486 CTR3(KTR_PTRACE, "PT_IO: pid %d: WRITE (%p, %#x)", 1487 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1488 td2->td_dbgflags |= TDB_USERWR; 1489 uio.uio_rw = UIO_WRITE; 1490 break; 1491 default: 1492 error = EINVAL; 1493 goto out; 1494 } 1495 PROC_UNLOCK(p); 1496 error = proc_rwmem(p, &uio); 1497 piod->piod_len -= uio.uio_resid; 1498 PROC_LOCK(p); 1499 break; 1500 1501 case PT_KILL: 1502 CTR1(KTR_PTRACE, "PT_KILL: pid %d", p->p_pid); 1503 data = SIGKILL; 1504 goto sendsig; /* in PT_CONTINUE above */ 1505 1506 case PT_SETREGS: 1507 CTR2(KTR_PTRACE, "PT_SETREGS: tid %d (pid %d)", td2->td_tid, 1508 p->p_pid); 1509 td2->td_dbgflags |= TDB_USERWR; 1510 error = PROC_WRITE(regs, td2, addr); 1511 break; 1512 1513 case PT_GETREGS: 1514 CTR2(KTR_PTRACE, "PT_GETREGS: tid %d (pid %d)", td2->td_tid, 1515 p->p_pid); 1516 error = PROC_READ(regs, td2, addr); 1517 break; 1518 1519 case PT_SETFPREGS: 1520 CTR2(KTR_PTRACE, "PT_SETFPREGS: tid %d (pid %d)", td2->td_tid, 1521 p->p_pid); 1522 td2->td_dbgflags |= TDB_USERWR; 1523 error = PROC_WRITE(fpregs, td2, addr); 1524 break; 1525 1526 case PT_GETFPREGS: 1527 CTR2(KTR_PTRACE, "PT_GETFPREGS: tid %d (pid %d)", td2->td_tid, 1528 p->p_pid); 1529 error = PROC_READ(fpregs, td2, addr); 1530 break; 1531 1532 case PT_SETDBREGS: 1533 CTR2(KTR_PTRACE, "PT_SETDBREGS: tid %d (pid %d)", td2->td_tid, 1534 p->p_pid); 1535 td2->td_dbgflags |= TDB_USERWR; 1536 error = PROC_WRITE(dbregs, td2, addr); 1537 break; 1538 1539 case PT_GETDBREGS: 1540 CTR2(KTR_PTRACE, "PT_GETDBREGS: tid %d (pid %d)", td2->td_tid, 1541 p->p_pid); 1542 error = PROC_READ(dbregs, td2, addr); 1543 break; 1544 1545 case PT_SETREGSET: 1546 CTR2(KTR_PTRACE, "PT_SETREGSET: tid %d (pid %d)", td2->td_tid, 1547 p->p_pid); 1548 error = proc_write_regset(td2, data, addr); 1549 break; 1550 1551 case PT_GETREGSET: 1552 CTR2(KTR_PTRACE, "PT_GETREGSET: tid %d (pid %d)", td2->td_tid, 1553 p->p_pid); 1554 error = proc_read_regset(td2, data, addr); 1555 break; 1556 1557 case PT_LWPINFO: 1558 if (data <= 0 || data > sizeof(*pl)) { 1559 error = EINVAL; 1560 break; 1561 } 1562 pl = addr; 1563 bzero(pl, sizeof(*pl)); 1564 pl->pl_lwpid = td2->td_tid; 1565 pl->pl_event = PL_EVENT_NONE; 1566 pl->pl_flags = 0; 1567 if (td2->td_dbgflags & TDB_XSIG) { 1568 pl->pl_event = PL_EVENT_SIGNAL; 1569 if (td2->td_si.si_signo != 0 && 1570 data >= offsetof(struct ptrace_lwpinfo, pl_siginfo) 1571 + sizeof(pl->pl_siginfo)){ 1572 pl->pl_flags |= PL_FLAG_SI; 1573 pl->pl_siginfo = td2->td_si; 1574 } 1575 } 1576 if (td2->td_dbgflags & TDB_SCE) 1577 pl->pl_flags |= PL_FLAG_SCE; 1578 else if (td2->td_dbgflags & TDB_SCX) 1579 pl->pl_flags |= PL_FLAG_SCX; 1580 if (td2->td_dbgflags & TDB_EXEC) 1581 pl->pl_flags |= PL_FLAG_EXEC; 1582 if (td2->td_dbgflags & TDB_FORK) { 1583 pl->pl_flags |= PL_FLAG_FORKED; 1584 pl->pl_child_pid = td2->td_dbg_forked; 1585 if (td2->td_dbgflags & TDB_VFORK) 1586 pl->pl_flags |= PL_FLAG_VFORKED; 1587 } else if ((td2->td_dbgflags & (TDB_SCX | TDB_VFORK)) == 1588 TDB_VFORK) 1589 pl->pl_flags |= PL_FLAG_VFORK_DONE; 1590 if (td2->td_dbgflags & TDB_CHILD) 1591 pl->pl_flags |= PL_FLAG_CHILD; 1592 if (td2->td_dbgflags & TDB_BORN) 1593 pl->pl_flags |= PL_FLAG_BORN; 1594 if (td2->td_dbgflags & TDB_EXIT) 1595 pl->pl_flags |= PL_FLAG_EXITED; 1596 pl->pl_sigmask = td2->td_sigmask; 1597 pl->pl_siglist = td2->td_siglist; 1598 strcpy(pl->pl_tdname, td2->td_name); 1599 if (td2->td_sa.code != 0) { 1600 pl->pl_syscall_code = td2->td_sa.code; 1601 pl->pl_syscall_narg = td2->td_sa.callp->sy_narg; 1602 } 1603 CTR6(KTR_PTRACE, 1604 "PT_LWPINFO: tid %d (pid %d) event %d flags %#x child pid %d syscall %d", 1605 td2->td_tid, p->p_pid, pl->pl_event, pl->pl_flags, 1606 pl->pl_child_pid, pl->pl_syscall_code); 1607 break; 1608 1609 case PT_GETNUMLWPS: 1610 CTR2(KTR_PTRACE, "PT_GETNUMLWPS: pid %d: %d threads", p->p_pid, 1611 p->p_numthreads); 1612 td->td_retval[0] = p->p_numthreads; 1613 break; 1614 1615 case PT_GETLWPLIST: 1616 CTR3(KTR_PTRACE, "PT_GETLWPLIST: pid %d: data %d, actual %d", 1617 p->p_pid, data, p->p_numthreads); 1618 if (data <= 0) { 1619 error = EINVAL; 1620 break; 1621 } 1622 num = imin(p->p_numthreads, data); 1623 PROC_UNLOCK(p); 1624 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK); 1625 tmp = 0; 1626 PROC_LOCK(p); 1627 FOREACH_THREAD_IN_PROC(p, td2) { 1628 if (tmp >= num) 1629 break; 1630 buf[tmp++] = td2->td_tid; 1631 } 1632 PROC_UNLOCK(p); 1633 error = copyout(buf, addr, tmp * sizeof(lwpid_t)); 1634 free(buf, M_TEMP); 1635 if (!error) 1636 td->td_retval[0] = tmp; 1637 PROC_LOCK(p); 1638 break; 1639 1640 case PT_VM_TIMESTAMP: 1641 CTR2(KTR_PTRACE, "PT_VM_TIMESTAMP: pid %d: timestamp %d", 1642 p->p_pid, p->p_vmspace->vm_map.timestamp); 1643 td->td_retval[0] = p->p_vmspace->vm_map.timestamp; 1644 break; 1645 1646 case PT_VM_ENTRY: 1647 PROC_UNLOCK(p); 1648 error = ptrace_vm_entry(td, p, addr); 1649 PROC_LOCK(p); 1650 break; 1651 1652 case PT_COREDUMP: 1653 pc = addr; 1654 CTR2(KTR_PTRACE, "PT_COREDUMP: pid %d, fd %d", 1655 p->p_pid, pc->pc_fd); 1656 1657 if ((pc->pc_flags & ~(PC_COMPRESS | PC_ALL)) != 0) { 1658 error = EINVAL; 1659 break; 1660 } 1661 PROC_UNLOCK(p); 1662 1663 tcq = malloc(sizeof(*tcq), M_TEMP, M_WAITOK | M_ZERO); 1664 fp = NULL; 1665 error = fget_write(td, pc->pc_fd, &cap_write_rights, &fp); 1666 if (error != 0) 1667 goto coredump_cleanup_nofp; 1668 if (fp->f_type != DTYPE_VNODE || fp->f_vnode->v_type != VREG) { 1669 error = EPIPE; 1670 goto coredump_cleanup; 1671 } 1672 1673 PROC_LOCK(p); 1674 error = proc_can_ptrace(td, p); 1675 if (error != 0) 1676 goto coredump_cleanup_locked; 1677 1678 td2 = ptrace_sel_coredump_thread(p); 1679 if (td2 == NULL) { 1680 error = EBUSY; 1681 goto coredump_cleanup_locked; 1682 } 1683 KASSERT((td2->td_dbgflags & (TDB_COREDUMPREQ | 1684 TDB_SCREMOTEREQ)) == 0, 1685 ("proc %d tid %d req coredump", p->p_pid, td2->td_tid)); 1686 1687 tcq->tc_vp = fp->f_vnode; 1688 tcq->tc_limit = pc->pc_limit == 0 ? OFF_MAX : pc->pc_limit; 1689 tcq->tc_flags = SVC_PT_COREDUMP; 1690 if ((pc->pc_flags & PC_COMPRESS) == 0) 1691 tcq->tc_flags |= SVC_NOCOMPRESS; 1692 if ((pc->pc_flags & PC_ALL) != 0) 1693 tcq->tc_flags |= SVC_ALL; 1694 td2->td_remotereq = tcq; 1695 td2->td_dbgflags |= TDB_COREDUMPREQ; 1696 thread_run_flash(td2); 1697 while ((td2->td_dbgflags & TDB_COREDUMPREQ) != 0) 1698 msleep(p, &p->p_mtx, PPAUSE, "crdmp", 0); 1699 error = tcq->tc_error; 1700 coredump_cleanup_locked: 1701 PROC_UNLOCK(p); 1702 coredump_cleanup: 1703 fdrop(fp, td); 1704 coredump_cleanup_nofp: 1705 free(tcq, M_TEMP); 1706 PROC_LOCK(p); 1707 break; 1708 1709 case PT_SC_REMOTE: 1710 pscr = addr; 1711 CTR2(KTR_PTRACE, "PT_SC_REMOTE: pid %d, syscall %d", 1712 p->p_pid, pscr->pscr_syscall); 1713 if ((td2->td_dbgflags & TDB_BOUNDARY) == 0) { 1714 error = EBUSY; 1715 break; 1716 } 1717 PROC_UNLOCK(p); 1718 MPASS(pscr->pscr_nargs <= nitems(td->td_sa.args)); 1719 1720 tsr = malloc(sizeof(struct thr_syscall_req), M_TEMP, 1721 M_WAITOK | M_ZERO); 1722 1723 tsr->ts_sa.code = pscr->pscr_syscall; 1724 tsr->ts_nargs = pscr->pscr_nargs; 1725 memcpy(&tsr->ts_sa.args, pscr->pscr_args, 1726 sizeof(syscallarg_t) * tsr->ts_nargs); 1727 1728 PROC_LOCK(p); 1729 error = proc_can_ptrace(td, p); 1730 if (error != 0) { 1731 free(tsr, M_TEMP); 1732 break; 1733 } 1734 if (td2->td_proc != p) { 1735 free(tsr, M_TEMP); 1736 error = ESRCH; 1737 break; 1738 } 1739 KASSERT((td2->td_dbgflags & (TDB_COREDUMPREQ | 1740 TDB_SCREMOTEREQ)) == 0, 1741 ("proc %d tid %d req coredump", p->p_pid, td2->td_tid)); 1742 1743 td2->td_remotereq = tsr; 1744 td2->td_dbgflags |= TDB_SCREMOTEREQ; 1745 thread_run_flash(td2); 1746 while ((td2->td_dbgflags & TDB_SCREMOTEREQ) != 0) 1747 msleep(p, &p->p_mtx, PPAUSE, "pscrx", 0); 1748 error = 0; 1749 memcpy(&pscr->pscr_ret, &tsr->ts_ret, sizeof(tsr->ts_ret)); 1750 free(tsr, M_TEMP); 1751 break; 1752 1753 default: 1754 #ifdef __HAVE_PTRACE_MACHDEP 1755 if (req >= PT_FIRSTMACH) { 1756 PROC_UNLOCK(p); 1757 error = cpu_ptrace(td2, req, addr, data); 1758 PROC_LOCK(p); 1759 } else 1760 #endif 1761 /* Unknown request. */ 1762 error = EINVAL; 1763 break; 1764 } 1765 out: 1766 /* Drop our hold on this process now that the request has completed. */ 1767 _PRELE(p); 1768 fail: 1769 if (p2_req_set) { 1770 if ((p->p_flag2 & P2_PTRACEREQ) != 0) 1771 wakeup(&p->p_flag2); 1772 p->p_flag2 &= ~P2_PTRACEREQ; 1773 } 1774 PROC_UNLOCK(p); 1775 if (proctree_locked) 1776 sx_xunlock(&proctree_lock); 1777 return (error); 1778 } 1779 #undef PROC_READ 1780 #undef PROC_WRITE 1781