1 /*- 2 * Copyright (c) 1994, Sean Eric Fagan 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Sean Eric Fagan. 16 * 4. The name of the author may not be used to endorse or promote products 17 * derived from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include "opt_compat.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/lock.h> 40 #include <sys/mutex.h> 41 #include <sys/syscallsubr.h> 42 #include <sys/sysent.h> 43 #include <sys/sysproto.h> 44 #include <sys/proc.h> 45 #include <sys/vnode.h> 46 #include <sys/ptrace.h> 47 #include <sys/sx.h> 48 #include <sys/malloc.h> 49 #include <sys/signalvar.h> 50 51 #include <machine/reg.h> 52 53 #include <security/audit/audit.h> 54 55 #include <vm/vm.h> 56 #include <vm/pmap.h> 57 #include <vm/vm_extern.h> 58 #include <vm/vm_map.h> 59 #include <vm/vm_kern.h> 60 #include <vm/vm_object.h> 61 #include <vm/vm_page.h> 62 #include <vm/vm_pager.h> 63 #include <vm/vm_param.h> 64 65 #ifdef COMPAT_FREEBSD32 66 #include <sys/procfs.h> 67 #include <compat/freebsd32/freebsd32_signal.h> 68 69 struct ptrace_io_desc32 { 70 int piod_op; 71 uint32_t piod_offs; 72 uint32_t piod_addr; 73 uint32_t piod_len; 74 }; 75 76 struct ptrace_vm_entry32 { 77 int pve_entry; 78 int pve_timestamp; 79 uint32_t pve_start; 80 uint32_t pve_end; 81 uint32_t pve_offset; 82 u_int pve_prot; 83 u_int pve_pathlen; 84 int32_t pve_fileid; 85 u_int pve_fsid; 86 uint32_t pve_path; 87 }; 88 89 struct ptrace_lwpinfo32 { 90 lwpid_t pl_lwpid; /* LWP described. */ 91 int pl_event; /* Event that stopped the LWP. */ 92 int pl_flags; /* LWP flags. */ 93 sigset_t pl_sigmask; /* LWP signal mask */ 94 sigset_t pl_siglist; /* LWP pending signal */ 95 struct siginfo32 pl_siginfo; /* siginfo for signal */ 96 char pl_tdname[MAXCOMLEN + 1]; /* LWP name. */ 97 }; 98 99 #endif 100 101 /* 102 * Functions implemented using PROC_ACTION(): 103 * 104 * proc_read_regs(proc, regs) 105 * Get the current user-visible register set from the process 106 * and copy it into the regs structure (<machine/reg.h>). 107 * The process is stopped at the time read_regs is called. 108 * 109 * proc_write_regs(proc, regs) 110 * Update the current register set from the passed in regs 111 * structure. Take care to avoid clobbering special CPU 112 * registers or privileged bits in the PSL. 113 * Depending on the architecture this may have fix-up work to do, 114 * especially if the IAR or PCW are modified. 115 * The process is stopped at the time write_regs is called. 116 * 117 * proc_read_fpregs, proc_write_fpregs 118 * deal with the floating point register set, otherwise as above. 119 * 120 * proc_read_dbregs, proc_write_dbregs 121 * deal with the processor debug register set, otherwise as above. 122 * 123 * proc_sstep(proc) 124 * Arrange for the process to trap after executing a single instruction. 125 */ 126 127 #define PROC_ACTION(action) do { \ 128 int error; \ 129 \ 130 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \ 131 if ((td->td_proc->p_flag & P_INMEM) == 0) \ 132 error = EIO; \ 133 else \ 134 error = (action); \ 135 return (error); \ 136 } while(0) 137 138 int 139 proc_read_regs(struct thread *td, struct reg *regs) 140 { 141 142 PROC_ACTION(fill_regs(td, regs)); 143 } 144 145 int 146 proc_write_regs(struct thread *td, struct reg *regs) 147 { 148 149 PROC_ACTION(set_regs(td, regs)); 150 } 151 152 int 153 proc_read_dbregs(struct thread *td, struct dbreg *dbregs) 154 { 155 156 PROC_ACTION(fill_dbregs(td, dbregs)); 157 } 158 159 int 160 proc_write_dbregs(struct thread *td, struct dbreg *dbregs) 161 { 162 163 PROC_ACTION(set_dbregs(td, dbregs)); 164 } 165 166 /* 167 * Ptrace doesn't support fpregs at all, and there are no security holes 168 * or translations for fpregs, so we can just copy them. 169 */ 170 int 171 proc_read_fpregs(struct thread *td, struct fpreg *fpregs) 172 { 173 174 PROC_ACTION(fill_fpregs(td, fpregs)); 175 } 176 177 int 178 proc_write_fpregs(struct thread *td, struct fpreg *fpregs) 179 { 180 181 PROC_ACTION(set_fpregs(td, fpregs)); 182 } 183 184 #ifdef COMPAT_FREEBSD32 185 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */ 186 int 187 proc_read_regs32(struct thread *td, struct reg32 *regs32) 188 { 189 190 PROC_ACTION(fill_regs32(td, regs32)); 191 } 192 193 int 194 proc_write_regs32(struct thread *td, struct reg32 *regs32) 195 { 196 197 PROC_ACTION(set_regs32(td, regs32)); 198 } 199 200 int 201 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 202 { 203 204 PROC_ACTION(fill_dbregs32(td, dbregs32)); 205 } 206 207 int 208 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 209 { 210 211 PROC_ACTION(set_dbregs32(td, dbregs32)); 212 } 213 214 int 215 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 216 { 217 218 PROC_ACTION(fill_fpregs32(td, fpregs32)); 219 } 220 221 int 222 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 223 { 224 225 PROC_ACTION(set_fpregs32(td, fpregs32)); 226 } 227 #endif 228 229 int 230 proc_sstep(struct thread *td) 231 { 232 233 PROC_ACTION(ptrace_single_step(td)); 234 } 235 236 int 237 proc_rwmem(struct proc *p, struct uio *uio) 238 { 239 vm_map_t map; 240 vm_object_t backing_object, object; 241 vm_offset_t pageno; /* page number */ 242 vm_prot_t reqprot; 243 int error, writing; 244 245 /* 246 * Assert that someone has locked this vmspace. (Should be 247 * curthread but we can't assert that.) This keeps the process 248 * from exiting out from under us until this operation completes. 249 */ 250 KASSERT(p->p_lock >= 1, ("%s: process %p (pid %d) not held", __func__, 251 p, p->p_pid)); 252 253 /* 254 * The map we want... 255 */ 256 map = &p->p_vmspace->vm_map; 257 258 writing = uio->uio_rw == UIO_WRITE; 259 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ; 260 261 /* 262 * Only map in one page at a time. We don't have to, but it 263 * makes things easier. This way is trivial - right? 264 */ 265 do { 266 vm_map_t tmap; 267 vm_offset_t uva; 268 int page_offset; /* offset into page */ 269 vm_map_entry_t out_entry; 270 vm_prot_t out_prot; 271 boolean_t wired; 272 vm_pindex_t pindex; 273 u_int len; 274 vm_page_t m; 275 276 object = NULL; 277 278 uva = (vm_offset_t)uio->uio_offset; 279 280 /* 281 * Get the page number of this segment. 282 */ 283 pageno = trunc_page(uva); 284 page_offset = uva - pageno; 285 286 /* 287 * How many bytes to copy 288 */ 289 len = min(PAGE_SIZE - page_offset, uio->uio_resid); 290 291 /* 292 * Fault the page on behalf of the process 293 */ 294 error = vm_fault(map, pageno, reqprot, VM_FAULT_NORMAL); 295 if (error) { 296 if (error == KERN_RESOURCE_SHORTAGE) 297 error = ENOMEM; 298 else 299 error = EFAULT; 300 break; 301 } 302 303 /* 304 * Now we need to get the page. out_entry and wired 305 * aren't used. One would think the vm code 306 * would be a *bit* nicer... We use tmap because 307 * vm_map_lookup() can change the map argument. 308 */ 309 tmap = map; 310 error = vm_map_lookup(&tmap, pageno, reqprot, &out_entry, 311 &object, &pindex, &out_prot, &wired); 312 if (error) { 313 error = EFAULT; 314 break; 315 } 316 VM_OBJECT_LOCK(object); 317 while ((m = vm_page_lookup(object, pindex)) == NULL && 318 !writing && 319 (backing_object = object->backing_object) != NULL) { 320 /* 321 * Allow fallback to backing objects if we are reading. 322 */ 323 VM_OBJECT_LOCK(backing_object); 324 pindex += OFF_TO_IDX(object->backing_object_offset); 325 VM_OBJECT_UNLOCK(object); 326 object = backing_object; 327 } 328 if (writing && m != NULL) { 329 vm_page_dirty(m); 330 vm_pager_page_unswapped(m); 331 } 332 VM_OBJECT_UNLOCK(object); 333 if (m == NULL) { 334 vm_map_lookup_done(tmap, out_entry); 335 error = EFAULT; 336 break; 337 } 338 339 /* 340 * Hold the page in memory. 341 */ 342 vm_page_lock(m); 343 vm_page_hold(m); 344 vm_page_unlock(m); 345 346 /* 347 * We're done with tmap now. 348 */ 349 vm_map_lookup_done(tmap, out_entry); 350 351 /* 352 * Now do the i/o move. 353 */ 354 error = uiomove_fromphys(&m, page_offset, len, uio); 355 356 /* Make the I-cache coherent for breakpoints. */ 357 if (!error && writing && (out_prot & VM_PROT_EXECUTE)) 358 vm_sync_icache(map, uva, len); 359 360 /* 361 * Release the page. 362 */ 363 vm_page_lock(m); 364 vm_page_unhold(m); 365 vm_page_unlock(m); 366 367 } while (error == 0 && uio->uio_resid > 0); 368 369 return (error); 370 } 371 372 static int 373 ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve) 374 { 375 struct vattr vattr; 376 vm_map_t map; 377 vm_map_entry_t entry; 378 vm_object_t obj, tobj, lobj; 379 struct vmspace *vm; 380 struct vnode *vp; 381 char *freepath, *fullpath; 382 u_int pathlen; 383 int error, index, vfslocked; 384 385 error = 0; 386 obj = NULL; 387 388 vm = vmspace_acquire_ref(p); 389 map = &vm->vm_map; 390 vm_map_lock_read(map); 391 392 do { 393 entry = map->header.next; 394 index = 0; 395 while (index < pve->pve_entry && entry != &map->header) { 396 entry = entry->next; 397 index++; 398 } 399 if (index != pve->pve_entry) { 400 error = EINVAL; 401 break; 402 } 403 while (entry != &map->header && 404 (entry->eflags & MAP_ENTRY_IS_SUB_MAP) != 0) { 405 entry = entry->next; 406 index++; 407 } 408 if (entry == &map->header) { 409 error = ENOENT; 410 break; 411 } 412 413 /* We got an entry. */ 414 pve->pve_entry = index + 1; 415 pve->pve_timestamp = map->timestamp; 416 pve->pve_start = entry->start; 417 pve->pve_end = entry->end - 1; 418 pve->pve_offset = entry->offset; 419 pve->pve_prot = entry->protection; 420 421 /* Backing object's path needed? */ 422 if (pve->pve_pathlen == 0) 423 break; 424 425 pathlen = pve->pve_pathlen; 426 pve->pve_pathlen = 0; 427 428 obj = entry->object.vm_object; 429 if (obj != NULL) 430 VM_OBJECT_LOCK(obj); 431 } while (0); 432 433 vm_map_unlock_read(map); 434 vmspace_free(vm); 435 436 pve->pve_fsid = VNOVAL; 437 pve->pve_fileid = VNOVAL; 438 439 if (error == 0 && obj != NULL) { 440 lobj = obj; 441 for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { 442 if (tobj != obj) 443 VM_OBJECT_LOCK(tobj); 444 if (lobj != obj) 445 VM_OBJECT_UNLOCK(lobj); 446 lobj = tobj; 447 pve->pve_offset += tobj->backing_object_offset; 448 } 449 vp = (lobj->type == OBJT_VNODE) ? lobj->handle : NULL; 450 if (vp != NULL) 451 vref(vp); 452 if (lobj != obj) 453 VM_OBJECT_UNLOCK(lobj); 454 VM_OBJECT_UNLOCK(obj); 455 456 if (vp != NULL) { 457 freepath = NULL; 458 fullpath = NULL; 459 vn_fullpath(td, vp, &fullpath, &freepath); 460 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 461 vn_lock(vp, LK_SHARED | LK_RETRY); 462 if (VOP_GETATTR(vp, &vattr, td->td_ucred) == 0) { 463 pve->pve_fileid = vattr.va_fileid; 464 pve->pve_fsid = vattr.va_fsid; 465 } 466 vput(vp); 467 VFS_UNLOCK_GIANT(vfslocked); 468 469 if (fullpath != NULL) { 470 pve->pve_pathlen = strlen(fullpath) + 1; 471 if (pve->pve_pathlen <= pathlen) { 472 error = copyout(fullpath, pve->pve_path, 473 pve->pve_pathlen); 474 } else 475 error = ENAMETOOLONG; 476 } 477 if (freepath != NULL) 478 free(freepath, M_TEMP); 479 } 480 } 481 482 return (error); 483 } 484 485 #ifdef COMPAT_FREEBSD32 486 static int 487 ptrace_vm_entry32(struct thread *td, struct proc *p, 488 struct ptrace_vm_entry32 *pve32) 489 { 490 struct ptrace_vm_entry pve; 491 int error; 492 493 pve.pve_entry = pve32->pve_entry; 494 pve.pve_pathlen = pve32->pve_pathlen; 495 pve.pve_path = (void *)(uintptr_t)pve32->pve_path; 496 497 error = ptrace_vm_entry(td, p, &pve); 498 if (error == 0) { 499 pve32->pve_entry = pve.pve_entry; 500 pve32->pve_timestamp = pve.pve_timestamp; 501 pve32->pve_start = pve.pve_start; 502 pve32->pve_end = pve.pve_end; 503 pve32->pve_offset = pve.pve_offset; 504 pve32->pve_prot = pve.pve_prot; 505 pve32->pve_fileid = pve.pve_fileid; 506 pve32->pve_fsid = pve.pve_fsid; 507 } 508 509 pve32->pve_pathlen = pve.pve_pathlen; 510 return (error); 511 } 512 513 static void 514 ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, 515 struct ptrace_lwpinfo32 *pl32) 516 { 517 518 pl32->pl_lwpid = pl->pl_lwpid; 519 pl32->pl_event = pl->pl_event; 520 pl32->pl_flags = pl->pl_flags; 521 pl32->pl_sigmask = pl->pl_sigmask; 522 pl32->pl_siglist = pl->pl_siglist; 523 siginfo_to_siginfo32(&pl->pl_siginfo, &pl32->pl_siginfo); 524 strcpy(pl32->pl_tdname, pl->pl_tdname); 525 } 526 #endif /* COMPAT_FREEBSD32 */ 527 528 /* 529 * Process debugging system call. 530 */ 531 #ifndef _SYS_SYSPROTO_H_ 532 struct ptrace_args { 533 int req; 534 pid_t pid; 535 caddr_t addr; 536 int data; 537 }; 538 #endif 539 540 #ifdef COMPAT_FREEBSD32 541 /* 542 * This CPP subterfuge is to try and reduce the number of ifdefs in 543 * the body of the code. 544 * COPYIN(uap->addr, &r.reg, sizeof r.reg); 545 * becomes either: 546 * copyin(uap->addr, &r.reg, sizeof r.reg); 547 * or 548 * copyin(uap->addr, &r.reg32, sizeof r.reg32); 549 * .. except this is done at runtime. 550 */ 551 #define COPYIN(u, k, s) wrap32 ? \ 552 copyin(u, k ## 32, s ## 32) : \ 553 copyin(u, k, s) 554 #define COPYOUT(k, u, s) wrap32 ? \ 555 copyout(k ## 32, u, s ## 32) : \ 556 copyout(k, u, s) 557 #else 558 #define COPYIN(u, k, s) copyin(u, k, s) 559 #define COPYOUT(k, u, s) copyout(k, u, s) 560 #endif 561 int 562 ptrace(struct thread *td, struct ptrace_args *uap) 563 { 564 /* 565 * XXX this obfuscation is to reduce stack usage, but the register 566 * structs may be too large to put on the stack anyway. 567 */ 568 union { 569 struct ptrace_io_desc piod; 570 struct ptrace_lwpinfo pl; 571 struct ptrace_vm_entry pve; 572 struct dbreg dbreg; 573 struct fpreg fpreg; 574 struct reg reg; 575 #ifdef COMPAT_FREEBSD32 576 struct dbreg32 dbreg32; 577 struct fpreg32 fpreg32; 578 struct reg32 reg32; 579 struct ptrace_io_desc32 piod32; 580 struct ptrace_lwpinfo32 pl32; 581 struct ptrace_vm_entry32 pve32; 582 #endif 583 } r; 584 void *addr; 585 int error = 0; 586 #ifdef COMPAT_FREEBSD32 587 int wrap32 = 0; 588 589 if (SV_CURPROC_FLAG(SV_ILP32)) 590 wrap32 = 1; 591 #endif 592 AUDIT_ARG_PID(uap->pid); 593 AUDIT_ARG_CMD(uap->req); 594 AUDIT_ARG_VALUE(uap->data); 595 addr = &r; 596 switch (uap->req) { 597 case PT_GETREGS: 598 case PT_GETFPREGS: 599 case PT_GETDBREGS: 600 case PT_LWPINFO: 601 break; 602 case PT_SETREGS: 603 error = COPYIN(uap->addr, &r.reg, sizeof r.reg); 604 break; 605 case PT_SETFPREGS: 606 error = COPYIN(uap->addr, &r.fpreg, sizeof r.fpreg); 607 break; 608 case PT_SETDBREGS: 609 error = COPYIN(uap->addr, &r.dbreg, sizeof r.dbreg); 610 break; 611 case PT_IO: 612 error = COPYIN(uap->addr, &r.piod, sizeof r.piod); 613 break; 614 case PT_VM_ENTRY: 615 error = COPYIN(uap->addr, &r.pve, sizeof r.pve); 616 break; 617 default: 618 addr = uap->addr; 619 break; 620 } 621 if (error) 622 return (error); 623 624 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data); 625 if (error) 626 return (error); 627 628 switch (uap->req) { 629 case PT_VM_ENTRY: 630 error = COPYOUT(&r.pve, uap->addr, sizeof r.pve); 631 break; 632 case PT_IO: 633 error = COPYOUT(&r.piod, uap->addr, sizeof r.piod); 634 break; 635 case PT_GETREGS: 636 error = COPYOUT(&r.reg, uap->addr, sizeof r.reg); 637 break; 638 case PT_GETFPREGS: 639 error = COPYOUT(&r.fpreg, uap->addr, sizeof r.fpreg); 640 break; 641 case PT_GETDBREGS: 642 error = COPYOUT(&r.dbreg, uap->addr, sizeof r.dbreg); 643 break; 644 case PT_LWPINFO: 645 error = copyout(&r.pl, uap->addr, uap->data); 646 break; 647 } 648 649 return (error); 650 } 651 #undef COPYIN 652 #undef COPYOUT 653 654 #ifdef COMPAT_FREEBSD32 655 /* 656 * PROC_READ(regs, td2, addr); 657 * becomes either: 658 * proc_read_regs(td2, addr); 659 * or 660 * proc_read_regs32(td2, addr); 661 * .. except this is done at runtime. There is an additional 662 * complication in that PROC_WRITE disallows 32 bit consumers 663 * from writing to 64 bit address space targets. 664 */ 665 #define PROC_READ(w, t, a) wrap32 ? \ 666 proc_read_ ## w ## 32(t, a) : \ 667 proc_read_ ## w (t, a) 668 #define PROC_WRITE(w, t, a) wrap32 ? \ 669 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \ 670 proc_write_ ## w (t, a) 671 #else 672 #define PROC_READ(w, t, a) proc_read_ ## w (t, a) 673 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a) 674 #endif 675 676 int 677 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) 678 { 679 struct iovec iov; 680 struct uio uio; 681 struct proc *curp, *p, *pp; 682 struct thread *td2 = NULL; 683 struct ptrace_io_desc *piod = NULL; 684 struct ptrace_lwpinfo *pl; 685 int error, write, tmp, num; 686 int proctree_locked = 0; 687 lwpid_t tid = 0, *buf; 688 #ifdef COMPAT_FREEBSD32 689 int wrap32 = 0, safe = 0; 690 struct ptrace_io_desc32 *piod32 = NULL; 691 struct ptrace_lwpinfo32 *pl32 = NULL; 692 struct ptrace_lwpinfo plr; 693 #endif 694 695 curp = td->td_proc; 696 697 /* Lock proctree before locking the process. */ 698 switch (req) { 699 case PT_TRACE_ME: 700 case PT_ATTACH: 701 case PT_STEP: 702 case PT_CONTINUE: 703 case PT_TO_SCE: 704 case PT_TO_SCX: 705 case PT_SYSCALL: 706 case PT_DETACH: 707 sx_xlock(&proctree_lock); 708 proctree_locked = 1; 709 break; 710 default: 711 break; 712 } 713 714 write = 0; 715 if (req == PT_TRACE_ME) { 716 p = td->td_proc; 717 PROC_LOCK(p); 718 } else { 719 if (pid <= PID_MAX) { 720 if ((p = pfind(pid)) == NULL) { 721 if (proctree_locked) 722 sx_xunlock(&proctree_lock); 723 return (ESRCH); 724 } 725 } else { 726 td2 = tdfind(pid, -1); 727 if (td2 == NULL) { 728 if (proctree_locked) 729 sx_xunlock(&proctree_lock); 730 return (ESRCH); 731 } 732 p = td2->td_proc; 733 tid = pid; 734 pid = p->p_pid; 735 } 736 } 737 AUDIT_ARG_PROCESS(p); 738 739 if ((p->p_flag & P_WEXIT) != 0) { 740 error = ESRCH; 741 goto fail; 742 } 743 if ((error = p_cansee(td, p)) != 0) 744 goto fail; 745 746 if ((error = p_candebug(td, p)) != 0) 747 goto fail; 748 749 /* 750 * System processes can't be debugged. 751 */ 752 if ((p->p_flag & P_SYSTEM) != 0) { 753 error = EINVAL; 754 goto fail; 755 } 756 757 if (tid == 0) { 758 if ((p->p_flag & P_STOPPED_TRACE) != 0) { 759 KASSERT(p->p_xthread != NULL, ("NULL p_xthread")); 760 td2 = p->p_xthread; 761 } else { 762 td2 = FIRST_THREAD_IN_PROC(p); 763 } 764 tid = td2->td_tid; 765 } 766 767 #ifdef COMPAT_FREEBSD32 768 /* 769 * Test if we're a 32 bit client and what the target is. 770 * Set the wrap controls accordingly. 771 */ 772 if (SV_CURPROC_FLAG(SV_ILP32)) { 773 if (td2->td_proc->p_sysent->sv_flags & SV_ILP32) 774 safe = 1; 775 wrap32 = 1; 776 } 777 #endif 778 /* 779 * Permissions check 780 */ 781 switch (req) { 782 case PT_TRACE_ME: 783 /* Always legal. */ 784 break; 785 786 case PT_ATTACH: 787 /* Self */ 788 if (p->p_pid == td->td_proc->p_pid) { 789 error = EINVAL; 790 goto fail; 791 } 792 793 /* Already traced */ 794 if (p->p_flag & P_TRACED) { 795 error = EBUSY; 796 goto fail; 797 } 798 799 /* Can't trace an ancestor if you're being traced. */ 800 if (curp->p_flag & P_TRACED) { 801 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) { 802 if (pp == p) { 803 error = EINVAL; 804 goto fail; 805 } 806 } 807 } 808 809 810 /* OK */ 811 break; 812 813 case PT_CLEARSTEP: 814 /* Allow thread to clear single step for itself */ 815 if (td->td_tid == tid) 816 break; 817 818 /* FALLTHROUGH */ 819 default: 820 /* not being traced... */ 821 if ((p->p_flag & P_TRACED) == 0) { 822 error = EPERM; 823 goto fail; 824 } 825 826 /* not being traced by YOU */ 827 if (p->p_pptr != td->td_proc) { 828 error = EBUSY; 829 goto fail; 830 } 831 832 /* not currently stopped */ 833 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) == 0 || 834 p->p_suspcount != p->p_numthreads || 835 (p->p_flag & P_WAITED) == 0) { 836 error = EBUSY; 837 goto fail; 838 } 839 840 if ((p->p_flag & P_STOPPED_TRACE) == 0) { 841 static int count = 0; 842 if (count++ == 0) 843 printf("P_STOPPED_TRACE not set.\n"); 844 } 845 846 /* OK */ 847 break; 848 } 849 850 /* Keep this process around until we finish this request. */ 851 _PHOLD(p); 852 853 #ifdef FIX_SSTEP 854 /* 855 * Single step fixup ala procfs 856 */ 857 FIX_SSTEP(td2); 858 #endif 859 860 /* 861 * Actually do the requests 862 */ 863 864 td->td_retval[0] = 0; 865 866 switch (req) { 867 case PT_TRACE_ME: 868 /* set my trace flag and "owner" so it can read/write me */ 869 p->p_flag |= P_TRACED; 870 p->p_oppid = p->p_pptr->p_pid; 871 break; 872 873 case PT_ATTACH: 874 /* security check done above */ 875 p->p_flag |= P_TRACED; 876 p->p_oppid = p->p_pptr->p_pid; 877 if (p->p_pptr != td->td_proc) 878 proc_reparent(p, td->td_proc); 879 data = SIGSTOP; 880 goto sendsig; /* in PT_CONTINUE below */ 881 882 case PT_CLEARSTEP: 883 error = ptrace_clear_single_step(td2); 884 break; 885 886 case PT_SETSTEP: 887 error = ptrace_single_step(td2); 888 break; 889 890 case PT_SUSPEND: 891 td2->td_dbgflags |= TDB_SUSPEND; 892 thread_lock(td2); 893 td2->td_flags |= TDF_NEEDSUSPCHK; 894 thread_unlock(td2); 895 break; 896 897 case PT_RESUME: 898 td2->td_dbgflags &= ~TDB_SUSPEND; 899 break; 900 901 case PT_STEP: 902 case PT_CONTINUE: 903 case PT_TO_SCE: 904 case PT_TO_SCX: 905 case PT_SYSCALL: 906 case PT_DETACH: 907 /* Zero means do not send any signal */ 908 if (data < 0 || data > _SIG_MAXSIG) { 909 error = EINVAL; 910 break; 911 } 912 913 switch (req) { 914 case PT_STEP: 915 error = ptrace_single_step(td2); 916 if (error) 917 goto out; 918 break; 919 case PT_CONTINUE: 920 case PT_TO_SCE: 921 case PT_TO_SCX: 922 case PT_SYSCALL: 923 if (addr != (void *)1) { 924 error = ptrace_set_pc(td2, 925 (u_long)(uintfptr_t)addr); 926 if (error) 927 goto out; 928 } 929 switch (req) { 930 case PT_TO_SCE: 931 p->p_stops |= S_PT_SCE; 932 break; 933 case PT_TO_SCX: 934 p->p_stops |= S_PT_SCX; 935 break; 936 case PT_SYSCALL: 937 p->p_stops |= S_PT_SCE | S_PT_SCX; 938 break; 939 } 940 break; 941 case PT_DETACH: 942 /* reset process parent */ 943 if (p->p_oppid != p->p_pptr->p_pid) { 944 struct proc *pp; 945 946 PROC_LOCK(p->p_pptr); 947 sigqueue_take(p->p_ksi); 948 PROC_UNLOCK(p->p_pptr); 949 950 PROC_UNLOCK(p); 951 pp = pfind(p->p_oppid); 952 if (pp == NULL) 953 pp = initproc; 954 else 955 PROC_UNLOCK(pp); 956 PROC_LOCK(p); 957 proc_reparent(p, pp); 958 if (pp == initproc) 959 p->p_sigparent = SIGCHLD; 960 } 961 p->p_flag &= ~(P_TRACED | P_WAITED); 962 p->p_oppid = 0; 963 964 /* should we send SIGCHLD? */ 965 /* childproc_continued(p); */ 966 break; 967 } 968 969 sendsig: 970 if (proctree_locked) { 971 sx_xunlock(&proctree_lock); 972 proctree_locked = 0; 973 } 974 p->p_xstat = data; 975 p->p_xthread = NULL; 976 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) != 0) { 977 /* deliver or queue signal */ 978 td2->td_dbgflags &= ~TDB_XSIG; 979 td2->td_xsig = data; 980 981 if (req == PT_DETACH) { 982 struct thread *td3; 983 FOREACH_THREAD_IN_PROC(p, td3) { 984 td3->td_dbgflags &= ~TDB_SUSPEND; 985 } 986 } 987 /* 988 * unsuspend all threads, to not let a thread run, 989 * you should use PT_SUSPEND to suspend it before 990 * continuing process. 991 */ 992 PROC_SLOCK(p); 993 p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG|P_WAITED); 994 thread_unsuspend(p); 995 PROC_SUNLOCK(p); 996 } else { 997 if (data) 998 psignal(p, data); 999 } 1000 break; 1001 1002 case PT_WRITE_I: 1003 case PT_WRITE_D: 1004 td2->td_dbgflags |= TDB_USERWR; 1005 write = 1; 1006 /* FALLTHROUGH */ 1007 case PT_READ_I: 1008 case PT_READ_D: 1009 PROC_UNLOCK(p); 1010 tmp = 0; 1011 /* write = 0 set above */ 1012 iov.iov_base = write ? (caddr_t)&data : (caddr_t)&tmp; 1013 iov.iov_len = sizeof(int); 1014 uio.uio_iov = &iov; 1015 uio.uio_iovcnt = 1; 1016 uio.uio_offset = (off_t)(uintptr_t)addr; 1017 uio.uio_resid = sizeof(int); 1018 uio.uio_segflg = UIO_SYSSPACE; /* i.e.: the uap */ 1019 uio.uio_rw = write ? UIO_WRITE : UIO_READ; 1020 uio.uio_td = td; 1021 error = proc_rwmem(p, &uio); 1022 if (uio.uio_resid != 0) { 1023 /* 1024 * XXX proc_rwmem() doesn't currently return ENOSPC, 1025 * so I think write() can bogusly return 0. 1026 * XXX what happens for short writes? We don't want 1027 * to write partial data. 1028 * XXX proc_rwmem() returns EPERM for other invalid 1029 * addresses. Convert this to EINVAL. Does this 1030 * clobber returns of EPERM for other reasons? 1031 */ 1032 if (error == 0 || error == ENOSPC || error == EPERM) 1033 error = EINVAL; /* EOF */ 1034 } 1035 if (!write) 1036 td->td_retval[0] = tmp; 1037 PROC_LOCK(p); 1038 break; 1039 1040 case PT_IO: 1041 #ifdef COMPAT_FREEBSD32 1042 if (wrap32) { 1043 piod32 = addr; 1044 iov.iov_base = (void *)(uintptr_t)piod32->piod_addr; 1045 iov.iov_len = piod32->piod_len; 1046 uio.uio_offset = (off_t)(uintptr_t)piod32->piod_offs; 1047 uio.uio_resid = piod32->piod_len; 1048 } else 1049 #endif 1050 { 1051 piod = addr; 1052 iov.iov_base = piod->piod_addr; 1053 iov.iov_len = piod->piod_len; 1054 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs; 1055 uio.uio_resid = piod->piod_len; 1056 } 1057 uio.uio_iov = &iov; 1058 uio.uio_iovcnt = 1; 1059 uio.uio_segflg = UIO_USERSPACE; 1060 uio.uio_td = td; 1061 #ifdef COMPAT_FREEBSD32 1062 tmp = wrap32 ? piod32->piod_op : piod->piod_op; 1063 #else 1064 tmp = piod->piod_op; 1065 #endif 1066 switch (tmp) { 1067 case PIOD_READ_D: 1068 case PIOD_READ_I: 1069 uio.uio_rw = UIO_READ; 1070 break; 1071 case PIOD_WRITE_D: 1072 case PIOD_WRITE_I: 1073 td2->td_dbgflags |= TDB_USERWR; 1074 uio.uio_rw = UIO_WRITE; 1075 break; 1076 default: 1077 error = EINVAL; 1078 goto out; 1079 } 1080 PROC_UNLOCK(p); 1081 error = proc_rwmem(p, &uio); 1082 #ifdef COMPAT_FREEBSD32 1083 if (wrap32) 1084 piod32->piod_len -= uio.uio_resid; 1085 else 1086 #endif 1087 piod->piod_len -= uio.uio_resid; 1088 PROC_LOCK(p); 1089 break; 1090 1091 case PT_KILL: 1092 data = SIGKILL; 1093 goto sendsig; /* in PT_CONTINUE above */ 1094 1095 case PT_SETREGS: 1096 td2->td_dbgflags |= TDB_USERWR; 1097 error = PROC_WRITE(regs, td2, addr); 1098 break; 1099 1100 case PT_GETREGS: 1101 error = PROC_READ(regs, td2, addr); 1102 break; 1103 1104 case PT_SETFPREGS: 1105 td2->td_dbgflags |= TDB_USERWR; 1106 error = PROC_WRITE(fpregs, td2, addr); 1107 break; 1108 1109 case PT_GETFPREGS: 1110 error = PROC_READ(fpregs, td2, addr); 1111 break; 1112 1113 case PT_SETDBREGS: 1114 td2->td_dbgflags |= TDB_USERWR; 1115 error = PROC_WRITE(dbregs, td2, addr); 1116 break; 1117 1118 case PT_GETDBREGS: 1119 error = PROC_READ(dbregs, td2, addr); 1120 break; 1121 1122 case PT_LWPINFO: 1123 if (data <= 0 || 1124 #ifdef COMPAT_FREEBSD32 1125 (!wrap32 && data > sizeof(*pl)) || 1126 (wrap32 && data > sizeof(*pl32))) { 1127 #else 1128 data > sizeof(*pl)) { 1129 #endif 1130 error = EINVAL; 1131 break; 1132 } 1133 #ifdef COMPAT_FREEBSD32 1134 if (wrap32) { 1135 pl = &plr; 1136 pl32 = addr; 1137 } else 1138 #endif 1139 pl = addr; 1140 pl->pl_lwpid = td2->td_tid; 1141 pl->pl_flags = 0; 1142 if (td2->td_dbgflags & TDB_XSIG) { 1143 pl->pl_event = PL_EVENT_SIGNAL; 1144 if (td2->td_dbgksi.ksi_signo != 0 && 1145 #ifdef COMPAT_FREEBSD32 1146 ((!wrap32 && data >= offsetof(struct ptrace_lwpinfo, 1147 pl_siginfo) + sizeof(pl->pl_siginfo)) || 1148 (wrap32 && data >= offsetof(struct ptrace_lwpinfo32, 1149 pl_siginfo) + sizeof(struct siginfo32))) 1150 #else 1151 data >= offsetof(struct ptrace_lwpinfo, pl_siginfo) 1152 + sizeof(pl->pl_siginfo) 1153 #endif 1154 ){ 1155 pl->pl_flags |= PL_FLAG_SI; 1156 pl->pl_siginfo = td2->td_dbgksi.ksi_info; 1157 } 1158 } 1159 if ((pl->pl_flags & PL_FLAG_SI) == 0) 1160 bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); 1161 if (td2->td_dbgflags & TDB_SCE) 1162 pl->pl_flags |= PL_FLAG_SCE; 1163 else if (td2->td_dbgflags & TDB_SCX) 1164 pl->pl_flags |= PL_FLAG_SCX; 1165 if (td2->td_dbgflags & TDB_EXEC) 1166 pl->pl_flags |= PL_FLAG_EXEC; 1167 pl->pl_sigmask = td2->td_sigmask; 1168 pl->pl_siglist = td2->td_siglist; 1169 strcpy(pl->pl_tdname, td2->td_name); 1170 #ifdef COMPAT_FREEBSD32 1171 if (wrap32) 1172 ptrace_lwpinfo_to32(pl, pl32); 1173 #endif 1174 break; 1175 1176 case PT_GETNUMLWPS: 1177 td->td_retval[0] = p->p_numthreads; 1178 break; 1179 1180 case PT_GETLWPLIST: 1181 if (data <= 0) { 1182 error = EINVAL; 1183 break; 1184 } 1185 num = imin(p->p_numthreads, data); 1186 PROC_UNLOCK(p); 1187 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK); 1188 tmp = 0; 1189 PROC_LOCK(p); 1190 FOREACH_THREAD_IN_PROC(p, td2) { 1191 if (tmp >= num) 1192 break; 1193 buf[tmp++] = td2->td_tid; 1194 } 1195 PROC_UNLOCK(p); 1196 error = copyout(buf, addr, tmp * sizeof(lwpid_t)); 1197 free(buf, M_TEMP); 1198 if (!error) 1199 td->td_retval[0] = tmp; 1200 PROC_LOCK(p); 1201 break; 1202 1203 case PT_VM_TIMESTAMP: 1204 td->td_retval[0] = p->p_vmspace->vm_map.timestamp; 1205 break; 1206 1207 case PT_VM_ENTRY: 1208 PROC_UNLOCK(p); 1209 #ifdef COMPAT_FREEBSD32 1210 if (wrap32) 1211 error = ptrace_vm_entry32(td, p, addr); 1212 else 1213 #endif 1214 error = ptrace_vm_entry(td, p, addr); 1215 PROC_LOCK(p); 1216 break; 1217 1218 default: 1219 #ifdef __HAVE_PTRACE_MACHDEP 1220 if (req >= PT_FIRSTMACH) { 1221 PROC_UNLOCK(p); 1222 error = cpu_ptrace(td2, req, addr, data); 1223 PROC_LOCK(p); 1224 } else 1225 #endif 1226 /* Unknown request. */ 1227 error = EINVAL; 1228 break; 1229 } 1230 1231 out: 1232 /* Drop our hold on this process now that the request has completed. */ 1233 _PRELE(p); 1234 fail: 1235 PROC_UNLOCK(p); 1236 if (proctree_locked) 1237 sx_xunlock(&proctree_lock); 1238 return (error); 1239 } 1240 #undef PROC_READ 1241 #undef PROC_WRITE 1242 1243 /* 1244 * Stop a process because of a debugging event; 1245 * stay stopped until p->p_step is cleared 1246 * (cleared by PIOCCONT in procfs). 1247 */ 1248 void 1249 stopevent(struct proc *p, unsigned int event, unsigned int val) 1250 { 1251 1252 PROC_LOCK_ASSERT(p, MA_OWNED); 1253 p->p_step = 1; 1254 do { 1255 p->p_xstat = val; 1256 p->p_xthread = NULL; 1257 p->p_stype = event; /* Which event caused the stop? */ 1258 wakeup(&p->p_stype); /* Wake up any PIOCWAIT'ing procs */ 1259 msleep(&p->p_step, &p->p_mtx, PWAIT, "stopevent", 0); 1260 } while (p->p_step); 1261 } 1262