1 /*- 2 * SPDX-License-Identifier: BSD-4-Clause 3 * 4 * Copyright (c) 1994, Sean Eric Fagan 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Sean Eric Fagan. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __FBSDID("$FreeBSD$"); 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/ktr.h> 40 #include <sys/limits.h> 41 #include <sys/lock.h> 42 #include <sys/mutex.h> 43 #include <sys/reg.h> 44 #include <sys/syscallsubr.h> 45 #include <sys/sysent.h> 46 #include <sys/sysproto.h> 47 #include <sys/priv.h> 48 #include <sys/proc.h> 49 #include <sys/vnode.h> 50 #include <sys/ptrace.h> 51 #include <sys/rwlock.h> 52 #include <sys/sx.h> 53 #include <sys/malloc.h> 54 #include <sys/signalvar.h> 55 #include <sys/caprights.h> 56 #include <sys/filedesc.h> 57 58 #include <security/audit/audit.h> 59 60 #include <vm/vm.h> 61 #include <vm/pmap.h> 62 #include <vm/vm_extern.h> 63 #include <vm/vm_map.h> 64 #include <vm/vm_kern.h> 65 #include <vm/vm_object.h> 66 #include <vm/vm_page.h> 67 #include <vm/vm_param.h> 68 69 #ifdef COMPAT_FREEBSD32 70 #include <sys/procfs.h> 71 #endif 72 73 /* Assert it's safe to unlock a process, e.g. to allocate working memory */ 74 #define PROC_ASSERT_TRACEREQ(p) MPASS(((p)->p_flag2 & P2_PTRACEREQ) != 0) 75 76 /* 77 * Functions implemented using PROC_ACTION(): 78 * 79 * proc_read_regs(proc, regs) 80 * Get the current user-visible register set from the process 81 * and copy it into the regs structure (<machine/reg.h>). 82 * The process is stopped at the time read_regs is called. 83 * 84 * proc_write_regs(proc, regs) 85 * Update the current register set from the passed in regs 86 * structure. Take care to avoid clobbering special CPU 87 * registers or privileged bits in the PSL. 88 * Depending on the architecture this may have fix-up work to do, 89 * especially if the IAR or PCW are modified. 90 * The process is stopped at the time write_regs is called. 91 * 92 * proc_read_fpregs, proc_write_fpregs 93 * deal with the floating point register set, otherwise as above. 94 * 95 * proc_read_dbregs, proc_write_dbregs 96 * deal with the processor debug register set, otherwise as above. 97 * 98 * proc_sstep(proc) 99 * Arrange for the process to trap after executing a single instruction. 100 */ 101 102 #define PROC_ACTION(action) do { \ 103 int error; \ 104 \ 105 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \ 106 if ((td->td_proc->p_flag & P_INMEM) == 0) \ 107 error = EIO; \ 108 else \ 109 error = (action); \ 110 return (error); \ 111 } while (0) 112 113 int 114 proc_read_regs(struct thread *td, struct reg *regs) 115 { 116 117 PROC_ACTION(fill_regs(td, regs)); 118 } 119 120 int 121 proc_write_regs(struct thread *td, struct reg *regs) 122 { 123 124 PROC_ACTION(set_regs(td, regs)); 125 } 126 127 int 128 proc_read_dbregs(struct thread *td, struct dbreg *dbregs) 129 { 130 131 PROC_ACTION(fill_dbregs(td, dbregs)); 132 } 133 134 int 135 proc_write_dbregs(struct thread *td, struct dbreg *dbregs) 136 { 137 138 PROC_ACTION(set_dbregs(td, dbregs)); 139 } 140 141 /* 142 * Ptrace doesn't support fpregs at all, and there are no security holes 143 * or translations for fpregs, so we can just copy them. 144 */ 145 int 146 proc_read_fpregs(struct thread *td, struct fpreg *fpregs) 147 { 148 149 PROC_ACTION(fill_fpregs(td, fpregs)); 150 } 151 152 int 153 proc_write_fpregs(struct thread *td, struct fpreg *fpregs) 154 { 155 156 PROC_ACTION(set_fpregs(td, fpregs)); 157 } 158 159 static struct regset * 160 proc_find_regset(struct thread *td, int note) 161 { 162 struct regset **regsetp, **regset_end, *regset; 163 struct sysentvec *sv; 164 165 sv = td->td_proc->p_sysent; 166 regsetp = sv->sv_regset_begin; 167 if (regsetp == NULL) 168 return (NULL); 169 regset_end = sv->sv_regset_end; 170 MPASS(regset_end != NULL); 171 for (; regsetp < regset_end; regsetp++) { 172 regset = *regsetp; 173 if (regset->note != note) 174 continue; 175 176 return (regset); 177 } 178 179 return (NULL); 180 } 181 182 static int 183 proc_read_regset(struct thread *td, int note, struct iovec *iov) 184 { 185 struct regset *regset; 186 struct proc *p; 187 void *buf; 188 size_t size; 189 int error; 190 191 regset = proc_find_regset(td, note); 192 if (regset == NULL) 193 return (EINVAL); 194 195 if (iov->iov_base == NULL) { 196 iov->iov_len = regset->size; 197 if (iov->iov_len == 0) 198 return (EINVAL); 199 200 return (0); 201 } 202 203 /* The length is wrong, return an error */ 204 if (iov->iov_len != regset->size) 205 return (EINVAL); 206 207 if (regset->get == NULL) 208 return (EINVAL); 209 210 error = 0; 211 size = regset->size; 212 p = td->td_proc; 213 214 /* Drop the proc lock while allocating the temp buffer */ 215 PROC_ASSERT_TRACEREQ(p); 216 PROC_UNLOCK(p); 217 buf = malloc(size, M_TEMP, M_WAITOK); 218 PROC_LOCK(p); 219 220 if (!regset->get(regset, td, buf, &size)) { 221 error = EINVAL; 222 } else { 223 KASSERT(size == regset->size, 224 ("%s: Getter function changed the size", __func__)); 225 226 iov->iov_len = size; 227 PROC_UNLOCK(p); 228 error = copyout(buf, iov->iov_base, size); 229 PROC_LOCK(p); 230 } 231 232 free(buf, M_TEMP); 233 234 return (error); 235 } 236 237 static int 238 proc_write_regset(struct thread *td, int note, struct iovec *iov) 239 { 240 struct regset *regset; 241 struct proc *p; 242 void *buf; 243 size_t size; 244 int error; 245 246 regset = proc_find_regset(td, note); 247 if (regset == NULL) 248 return (EINVAL); 249 250 /* The length is wrong, return an error */ 251 if (iov->iov_len != regset->size) 252 return (EINVAL); 253 254 if (regset->set == NULL) 255 return (EINVAL); 256 257 size = regset->size; 258 p = td->td_proc; 259 260 /* Drop the proc lock while allocating the temp buffer */ 261 PROC_ASSERT_TRACEREQ(p); 262 PROC_UNLOCK(p); 263 buf = malloc(size, M_TEMP, M_WAITOK); 264 error = copyin(iov->iov_base, buf, size); 265 PROC_LOCK(p); 266 267 if (error == 0) { 268 if (!regset->set(regset, td, buf, size)) { 269 error = EINVAL; 270 } 271 } 272 273 free(buf, M_TEMP); 274 275 return (error); 276 } 277 278 #ifdef COMPAT_FREEBSD32 279 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */ 280 int 281 proc_read_regs32(struct thread *td, struct reg32 *regs32) 282 { 283 284 PROC_ACTION(fill_regs32(td, regs32)); 285 } 286 287 int 288 proc_write_regs32(struct thread *td, struct reg32 *regs32) 289 { 290 291 PROC_ACTION(set_regs32(td, regs32)); 292 } 293 294 int 295 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 296 { 297 298 PROC_ACTION(fill_dbregs32(td, dbregs32)); 299 } 300 301 int 302 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 303 { 304 305 PROC_ACTION(set_dbregs32(td, dbregs32)); 306 } 307 308 int 309 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 310 { 311 312 PROC_ACTION(fill_fpregs32(td, fpregs32)); 313 } 314 315 int 316 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 317 { 318 319 PROC_ACTION(set_fpregs32(td, fpregs32)); 320 } 321 #endif 322 323 int 324 proc_sstep(struct thread *td) 325 { 326 327 PROC_ACTION(ptrace_single_step(td)); 328 } 329 330 int 331 proc_rwmem(struct proc *p, struct uio *uio) 332 { 333 vm_map_t map; 334 vm_offset_t pageno; /* page number */ 335 vm_prot_t reqprot; 336 int error, fault_flags, page_offset, writing; 337 338 /* 339 * Make sure that the process' vmspace remains live. 340 */ 341 if (p != curproc) 342 PROC_ASSERT_HELD(p); 343 KASSERT((p->p_flag & P_WEXIT) == 0, 344 ("%s: process %p is exiting", __func__, p)); 345 PROC_LOCK_ASSERT(p, MA_NOTOWNED); 346 347 /* 348 * The map we want... 349 */ 350 map = &p->p_vmspace->vm_map; 351 352 /* 353 * If we are writing, then we request vm_fault() to create a private 354 * copy of each page. Since these copies will not be writeable by the 355 * process, we must explicity request that they be dirtied. 356 */ 357 writing = uio->uio_rw == UIO_WRITE; 358 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ; 359 fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL; 360 361 /* 362 * Only map in one page at a time. We don't have to, but it 363 * makes things easier. This way is trivial - right? 364 */ 365 do { 366 vm_offset_t uva; 367 u_int len; 368 vm_page_t m; 369 370 uva = (vm_offset_t)uio->uio_offset; 371 372 /* 373 * Get the page number of this segment. 374 */ 375 pageno = trunc_page(uva); 376 page_offset = uva - pageno; 377 378 /* 379 * How many bytes to copy 380 */ 381 len = min(PAGE_SIZE - page_offset, uio->uio_resid); 382 383 /* 384 * Fault and hold the page on behalf of the process. 385 */ 386 error = vm_fault(map, pageno, reqprot, fault_flags, &m); 387 if (error != KERN_SUCCESS) { 388 if (error == KERN_RESOURCE_SHORTAGE) 389 error = ENOMEM; 390 else 391 error = EFAULT; 392 break; 393 } 394 395 /* 396 * Now do the i/o move. 397 */ 398 error = uiomove_fromphys(&m, page_offset, len, uio); 399 400 /* Make the I-cache coherent for breakpoints. */ 401 if (writing && error == 0) { 402 vm_map_lock_read(map); 403 if (vm_map_check_protection(map, pageno, pageno + 404 PAGE_SIZE, VM_PROT_EXECUTE)) 405 vm_sync_icache(map, uva, len); 406 vm_map_unlock_read(map); 407 } 408 409 /* 410 * Release the page. 411 */ 412 vm_page_unwire(m, PQ_ACTIVE); 413 414 } while (error == 0 && uio->uio_resid > 0); 415 416 return (error); 417 } 418 419 static ssize_t 420 proc_iop(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 421 size_t len, enum uio_rw rw) 422 { 423 struct iovec iov; 424 struct uio uio; 425 ssize_t slen; 426 427 MPASS(len < SSIZE_MAX); 428 slen = (ssize_t)len; 429 430 iov.iov_base = (caddr_t)buf; 431 iov.iov_len = len; 432 uio.uio_iov = &iov; 433 uio.uio_iovcnt = 1; 434 uio.uio_offset = va; 435 uio.uio_resid = slen; 436 uio.uio_segflg = UIO_SYSSPACE; 437 uio.uio_rw = rw; 438 uio.uio_td = td; 439 proc_rwmem(p, &uio); 440 if (uio.uio_resid == slen) 441 return (-1); 442 return (slen - uio.uio_resid); 443 } 444 445 ssize_t 446 proc_readmem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 447 size_t len) 448 { 449 450 return (proc_iop(td, p, va, buf, len, UIO_READ)); 451 } 452 453 ssize_t 454 proc_writemem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 455 size_t len) 456 { 457 458 return (proc_iop(td, p, va, buf, len, UIO_WRITE)); 459 } 460 461 static int 462 ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve) 463 { 464 struct vattr vattr; 465 vm_map_t map; 466 vm_map_entry_t entry; 467 vm_object_t obj, tobj, lobj; 468 struct vmspace *vm; 469 struct vnode *vp; 470 char *freepath, *fullpath; 471 u_int pathlen; 472 int error, index; 473 474 error = 0; 475 obj = NULL; 476 477 vm = vmspace_acquire_ref(p); 478 map = &vm->vm_map; 479 vm_map_lock_read(map); 480 481 do { 482 KASSERT((map->header.eflags & MAP_ENTRY_IS_SUB_MAP) == 0, 483 ("Submap in map header")); 484 index = 0; 485 VM_MAP_ENTRY_FOREACH(entry, map) { 486 if (index >= pve->pve_entry && 487 (entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0) 488 break; 489 index++; 490 } 491 if (index < pve->pve_entry) { 492 error = EINVAL; 493 break; 494 } 495 if (entry == &map->header) { 496 error = ENOENT; 497 break; 498 } 499 500 /* We got an entry. */ 501 pve->pve_entry = index + 1; 502 pve->pve_timestamp = map->timestamp; 503 pve->pve_start = entry->start; 504 pve->pve_end = entry->end - 1; 505 pve->pve_offset = entry->offset; 506 pve->pve_prot = entry->protection; 507 508 /* Backing object's path needed? */ 509 if (pve->pve_pathlen == 0) 510 break; 511 512 pathlen = pve->pve_pathlen; 513 pve->pve_pathlen = 0; 514 515 obj = entry->object.vm_object; 516 if (obj != NULL) 517 VM_OBJECT_RLOCK(obj); 518 } while (0); 519 520 vm_map_unlock_read(map); 521 522 pve->pve_fsid = VNOVAL; 523 pve->pve_fileid = VNOVAL; 524 525 if (error == 0 && obj != NULL) { 526 lobj = obj; 527 for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { 528 if (tobj != obj) 529 VM_OBJECT_RLOCK(tobj); 530 if (lobj != obj) 531 VM_OBJECT_RUNLOCK(lobj); 532 lobj = tobj; 533 pve->pve_offset += tobj->backing_object_offset; 534 } 535 vp = vm_object_vnode(lobj); 536 if (vp != NULL) 537 vref(vp); 538 if (lobj != obj) 539 VM_OBJECT_RUNLOCK(lobj); 540 VM_OBJECT_RUNLOCK(obj); 541 542 if (vp != NULL) { 543 freepath = NULL; 544 fullpath = NULL; 545 vn_fullpath(vp, &fullpath, &freepath); 546 vn_lock(vp, LK_SHARED | LK_RETRY); 547 if (VOP_GETATTR(vp, &vattr, td->td_ucred) == 0) { 548 pve->pve_fileid = vattr.va_fileid; 549 pve->pve_fsid = vattr.va_fsid; 550 } 551 vput(vp); 552 553 if (fullpath != NULL) { 554 pve->pve_pathlen = strlen(fullpath) + 1; 555 if (pve->pve_pathlen <= pathlen) { 556 error = copyout(fullpath, pve->pve_path, 557 pve->pve_pathlen); 558 } else 559 error = ENAMETOOLONG; 560 } 561 if (freepath != NULL) 562 free(freepath, M_TEMP); 563 } 564 } 565 vmspace_free(vm); 566 if (error == 0) 567 CTR3(KTR_PTRACE, "PT_VM_ENTRY: pid %d, entry %d, start %p", 568 p->p_pid, pve->pve_entry, pve->pve_start); 569 570 return (error); 571 } 572 573 /* 574 * Process debugging system call. 575 */ 576 #ifndef _SYS_SYSPROTO_H_ 577 struct ptrace_args { 578 int req; 579 pid_t pid; 580 caddr_t addr; 581 int data; 582 }; 583 #endif 584 585 int 586 sys_ptrace(struct thread *td, struct ptrace_args *uap) 587 { 588 /* 589 * XXX this obfuscation is to reduce stack usage, but the register 590 * structs may be too large to put on the stack anyway. 591 */ 592 union { 593 struct ptrace_io_desc piod; 594 struct ptrace_lwpinfo pl; 595 struct ptrace_vm_entry pve; 596 struct ptrace_coredump pc; 597 struct dbreg dbreg; 598 struct fpreg fpreg; 599 struct reg reg; 600 struct iovec vec; 601 char args[sizeof(td->td_sa.args)]; 602 struct ptrace_sc_ret psr; 603 int ptevents; 604 } r; 605 void *addr; 606 int error; 607 608 if (!allow_ptrace) 609 return (ENOSYS); 610 error = 0; 611 612 AUDIT_ARG_PID(uap->pid); 613 AUDIT_ARG_CMD(uap->req); 614 AUDIT_ARG_VALUE(uap->data); 615 addr = &r; 616 switch (uap->req) { 617 case PT_GET_EVENT_MASK: 618 case PT_LWPINFO: 619 case PT_GET_SC_ARGS: 620 case PT_GET_SC_RET: 621 break; 622 case PT_GETREGS: 623 bzero(&r.reg, sizeof(r.reg)); 624 break; 625 case PT_GETFPREGS: 626 bzero(&r.fpreg, sizeof(r.fpreg)); 627 break; 628 case PT_GETDBREGS: 629 bzero(&r.dbreg, sizeof(r.dbreg)); 630 break; 631 case PT_GETREGSET: 632 case PT_SETREGSET: 633 error = copyin(uap->addr, &r.vec, sizeof(r.vec)); 634 break; 635 case PT_SETREGS: 636 error = copyin(uap->addr, &r.reg, sizeof(r.reg)); 637 break; 638 case PT_SETFPREGS: 639 error = copyin(uap->addr, &r.fpreg, sizeof(r.fpreg)); 640 break; 641 case PT_SETDBREGS: 642 error = copyin(uap->addr, &r.dbreg, sizeof(r.dbreg)); 643 break; 644 case PT_SET_EVENT_MASK: 645 if (uap->data != sizeof(r.ptevents)) 646 error = EINVAL; 647 else 648 error = copyin(uap->addr, &r.ptevents, uap->data); 649 break; 650 case PT_IO: 651 error = copyin(uap->addr, &r.piod, sizeof(r.piod)); 652 break; 653 case PT_VM_ENTRY: 654 error = copyin(uap->addr, &r.pve, sizeof(r.pve)); 655 break; 656 case PT_COREDUMP: 657 if (uap->data != sizeof(r.pc)) 658 error = EINVAL; 659 else 660 error = copyin(uap->addr, &r.pc, uap->data); 661 break; 662 default: 663 addr = uap->addr; 664 break; 665 } 666 if (error) 667 return (error); 668 669 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data); 670 if (error) 671 return (error); 672 673 switch (uap->req) { 674 case PT_VM_ENTRY: 675 error = copyout(&r.pve, uap->addr, sizeof(r.pve)); 676 break; 677 case PT_IO: 678 error = copyout(&r.piod, uap->addr, sizeof(r.piod)); 679 break; 680 case PT_GETREGS: 681 error = copyout(&r.reg, uap->addr, sizeof(r.reg)); 682 break; 683 case PT_GETFPREGS: 684 error = copyout(&r.fpreg, uap->addr, sizeof(r.fpreg)); 685 break; 686 case PT_GETDBREGS: 687 error = copyout(&r.dbreg, uap->addr, sizeof(r.dbreg)); 688 break; 689 case PT_GETREGSET: 690 error = copyout(&r.vec, uap->addr, sizeof(r.vec)); 691 break; 692 case PT_GET_EVENT_MASK: 693 /* NB: The size in uap->data is validated in kern_ptrace(). */ 694 error = copyout(&r.ptevents, uap->addr, uap->data); 695 break; 696 case PT_LWPINFO: 697 /* NB: The size in uap->data is validated in kern_ptrace(). */ 698 error = copyout(&r.pl, uap->addr, uap->data); 699 break; 700 case PT_GET_SC_ARGS: 701 error = copyout(r.args, uap->addr, MIN(uap->data, 702 sizeof(r.args))); 703 break; 704 case PT_GET_SC_RET: 705 error = copyout(&r.psr, uap->addr, MIN(uap->data, 706 sizeof(r.psr))); 707 break; 708 } 709 710 return (error); 711 } 712 713 #ifdef COMPAT_FREEBSD32 714 /* 715 * PROC_READ(regs, td2, addr); 716 * becomes either: 717 * proc_read_regs(td2, addr); 718 * or 719 * proc_read_regs32(td2, addr); 720 * .. except this is done at runtime. There is an additional 721 * complication in that PROC_WRITE disallows 32 bit consumers 722 * from writing to 64 bit address space targets. 723 */ 724 #define PROC_READ(w, t, a) wrap32 ? \ 725 proc_read_ ## w ## 32(t, a) : \ 726 proc_read_ ## w (t, a) 727 #define PROC_WRITE(w, t, a) wrap32 ? \ 728 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \ 729 proc_write_ ## w (t, a) 730 #else 731 #define PROC_READ(w, t, a) proc_read_ ## w (t, a) 732 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a) 733 #endif 734 735 void 736 proc_set_traced(struct proc *p, bool stop) 737 { 738 739 sx_assert(&proctree_lock, SX_XLOCKED); 740 PROC_LOCK_ASSERT(p, MA_OWNED); 741 p->p_flag |= P_TRACED; 742 if (stop) 743 p->p_flag2 |= P2_PTRACE_FSTP; 744 p->p_ptevents = PTRACE_DEFAULT; 745 } 746 747 void 748 ptrace_unsuspend(struct proc *p) 749 { 750 PROC_LOCK_ASSERT(p, MA_OWNED); 751 752 PROC_SLOCK(p); 753 p->p_flag &= ~(P_STOPPED_TRACE | P_STOPPED_SIG | P_WAITED); 754 thread_unsuspend(p); 755 PROC_SUNLOCK(p); 756 itimer_proc_continue(p); 757 kqtimer_proc_continue(p); 758 } 759 760 static int 761 proc_can_ptrace(struct thread *td, struct proc *p) 762 { 763 int error; 764 765 PROC_LOCK_ASSERT(p, MA_OWNED); 766 767 if ((p->p_flag & P_WEXIT) != 0) 768 return (ESRCH); 769 770 if ((error = p_cansee(td, p)) != 0) 771 return (error); 772 if ((error = p_candebug(td, p)) != 0) 773 return (error); 774 775 /* not being traced... */ 776 if ((p->p_flag & P_TRACED) == 0) 777 return (EPERM); 778 779 /* not being traced by YOU */ 780 if (p->p_pptr != td->td_proc) 781 return (EBUSY); 782 783 /* not currently stopped */ 784 if ((p->p_flag & P_STOPPED_TRACE) == 0 || 785 p->p_suspcount != p->p_numthreads || 786 (p->p_flag & P_WAITED) == 0) 787 return (EBUSY); 788 789 return (0); 790 } 791 792 static struct thread * 793 ptrace_sel_coredump_thread(struct proc *p) 794 { 795 struct thread *td2; 796 797 PROC_LOCK_ASSERT(p, MA_OWNED); 798 MPASS((p->p_flag & P_STOPPED_TRACE) != 0); 799 800 FOREACH_THREAD_IN_PROC(p, td2) { 801 if ((td2->td_dbgflags & TDB_SSWITCH) != 0) 802 return (td2); 803 } 804 return (NULL); 805 } 806 807 int 808 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) 809 { 810 struct iovec iov; 811 struct uio uio; 812 struct proc *curp, *p, *pp; 813 struct thread *td2 = NULL, *td3; 814 struct ptrace_io_desc *piod = NULL; 815 struct ptrace_lwpinfo *pl; 816 struct ptrace_sc_ret *psr; 817 struct file *fp; 818 struct ptrace_coredump *pc; 819 struct thr_coredump_req *tcq; 820 int error, num, tmp; 821 lwpid_t tid = 0, *buf; 822 #ifdef COMPAT_FREEBSD32 823 int wrap32 = 0, safe = 0; 824 #endif 825 bool proctree_locked, p2_req_set; 826 827 curp = td->td_proc; 828 proctree_locked = false; 829 p2_req_set = false; 830 831 /* Lock proctree before locking the process. */ 832 switch (req) { 833 case PT_TRACE_ME: 834 case PT_ATTACH: 835 case PT_STEP: 836 case PT_CONTINUE: 837 case PT_TO_SCE: 838 case PT_TO_SCX: 839 case PT_SYSCALL: 840 case PT_FOLLOW_FORK: 841 case PT_LWP_EVENTS: 842 case PT_GET_EVENT_MASK: 843 case PT_SET_EVENT_MASK: 844 case PT_DETACH: 845 case PT_GET_SC_ARGS: 846 sx_xlock(&proctree_lock); 847 proctree_locked = true; 848 break; 849 default: 850 break; 851 } 852 853 if (req == PT_TRACE_ME) { 854 p = td->td_proc; 855 PROC_LOCK(p); 856 } else { 857 if (pid <= PID_MAX) { 858 if ((p = pfind(pid)) == NULL) { 859 if (proctree_locked) 860 sx_xunlock(&proctree_lock); 861 return (ESRCH); 862 } 863 } else { 864 td2 = tdfind(pid, -1); 865 if (td2 == NULL) { 866 if (proctree_locked) 867 sx_xunlock(&proctree_lock); 868 return (ESRCH); 869 } 870 p = td2->td_proc; 871 tid = pid; 872 pid = p->p_pid; 873 } 874 } 875 AUDIT_ARG_PROCESS(p); 876 877 if ((p->p_flag & P_WEXIT) != 0) { 878 error = ESRCH; 879 goto fail; 880 } 881 if ((error = p_cansee(td, p)) != 0) 882 goto fail; 883 884 if ((error = p_candebug(td, p)) != 0) 885 goto fail; 886 887 /* 888 * System processes can't be debugged. 889 */ 890 if ((p->p_flag & P_SYSTEM) != 0) { 891 error = EINVAL; 892 goto fail; 893 } 894 895 if (tid == 0) { 896 if ((p->p_flag & P_STOPPED_TRACE) != 0) { 897 KASSERT(p->p_xthread != NULL, ("NULL p_xthread")); 898 td2 = p->p_xthread; 899 } else { 900 td2 = FIRST_THREAD_IN_PROC(p); 901 } 902 tid = td2->td_tid; 903 } 904 905 #ifdef COMPAT_FREEBSD32 906 /* 907 * Test if we're a 32 bit client and what the target is. 908 * Set the wrap controls accordingly. 909 */ 910 if (SV_CURPROC_FLAG(SV_ILP32)) { 911 if (SV_PROC_FLAG(td2->td_proc, SV_ILP32)) 912 safe = 1; 913 wrap32 = 1; 914 } 915 #endif 916 /* 917 * Permissions check 918 */ 919 switch (req) { 920 case PT_TRACE_ME: 921 /* 922 * Always legal, when there is a parent process which 923 * could trace us. Otherwise, reject. 924 */ 925 if ((p->p_flag & P_TRACED) != 0) { 926 error = EBUSY; 927 goto fail; 928 } 929 if (p->p_pptr == initproc) { 930 error = EPERM; 931 goto fail; 932 } 933 break; 934 935 case PT_ATTACH: 936 /* Self */ 937 if (p == td->td_proc) { 938 error = EINVAL; 939 goto fail; 940 } 941 942 /* Already traced */ 943 if (p->p_flag & P_TRACED) { 944 error = EBUSY; 945 goto fail; 946 } 947 948 /* Can't trace an ancestor if you're being traced. */ 949 if (curp->p_flag & P_TRACED) { 950 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) { 951 if (pp == p) { 952 error = EINVAL; 953 goto fail; 954 } 955 } 956 } 957 958 /* OK */ 959 break; 960 961 case PT_CLEARSTEP: 962 /* Allow thread to clear single step for itself */ 963 if (td->td_tid == tid) 964 break; 965 966 /* FALLTHROUGH */ 967 default: 968 /* 969 * Check for ptrace eligibility before waiting for 970 * holds to drain. 971 */ 972 error = proc_can_ptrace(td, p); 973 if (error != 0) 974 goto fail; 975 976 /* 977 * Block parallel ptrace requests. Most important, do 978 * not allow other thread in debugger to continue the 979 * debuggee until coredump finished. 980 */ 981 while ((p->p_flag2 & P2_PTRACEREQ) != 0) { 982 if (proctree_locked) 983 sx_xunlock(&proctree_lock); 984 error = msleep(&p->p_flag2, &p->p_mtx, PPAUSE | PCATCH | 985 (proctree_locked ? PDROP : 0), "pptrace", 0); 986 if (proctree_locked) { 987 sx_xlock(&proctree_lock); 988 PROC_LOCK(p); 989 } 990 if (error == 0 && td2->td_proc != p) 991 error = ESRCH; 992 if (error == 0) 993 error = proc_can_ptrace(td, p); 994 if (error != 0) 995 goto fail; 996 } 997 998 /* Ok */ 999 break; 1000 } 1001 1002 /* 1003 * Keep this process around and request parallel ptrace() 1004 * request to wait until we finish this request. 1005 */ 1006 MPASS((p->p_flag2 & P2_PTRACEREQ) == 0); 1007 p->p_flag2 |= P2_PTRACEREQ; 1008 p2_req_set = true; 1009 _PHOLD(p); 1010 1011 /* 1012 * Actually do the requests 1013 */ 1014 1015 td->td_retval[0] = 0; 1016 1017 switch (req) { 1018 case PT_TRACE_ME: 1019 /* set my trace flag and "owner" so it can read/write me */ 1020 proc_set_traced(p, false); 1021 if (p->p_flag & P_PPWAIT) 1022 p->p_flag |= P_PPTRACE; 1023 CTR1(KTR_PTRACE, "PT_TRACE_ME: pid %d", p->p_pid); 1024 break; 1025 1026 case PT_ATTACH: 1027 /* security check done above */ 1028 /* 1029 * It would be nice if the tracing relationship was separate 1030 * from the parent relationship but that would require 1031 * another set of links in the proc struct or for "wait" 1032 * to scan the entire proc table. To make life easier, 1033 * we just re-parent the process we're trying to trace. 1034 * The old parent is remembered so we can put things back 1035 * on a "detach". 1036 */ 1037 proc_set_traced(p, true); 1038 proc_reparent(p, td->td_proc, false); 1039 CTR2(KTR_PTRACE, "PT_ATTACH: pid %d, oppid %d", p->p_pid, 1040 p->p_oppid); 1041 1042 sx_xunlock(&proctree_lock); 1043 proctree_locked = false; 1044 MPASS(p->p_xthread == NULL); 1045 MPASS((p->p_flag & P_STOPPED_TRACE) == 0); 1046 1047 /* 1048 * If already stopped due to a stop signal, clear the 1049 * existing stop before triggering a traced SIGSTOP. 1050 */ 1051 if ((p->p_flag & P_STOPPED_SIG) != 0) { 1052 PROC_SLOCK(p); 1053 p->p_flag &= ~(P_STOPPED_SIG | P_WAITED); 1054 thread_unsuspend(p); 1055 PROC_SUNLOCK(p); 1056 } 1057 1058 kern_psignal(p, SIGSTOP); 1059 break; 1060 1061 case PT_CLEARSTEP: 1062 CTR2(KTR_PTRACE, "PT_CLEARSTEP: tid %d (pid %d)", td2->td_tid, 1063 p->p_pid); 1064 error = ptrace_clear_single_step(td2); 1065 break; 1066 1067 case PT_SETSTEP: 1068 CTR2(KTR_PTRACE, "PT_SETSTEP: tid %d (pid %d)", td2->td_tid, 1069 p->p_pid); 1070 error = ptrace_single_step(td2); 1071 break; 1072 1073 case PT_SUSPEND: 1074 CTR2(KTR_PTRACE, "PT_SUSPEND: tid %d (pid %d)", td2->td_tid, 1075 p->p_pid); 1076 td2->td_dbgflags |= TDB_SUSPEND; 1077 thread_lock(td2); 1078 td2->td_flags |= TDF_NEEDSUSPCHK; 1079 thread_unlock(td2); 1080 break; 1081 1082 case PT_RESUME: 1083 CTR2(KTR_PTRACE, "PT_RESUME: tid %d (pid %d)", td2->td_tid, 1084 p->p_pid); 1085 td2->td_dbgflags &= ~TDB_SUSPEND; 1086 break; 1087 1088 case PT_FOLLOW_FORK: 1089 CTR3(KTR_PTRACE, "PT_FOLLOW_FORK: pid %d %s -> %s", p->p_pid, 1090 p->p_ptevents & PTRACE_FORK ? "enabled" : "disabled", 1091 data ? "enabled" : "disabled"); 1092 if (data) 1093 p->p_ptevents |= PTRACE_FORK; 1094 else 1095 p->p_ptevents &= ~PTRACE_FORK; 1096 break; 1097 1098 case PT_LWP_EVENTS: 1099 CTR3(KTR_PTRACE, "PT_LWP_EVENTS: pid %d %s -> %s", p->p_pid, 1100 p->p_ptevents & PTRACE_LWP ? "enabled" : "disabled", 1101 data ? "enabled" : "disabled"); 1102 if (data) 1103 p->p_ptevents |= PTRACE_LWP; 1104 else 1105 p->p_ptevents &= ~PTRACE_LWP; 1106 break; 1107 1108 case PT_GET_EVENT_MASK: 1109 if (data != sizeof(p->p_ptevents)) { 1110 error = EINVAL; 1111 break; 1112 } 1113 CTR2(KTR_PTRACE, "PT_GET_EVENT_MASK: pid %d mask %#x", p->p_pid, 1114 p->p_ptevents); 1115 *(int *)addr = p->p_ptevents; 1116 break; 1117 1118 case PT_SET_EVENT_MASK: 1119 if (data != sizeof(p->p_ptevents)) { 1120 error = EINVAL; 1121 break; 1122 } 1123 tmp = *(int *)addr; 1124 if ((tmp & ~(PTRACE_EXEC | PTRACE_SCE | PTRACE_SCX | 1125 PTRACE_FORK | PTRACE_LWP | PTRACE_VFORK)) != 0) { 1126 error = EINVAL; 1127 break; 1128 } 1129 CTR3(KTR_PTRACE, "PT_SET_EVENT_MASK: pid %d mask %#x -> %#x", 1130 p->p_pid, p->p_ptevents, tmp); 1131 p->p_ptevents = tmp; 1132 break; 1133 1134 case PT_GET_SC_ARGS: 1135 CTR1(KTR_PTRACE, "PT_GET_SC_ARGS: pid %d", p->p_pid); 1136 if ((td2->td_dbgflags & (TDB_SCE | TDB_SCX)) == 0 1137 #ifdef COMPAT_FREEBSD32 1138 || (wrap32 && !safe) 1139 #endif 1140 ) { 1141 error = EINVAL; 1142 break; 1143 } 1144 bzero(addr, sizeof(td2->td_sa.args)); 1145 /* See the explanation in linux_ptrace_get_syscall_info(). */ 1146 bcopy(td2->td_sa.args, addr, SV_PROC_ABI(td->td_proc) == 1147 SV_ABI_LINUX ? sizeof(td2->td_sa.args) : 1148 td2->td_sa.callp->sy_narg * sizeof(register_t)); 1149 break; 1150 1151 case PT_GET_SC_RET: 1152 if ((td2->td_dbgflags & (TDB_SCX)) == 0 1153 #ifdef COMPAT_FREEBSD32 1154 || (wrap32 && !safe) 1155 #endif 1156 ) { 1157 error = EINVAL; 1158 break; 1159 } 1160 psr = addr; 1161 bzero(psr, sizeof(*psr)); 1162 psr->sr_error = td2->td_errno; 1163 if (psr->sr_error == 0) { 1164 psr->sr_retval[0] = td2->td_retval[0]; 1165 psr->sr_retval[1] = td2->td_retval[1]; 1166 } 1167 CTR4(KTR_PTRACE, 1168 "PT_GET_SC_RET: pid %d error %d retval %#lx,%#lx", 1169 p->p_pid, psr->sr_error, psr->sr_retval[0], 1170 psr->sr_retval[1]); 1171 break; 1172 1173 case PT_STEP: 1174 case PT_CONTINUE: 1175 case PT_TO_SCE: 1176 case PT_TO_SCX: 1177 case PT_SYSCALL: 1178 case PT_DETACH: 1179 /* Zero means do not send any signal */ 1180 if (data < 0 || data > _SIG_MAXSIG) { 1181 error = EINVAL; 1182 break; 1183 } 1184 1185 switch (req) { 1186 case PT_STEP: 1187 CTR3(KTR_PTRACE, "PT_STEP: tid %d (pid %d), sig = %d", 1188 td2->td_tid, p->p_pid, data); 1189 error = ptrace_single_step(td2); 1190 if (error) 1191 goto out; 1192 break; 1193 case PT_CONTINUE: 1194 case PT_TO_SCE: 1195 case PT_TO_SCX: 1196 case PT_SYSCALL: 1197 if (addr != (void *)1) { 1198 error = ptrace_set_pc(td2, 1199 (u_long)(uintfptr_t)addr); 1200 if (error) 1201 goto out; 1202 } 1203 switch (req) { 1204 case PT_TO_SCE: 1205 p->p_ptevents |= PTRACE_SCE; 1206 CTR4(KTR_PTRACE, 1207 "PT_TO_SCE: pid %d, events = %#x, PC = %#lx, sig = %d", 1208 p->p_pid, p->p_ptevents, 1209 (u_long)(uintfptr_t)addr, data); 1210 break; 1211 case PT_TO_SCX: 1212 p->p_ptevents |= PTRACE_SCX; 1213 CTR4(KTR_PTRACE, 1214 "PT_TO_SCX: pid %d, events = %#x, PC = %#lx, sig = %d", 1215 p->p_pid, p->p_ptevents, 1216 (u_long)(uintfptr_t)addr, data); 1217 break; 1218 case PT_SYSCALL: 1219 p->p_ptevents |= PTRACE_SYSCALL; 1220 CTR4(KTR_PTRACE, 1221 "PT_SYSCALL: pid %d, events = %#x, PC = %#lx, sig = %d", 1222 p->p_pid, p->p_ptevents, 1223 (u_long)(uintfptr_t)addr, data); 1224 break; 1225 case PT_CONTINUE: 1226 CTR3(KTR_PTRACE, 1227 "PT_CONTINUE: pid %d, PC = %#lx, sig = %d", 1228 p->p_pid, (u_long)(uintfptr_t)addr, data); 1229 break; 1230 } 1231 break; 1232 case PT_DETACH: 1233 /* 1234 * Clear P_TRACED before reparenting 1235 * a detached process back to its original 1236 * parent. Otherwise the debugee will be set 1237 * as an orphan of the debugger. 1238 */ 1239 p->p_flag &= ~(P_TRACED | P_WAITED); 1240 1241 /* 1242 * Reset the process parent. 1243 */ 1244 if (p->p_oppid != p->p_pptr->p_pid) { 1245 PROC_LOCK(p->p_pptr); 1246 sigqueue_take(p->p_ksi); 1247 PROC_UNLOCK(p->p_pptr); 1248 1249 pp = proc_realparent(p); 1250 proc_reparent(p, pp, false); 1251 if (pp == initproc) 1252 p->p_sigparent = SIGCHLD; 1253 CTR3(KTR_PTRACE, 1254 "PT_DETACH: pid %d reparented to pid %d, sig %d", 1255 p->p_pid, pp->p_pid, data); 1256 } else { 1257 CTR2(KTR_PTRACE, "PT_DETACH: pid %d, sig %d", 1258 p->p_pid, data); 1259 } 1260 1261 p->p_ptevents = 0; 1262 FOREACH_THREAD_IN_PROC(p, td3) { 1263 if ((td3->td_dbgflags & TDB_FSTP) != 0) { 1264 sigqueue_delete(&td3->td_sigqueue, 1265 SIGSTOP); 1266 } 1267 td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP | 1268 TDB_SUSPEND); 1269 } 1270 1271 if ((p->p_flag2 & P2_PTRACE_FSTP) != 0) { 1272 sigqueue_delete(&p->p_sigqueue, SIGSTOP); 1273 p->p_flag2 &= ~P2_PTRACE_FSTP; 1274 } 1275 1276 /* should we send SIGCHLD? */ 1277 /* childproc_continued(p); */ 1278 break; 1279 } 1280 1281 sx_xunlock(&proctree_lock); 1282 proctree_locked = false; 1283 1284 sendsig: 1285 MPASS(!proctree_locked); 1286 1287 /* 1288 * Clear the pending event for the thread that just 1289 * reported its event (p_xthread). This may not be 1290 * the thread passed to PT_CONTINUE, PT_STEP, etc. if 1291 * the debugger is resuming a different thread. 1292 * 1293 * Deliver any pending signal via the reporting thread. 1294 */ 1295 MPASS(p->p_xthread != NULL); 1296 p->p_xthread->td_dbgflags &= ~TDB_XSIG; 1297 p->p_xthread->td_xsig = data; 1298 p->p_xthread = NULL; 1299 p->p_xsig = data; 1300 1301 /* 1302 * P_WKILLED is insurance that a PT_KILL/SIGKILL 1303 * always works immediately, even if another thread is 1304 * unsuspended first and attempts to handle a 1305 * different signal or if the POSIX.1b style signal 1306 * queue cannot accommodate any new signals. 1307 */ 1308 if (data == SIGKILL) 1309 proc_wkilled(p); 1310 1311 /* 1312 * Unsuspend all threads. To leave a thread 1313 * suspended, use PT_SUSPEND to suspend it before 1314 * continuing the process. 1315 */ 1316 ptrace_unsuspend(p); 1317 break; 1318 1319 case PT_WRITE_I: 1320 case PT_WRITE_D: 1321 td2->td_dbgflags |= TDB_USERWR; 1322 PROC_UNLOCK(p); 1323 error = 0; 1324 if (proc_writemem(td, p, (off_t)(uintptr_t)addr, &data, 1325 sizeof(int)) != sizeof(int)) 1326 error = ENOMEM; 1327 else 1328 CTR3(KTR_PTRACE, "PT_WRITE: pid %d: %p <= %#x", 1329 p->p_pid, addr, data); 1330 PROC_LOCK(p); 1331 break; 1332 1333 case PT_READ_I: 1334 case PT_READ_D: 1335 PROC_UNLOCK(p); 1336 error = tmp = 0; 1337 if (proc_readmem(td, p, (off_t)(uintptr_t)addr, &tmp, 1338 sizeof(int)) != sizeof(int)) 1339 error = ENOMEM; 1340 else 1341 CTR3(KTR_PTRACE, "PT_READ: pid %d: %p >= %#x", 1342 p->p_pid, addr, tmp); 1343 td->td_retval[0] = tmp; 1344 PROC_LOCK(p); 1345 break; 1346 1347 case PT_IO: 1348 piod = addr; 1349 iov.iov_base = piod->piod_addr; 1350 iov.iov_len = piod->piod_len; 1351 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs; 1352 uio.uio_resid = piod->piod_len; 1353 uio.uio_iov = &iov; 1354 uio.uio_iovcnt = 1; 1355 uio.uio_segflg = UIO_USERSPACE; 1356 uio.uio_td = td; 1357 switch (piod->piod_op) { 1358 case PIOD_READ_D: 1359 case PIOD_READ_I: 1360 CTR3(KTR_PTRACE, "PT_IO: pid %d: READ (%p, %#x)", 1361 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1362 uio.uio_rw = UIO_READ; 1363 break; 1364 case PIOD_WRITE_D: 1365 case PIOD_WRITE_I: 1366 CTR3(KTR_PTRACE, "PT_IO: pid %d: WRITE (%p, %#x)", 1367 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1368 td2->td_dbgflags |= TDB_USERWR; 1369 uio.uio_rw = UIO_WRITE; 1370 break; 1371 default: 1372 error = EINVAL; 1373 goto out; 1374 } 1375 PROC_UNLOCK(p); 1376 error = proc_rwmem(p, &uio); 1377 piod->piod_len -= uio.uio_resid; 1378 PROC_LOCK(p); 1379 break; 1380 1381 case PT_KILL: 1382 CTR1(KTR_PTRACE, "PT_KILL: pid %d", p->p_pid); 1383 data = SIGKILL; 1384 goto sendsig; /* in PT_CONTINUE above */ 1385 1386 case PT_SETREGS: 1387 CTR2(KTR_PTRACE, "PT_SETREGS: tid %d (pid %d)", td2->td_tid, 1388 p->p_pid); 1389 td2->td_dbgflags |= TDB_USERWR; 1390 error = PROC_WRITE(regs, td2, addr); 1391 break; 1392 1393 case PT_GETREGS: 1394 CTR2(KTR_PTRACE, "PT_GETREGS: tid %d (pid %d)", td2->td_tid, 1395 p->p_pid); 1396 error = PROC_READ(regs, td2, addr); 1397 break; 1398 1399 case PT_SETFPREGS: 1400 CTR2(KTR_PTRACE, "PT_SETFPREGS: tid %d (pid %d)", td2->td_tid, 1401 p->p_pid); 1402 td2->td_dbgflags |= TDB_USERWR; 1403 error = PROC_WRITE(fpregs, td2, addr); 1404 break; 1405 1406 case PT_GETFPREGS: 1407 CTR2(KTR_PTRACE, "PT_GETFPREGS: tid %d (pid %d)", td2->td_tid, 1408 p->p_pid); 1409 error = PROC_READ(fpregs, td2, addr); 1410 break; 1411 1412 case PT_SETDBREGS: 1413 CTR2(KTR_PTRACE, "PT_SETDBREGS: tid %d (pid %d)", td2->td_tid, 1414 p->p_pid); 1415 td2->td_dbgflags |= TDB_USERWR; 1416 error = PROC_WRITE(dbregs, td2, addr); 1417 break; 1418 1419 case PT_GETDBREGS: 1420 CTR2(KTR_PTRACE, "PT_GETDBREGS: tid %d (pid %d)", td2->td_tid, 1421 p->p_pid); 1422 error = PROC_READ(dbregs, td2, addr); 1423 break; 1424 1425 case PT_SETREGSET: 1426 CTR2(KTR_PTRACE, "PT_SETREGSET: tid %d (pid %d)", td2->td_tid, 1427 p->p_pid); 1428 error = proc_write_regset(td2, data, addr); 1429 break; 1430 1431 case PT_GETREGSET: 1432 CTR2(KTR_PTRACE, "PT_GETREGSET: tid %d (pid %d)", td2->td_tid, 1433 p->p_pid); 1434 error = proc_read_regset(td2, data, addr); 1435 break; 1436 1437 case PT_LWPINFO: 1438 if (data <= 0 || data > sizeof(*pl)) { 1439 error = EINVAL; 1440 break; 1441 } 1442 pl = addr; 1443 bzero(pl, sizeof(*pl)); 1444 pl->pl_lwpid = td2->td_tid; 1445 pl->pl_event = PL_EVENT_NONE; 1446 pl->pl_flags = 0; 1447 if (td2->td_dbgflags & TDB_XSIG) { 1448 pl->pl_event = PL_EVENT_SIGNAL; 1449 if (td2->td_si.si_signo != 0 && 1450 data >= offsetof(struct ptrace_lwpinfo, pl_siginfo) 1451 + sizeof(pl->pl_siginfo)){ 1452 pl->pl_flags |= PL_FLAG_SI; 1453 pl->pl_siginfo = td2->td_si; 1454 } 1455 } 1456 if (td2->td_dbgflags & TDB_SCE) 1457 pl->pl_flags |= PL_FLAG_SCE; 1458 else if (td2->td_dbgflags & TDB_SCX) 1459 pl->pl_flags |= PL_FLAG_SCX; 1460 if (td2->td_dbgflags & TDB_EXEC) 1461 pl->pl_flags |= PL_FLAG_EXEC; 1462 if (td2->td_dbgflags & TDB_FORK) { 1463 pl->pl_flags |= PL_FLAG_FORKED; 1464 pl->pl_child_pid = td2->td_dbg_forked; 1465 if (td2->td_dbgflags & TDB_VFORK) 1466 pl->pl_flags |= PL_FLAG_VFORKED; 1467 } else if ((td2->td_dbgflags & (TDB_SCX | TDB_VFORK)) == 1468 TDB_VFORK) 1469 pl->pl_flags |= PL_FLAG_VFORK_DONE; 1470 if (td2->td_dbgflags & TDB_CHILD) 1471 pl->pl_flags |= PL_FLAG_CHILD; 1472 if (td2->td_dbgflags & TDB_BORN) 1473 pl->pl_flags |= PL_FLAG_BORN; 1474 if (td2->td_dbgflags & TDB_EXIT) 1475 pl->pl_flags |= PL_FLAG_EXITED; 1476 pl->pl_sigmask = td2->td_sigmask; 1477 pl->pl_siglist = td2->td_siglist; 1478 strcpy(pl->pl_tdname, td2->td_name); 1479 if ((td2->td_dbgflags & (TDB_SCE | TDB_SCX)) != 0) { 1480 pl->pl_syscall_code = td2->td_sa.code; 1481 pl->pl_syscall_narg = td2->td_sa.callp->sy_narg; 1482 } else { 1483 pl->pl_syscall_code = 0; 1484 pl->pl_syscall_narg = 0; 1485 } 1486 CTR6(KTR_PTRACE, 1487 "PT_LWPINFO: tid %d (pid %d) event %d flags %#x child pid %d syscall %d", 1488 td2->td_tid, p->p_pid, pl->pl_event, pl->pl_flags, 1489 pl->pl_child_pid, pl->pl_syscall_code); 1490 break; 1491 1492 case PT_GETNUMLWPS: 1493 CTR2(KTR_PTRACE, "PT_GETNUMLWPS: pid %d: %d threads", p->p_pid, 1494 p->p_numthreads); 1495 td->td_retval[0] = p->p_numthreads; 1496 break; 1497 1498 case PT_GETLWPLIST: 1499 CTR3(KTR_PTRACE, "PT_GETLWPLIST: pid %d: data %d, actual %d", 1500 p->p_pid, data, p->p_numthreads); 1501 if (data <= 0) { 1502 error = EINVAL; 1503 break; 1504 } 1505 num = imin(p->p_numthreads, data); 1506 PROC_UNLOCK(p); 1507 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK); 1508 tmp = 0; 1509 PROC_LOCK(p); 1510 FOREACH_THREAD_IN_PROC(p, td2) { 1511 if (tmp >= num) 1512 break; 1513 buf[tmp++] = td2->td_tid; 1514 } 1515 PROC_UNLOCK(p); 1516 error = copyout(buf, addr, tmp * sizeof(lwpid_t)); 1517 free(buf, M_TEMP); 1518 if (!error) 1519 td->td_retval[0] = tmp; 1520 PROC_LOCK(p); 1521 break; 1522 1523 case PT_VM_TIMESTAMP: 1524 CTR2(KTR_PTRACE, "PT_VM_TIMESTAMP: pid %d: timestamp %d", 1525 p->p_pid, p->p_vmspace->vm_map.timestamp); 1526 td->td_retval[0] = p->p_vmspace->vm_map.timestamp; 1527 break; 1528 1529 case PT_VM_ENTRY: 1530 PROC_UNLOCK(p); 1531 error = ptrace_vm_entry(td, p, addr); 1532 PROC_LOCK(p); 1533 break; 1534 1535 case PT_COREDUMP: 1536 pc = addr; 1537 CTR2(KTR_PTRACE, "PT_COREDUMP: pid %d, fd %d", 1538 p->p_pid, pc->pc_fd); 1539 1540 if ((pc->pc_flags & ~(PC_COMPRESS | PC_ALL)) != 0) { 1541 error = EINVAL; 1542 break; 1543 } 1544 PROC_UNLOCK(p); 1545 1546 tcq = malloc(sizeof(*tcq), M_TEMP, M_WAITOK | M_ZERO); 1547 fp = NULL; 1548 error = fget_write(td, pc->pc_fd, &cap_write_rights, &fp); 1549 if (error != 0) 1550 goto coredump_cleanup_nofp; 1551 if (fp->f_type != DTYPE_VNODE || fp->f_vnode->v_type != VREG) { 1552 error = EPIPE; 1553 goto coredump_cleanup; 1554 } 1555 1556 PROC_LOCK(p); 1557 error = proc_can_ptrace(td, p); 1558 if (error != 0) 1559 goto coredump_cleanup_locked; 1560 1561 td2 = ptrace_sel_coredump_thread(p); 1562 if (td2 == NULL) { 1563 error = EBUSY; 1564 goto coredump_cleanup_locked; 1565 } 1566 KASSERT((td2->td_dbgflags & TDB_COREDUMPRQ) == 0, 1567 ("proc %d tid %d req coredump", p->p_pid, td2->td_tid)); 1568 1569 tcq->tc_vp = fp->f_vnode; 1570 tcq->tc_limit = pc->pc_limit == 0 ? OFF_MAX : pc->pc_limit; 1571 tcq->tc_flags = SVC_PT_COREDUMP; 1572 if ((pc->pc_flags & PC_COMPRESS) == 0) 1573 tcq->tc_flags |= SVC_NOCOMPRESS; 1574 if ((pc->pc_flags & PC_ALL) != 0) 1575 tcq->tc_flags |= SVC_ALL; 1576 td2->td_coredump = tcq; 1577 td2->td_dbgflags |= TDB_COREDUMPRQ; 1578 thread_run_flash(td2); 1579 while ((td2->td_dbgflags & TDB_COREDUMPRQ) != 0) 1580 msleep(p, &p->p_mtx, PPAUSE, "crdmp", 0); 1581 error = tcq->tc_error; 1582 coredump_cleanup_locked: 1583 PROC_UNLOCK(p); 1584 coredump_cleanup: 1585 fdrop(fp, td); 1586 coredump_cleanup_nofp: 1587 free(tcq, M_TEMP); 1588 PROC_LOCK(p); 1589 break; 1590 1591 default: 1592 #ifdef __HAVE_PTRACE_MACHDEP 1593 if (req >= PT_FIRSTMACH) { 1594 PROC_UNLOCK(p); 1595 error = cpu_ptrace(td2, req, addr, data); 1596 PROC_LOCK(p); 1597 } else 1598 #endif 1599 /* Unknown request. */ 1600 error = EINVAL; 1601 break; 1602 } 1603 out: 1604 /* Drop our hold on this process now that the request has completed. */ 1605 _PRELE(p); 1606 fail: 1607 if (p2_req_set) { 1608 if ((p->p_flag2 & P2_PTRACEREQ) != 0) 1609 wakeup(&p->p_flag2); 1610 p->p_flag2 &= ~P2_PTRACEREQ; 1611 } 1612 PROC_UNLOCK(p); 1613 if (proctree_locked) 1614 sx_xunlock(&proctree_lock); 1615 return (error); 1616 } 1617 #undef PROC_READ 1618 #undef PROC_WRITE 1619