1 /*- 2 * SPDX-License-Identifier: BSD-4-Clause 3 * 4 * Copyright (c) 1994, Sean Eric Fagan 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Sean Eric Fagan. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/ktr.h> 37 #include <sys/limits.h> 38 #include <sys/lock.h> 39 #include <sys/mman.h> 40 #include <sys/mutex.h> 41 #include <sys/reg.h> 42 #include <sys/sleepqueue.h> 43 #include <sys/syscallsubr.h> 44 #include <sys/sysent.h> 45 #include <sys/sysproto.h> 46 #include <sys/priv.h> 47 #include <sys/proc.h> 48 #include <sys/vnode.h> 49 #include <sys/ptrace.h> 50 #include <sys/rwlock.h> 51 #include <sys/sx.h> 52 #include <sys/malloc.h> 53 #include <sys/signalvar.h> 54 #include <sys/caprights.h> 55 #include <sys/filedesc.h> 56 57 #include <security/audit/audit.h> 58 59 #include <vm/vm.h> 60 #include <vm/pmap.h> 61 #include <vm/vm_extern.h> 62 #include <vm/vm_map.h> 63 #include <vm/vm_kern.h> 64 #include <vm/vm_object.h> 65 #include <vm/vm_page.h> 66 #include <vm/vm_param.h> 67 68 #ifdef COMPAT_FREEBSD32 69 #include <sys/procfs.h> 70 #endif 71 72 /* Assert it's safe to unlock a process, e.g. to allocate working memory */ 73 #define PROC_ASSERT_TRACEREQ(p) MPASS(((p)->p_flag2 & P2_PTRACEREQ) != 0) 74 75 #define PROC_PRIV_CHECK(priv) do { \ 76 int _error; \ 77 _error = priv_check(curthread, priv); \ 78 if (_error) \ 79 return (_error); \ 80 } while (0) 81 82 /* 83 * Functions implemented below: 84 * 85 * proc_read_regs(proc, regs) 86 * Get the current user-visible register set from the process 87 * and copy it into the regs structure (<machine/reg.h>). 88 * The process is stopped at the time read_regs is called. 89 * 90 * proc_write_regs(proc, regs) 91 * Update the current register set from the passed in regs 92 * structure. Take care to avoid clobbering special CPU 93 * registers or privileged bits in the PSL. 94 * Depending on the architecture this may have fix-up work to do, 95 * especially if the IAR or PCW are modified. 96 * The process is stopped at the time write_regs is called. 97 * 98 * proc_read_fpregs, proc_write_fpregs 99 * deal with the floating point register set, otherwise as above. 100 * 101 * proc_read_dbregs, proc_write_dbregs 102 * deal with the processor debug register set, otherwise as above. 103 * 104 * proc_sstep(proc) 105 * Arrange for the process to trap after executing a single instruction. 106 */ 107 108 int 109 proc_read_regs(struct thread *td, struct reg *regs) 110 { 111 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 112 return (fill_regs(td, regs)); 113 } 114 115 int 116 proc_write_regs(struct thread *td, struct reg *regs) 117 { 118 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 119 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 120 return (set_regs(td, regs)); 121 } 122 123 int 124 proc_read_dbregs(struct thread *td, struct dbreg *dbregs) 125 { 126 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 127 return (fill_dbregs(td, dbregs)); 128 } 129 130 int 131 proc_write_dbregs(struct thread *td, struct dbreg *dbregs) 132 { 133 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 134 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 135 return (set_dbregs(td, dbregs)); 136 } 137 138 /* 139 * Ptrace doesn't support fpregs at all, and there are no security holes 140 * or translations for fpregs, so we can just copy them. 141 */ 142 int 143 proc_read_fpregs(struct thread *td, struct fpreg *fpregs) 144 { 145 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 146 return (fill_fpregs(td, fpregs)); 147 } 148 149 int 150 proc_write_fpregs(struct thread *td, struct fpreg *fpregs) 151 { 152 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 153 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 154 return (set_fpregs(td, fpregs)); 155 } 156 157 static struct regset * 158 proc_find_regset(struct thread *td, int note) 159 { 160 struct regset **regsetp, **regset_end, *regset; 161 struct sysentvec *sv; 162 163 sv = td->td_proc->p_sysent; 164 regsetp = sv->sv_regset_begin; 165 if (regsetp == NULL) 166 return (NULL); 167 regset_end = sv->sv_regset_end; 168 MPASS(regset_end != NULL); 169 for (; regsetp < regset_end; regsetp++) { 170 regset = *regsetp; 171 if (regset->note != note) 172 continue; 173 174 return (regset); 175 } 176 177 return (NULL); 178 } 179 180 static int 181 proc_read_regset(struct thread *td, int note, struct iovec *iov) 182 { 183 struct regset *regset; 184 struct proc *p; 185 void *buf; 186 size_t size; 187 int error; 188 189 regset = proc_find_regset(td, note); 190 if (regset == NULL) 191 return (EINVAL); 192 193 if (regset->get == NULL) 194 return (EINVAL); 195 196 size = regset->size; 197 /* 198 * The regset is dynamically sized, e.g. the size could change 199 * depending on the hardware, or may have a per-thread size. 200 */ 201 if (size == 0) { 202 if (!regset->get(regset, td, NULL, &size)) 203 return (EINVAL); 204 } 205 206 if (iov->iov_base == NULL) { 207 iov->iov_len = size; 208 if (iov->iov_len == 0) 209 return (EINVAL); 210 211 return (0); 212 } 213 214 /* The length is wrong, return an error */ 215 if (iov->iov_len != size) 216 return (EINVAL); 217 218 error = 0; 219 p = td->td_proc; 220 221 /* Drop the proc lock while allocating the temp buffer */ 222 PROC_ASSERT_TRACEREQ(p); 223 PROC_UNLOCK(p); 224 buf = malloc(size, M_TEMP, M_WAITOK); 225 PROC_LOCK(p); 226 227 if (!regset->get(regset, td, buf, &size)) { 228 error = EINVAL; 229 } else { 230 KASSERT(size == regset->size || regset->size == 0, 231 ("%s: Getter function changed the size", __func__)); 232 233 iov->iov_len = size; 234 PROC_UNLOCK(p); 235 error = copyout(buf, iov->iov_base, size); 236 PROC_LOCK(p); 237 } 238 239 free(buf, M_TEMP); 240 241 return (error); 242 } 243 244 static int 245 proc_write_regset(struct thread *td, int note, struct iovec *iov) 246 { 247 struct regset *regset; 248 struct proc *p; 249 void *buf; 250 size_t size; 251 int error; 252 253 regset = proc_find_regset(td, note); 254 if (regset == NULL) 255 return (EINVAL); 256 257 size = regset->size; 258 /* 259 * The regset is dynamically sized, e.g. the size could change 260 * depending on the hardware, or may have a per-thread size. 261 */ 262 if (size == 0) { 263 if (!regset->get(regset, td, NULL, &size)) 264 return (EINVAL); 265 } 266 267 /* The length is wrong, return an error */ 268 if (iov->iov_len != size) 269 return (EINVAL); 270 271 if (regset->set == NULL) 272 return (EINVAL); 273 274 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 275 276 p = td->td_proc; 277 278 /* Drop the proc lock while allocating the temp buffer */ 279 PROC_ASSERT_TRACEREQ(p); 280 PROC_UNLOCK(p); 281 buf = malloc(size, M_TEMP, M_WAITOK); 282 error = copyin(iov->iov_base, buf, size); 283 PROC_LOCK(p); 284 285 if (error == 0) { 286 if (!regset->set(regset, td, buf, size)) { 287 error = EINVAL; 288 } 289 } 290 291 free(buf, M_TEMP); 292 293 return (error); 294 } 295 296 #ifdef COMPAT_FREEBSD32 297 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */ 298 int 299 proc_read_regs32(struct thread *td, struct reg32 *regs32) 300 { 301 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 302 return (fill_regs32(td, regs32)); 303 } 304 305 int 306 proc_write_regs32(struct thread *td, struct reg32 *regs32) 307 { 308 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 309 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 310 return (set_regs32(td, regs32)); 311 } 312 313 int 314 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 315 { 316 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 317 return (fill_dbregs32(td, dbregs32)); 318 } 319 320 int 321 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 322 { 323 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 324 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 325 return (set_dbregs32(td, dbregs32)); 326 } 327 328 int 329 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 330 { 331 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 332 return (fill_fpregs32(td, fpregs32)); 333 } 334 335 int 336 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 337 { 338 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 339 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 340 return (set_fpregs32(td, fpregs32)); 341 } 342 #endif 343 344 int 345 proc_sstep(struct thread *td) 346 { 347 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); 348 return (ptrace_single_step(td)); 349 } 350 351 int 352 proc_rwmem(struct proc *p, struct uio *uio) 353 { 354 vm_map_t map; 355 vm_offset_t pageno; /* page number */ 356 vm_prot_t reqprot; 357 int error, fault_flags, page_offset, writing; 358 359 /* 360 * Make sure that the process' vmspace remains live. 361 */ 362 if (p != curproc) 363 PROC_ASSERT_HELD(p); 364 PROC_LOCK_ASSERT(p, MA_NOTOWNED); 365 366 /* 367 * The map we want... 368 */ 369 map = &p->p_vmspace->vm_map; 370 371 /* 372 * If we are writing, then we request vm_fault() to create a private 373 * copy of each page. Since these copies will not be writeable by the 374 * process, we must explicitly request that they be dirtied. 375 */ 376 writing = uio->uio_rw == UIO_WRITE; 377 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ; 378 fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL; 379 380 if (writing) { 381 PROC_PRIV_CHECK(PRIV_PROC_MEM_WRITE); 382 } 383 384 /* 385 * Only map in one page at a time. We don't have to, but it 386 * makes things easier. This way is trivial - right? 387 */ 388 do { 389 vm_offset_t uva; 390 u_int len; 391 vm_page_t m; 392 393 uva = (vm_offset_t)uio->uio_offset; 394 395 /* 396 * Get the page number of this segment. 397 */ 398 pageno = trunc_page(uva); 399 page_offset = uva - pageno; 400 401 /* 402 * How many bytes to copy 403 */ 404 len = MIN(PAGE_SIZE - page_offset, uio->uio_resid); 405 406 /* 407 * Fault and hold the page on behalf of the process. 408 */ 409 error = vm_fault(map, pageno, reqprot, fault_flags, &m); 410 if (error != KERN_SUCCESS) { 411 if (error == KERN_RESOURCE_SHORTAGE) 412 error = ENOMEM; 413 else 414 error = EFAULT; 415 break; 416 } 417 418 /* 419 * Now do the i/o move. 420 */ 421 error = uiomove_fromphys(&m, page_offset, len, uio); 422 423 /* Make the I-cache coherent for breakpoints. */ 424 if (writing && error == 0) { 425 vm_map_lock_read(map); 426 if (vm_map_check_protection(map, pageno, pageno + 427 PAGE_SIZE, VM_PROT_EXECUTE)) 428 vm_sync_icache(map, uva, len); 429 vm_map_unlock_read(map); 430 } 431 432 /* 433 * Release the page. 434 */ 435 vm_page_unwire(m, PQ_ACTIVE); 436 437 } while (error == 0 && uio->uio_resid > 0); 438 439 return (error); 440 } 441 442 static ssize_t 443 proc_iop(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 444 size_t len, enum uio_rw rw) 445 { 446 struct iovec iov; 447 struct uio uio; 448 ssize_t slen; 449 450 MPASS(len < SSIZE_MAX); 451 slen = (ssize_t)len; 452 453 iov.iov_base = (caddr_t)buf; 454 iov.iov_len = len; 455 uio.uio_iov = &iov; 456 uio.uio_iovcnt = 1; 457 uio.uio_offset = va; 458 uio.uio_resid = slen; 459 uio.uio_segflg = UIO_SYSSPACE; 460 uio.uio_rw = rw; 461 uio.uio_td = td; 462 proc_rwmem(p, &uio); 463 if (uio.uio_resid == slen) 464 return (-1); 465 return (slen - uio.uio_resid); 466 } 467 468 ssize_t 469 proc_readmem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 470 size_t len) 471 { 472 473 return (proc_iop(td, p, va, buf, len, UIO_READ)); 474 } 475 476 ssize_t 477 proc_writemem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 478 size_t len) 479 { 480 481 return (proc_iop(td, p, va, buf, len, UIO_WRITE)); 482 } 483 484 static int 485 ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve) 486 { 487 struct vattr vattr; 488 vm_map_t map; 489 vm_map_entry_t entry; 490 vm_object_t obj, tobj, lobj; 491 struct vmspace *vm; 492 struct vnode *vp; 493 char *freepath, *fullpath; 494 u_int pathlen; 495 int error, index; 496 497 error = 0; 498 obj = NULL; 499 500 vm = vmspace_acquire_ref(p); 501 map = &vm->vm_map; 502 vm_map_lock_read(map); 503 504 do { 505 KASSERT((map->header.eflags & MAP_ENTRY_IS_SUB_MAP) == 0, 506 ("Submap in map header")); 507 index = 0; 508 VM_MAP_ENTRY_FOREACH(entry, map) { 509 if (index >= pve->pve_entry && 510 (entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0) 511 break; 512 index++; 513 } 514 if (index < pve->pve_entry) { 515 error = EINVAL; 516 break; 517 } 518 if (entry == &map->header) { 519 error = ENOENT; 520 break; 521 } 522 523 /* We got an entry. */ 524 pve->pve_entry = index + 1; 525 pve->pve_timestamp = map->timestamp; 526 pve->pve_start = entry->start; 527 pve->pve_end = entry->end - 1; 528 pve->pve_offset = entry->offset; 529 pve->pve_prot = entry->protection | 530 PROT_MAX(entry->max_protection); 531 532 /* Backing object's path needed? */ 533 if (pve->pve_pathlen == 0) 534 break; 535 536 pathlen = pve->pve_pathlen; 537 pve->pve_pathlen = 0; 538 539 obj = entry->object.vm_object; 540 if (obj != NULL) 541 VM_OBJECT_RLOCK(obj); 542 } while (0); 543 544 vm_map_unlock_read(map); 545 546 pve->pve_fsid = VNOVAL; 547 pve->pve_fileid = VNOVAL; 548 549 if (error == 0 && obj != NULL) { 550 lobj = obj; 551 for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { 552 if (tobj != obj) 553 VM_OBJECT_RLOCK(tobj); 554 if (lobj != obj) 555 VM_OBJECT_RUNLOCK(lobj); 556 lobj = tobj; 557 pve->pve_offset += tobj->backing_object_offset; 558 } 559 vp = vm_object_vnode(lobj); 560 if (vp != NULL) 561 vref(vp); 562 if (lobj != obj) 563 VM_OBJECT_RUNLOCK(lobj); 564 VM_OBJECT_RUNLOCK(obj); 565 566 if (vp != NULL) { 567 freepath = NULL; 568 fullpath = NULL; 569 vn_fullpath(vp, &fullpath, &freepath); 570 vn_lock(vp, LK_SHARED | LK_RETRY); 571 if (VOP_GETATTR(vp, &vattr, td->td_ucred) == 0) { 572 pve->pve_fileid = vattr.va_fileid; 573 pve->pve_fsid = vattr.va_fsid; 574 } 575 vput(vp); 576 577 if (fullpath != NULL) { 578 pve->pve_pathlen = strlen(fullpath) + 1; 579 if (pve->pve_pathlen <= pathlen) { 580 error = copyout(fullpath, pve->pve_path, 581 pve->pve_pathlen); 582 } else 583 error = ENAMETOOLONG; 584 } 585 if (freepath != NULL) 586 free(freepath, M_TEMP); 587 } 588 } 589 vmspace_free(vm); 590 if (error == 0) 591 CTR3(KTR_PTRACE, "PT_VM_ENTRY: pid %d, entry %d, start %p", 592 p->p_pid, pve->pve_entry, pve->pve_start); 593 594 return (error); 595 } 596 597 /* 598 * Process debugging system call. 599 */ 600 #ifndef _SYS_SYSPROTO_H_ 601 struct ptrace_args { 602 int req; 603 pid_t pid; 604 caddr_t addr; 605 int data; 606 }; 607 #endif 608 609 int 610 sys_ptrace(struct thread *td, struct ptrace_args *uap) 611 { 612 /* 613 * XXX this obfuscation is to reduce stack usage, but the register 614 * structs may be too large to put on the stack anyway. 615 */ 616 union { 617 struct ptrace_io_desc piod; 618 struct ptrace_lwpinfo pl; 619 struct ptrace_vm_entry pve; 620 struct ptrace_coredump pc; 621 struct ptrace_sc_remote sr; 622 struct dbreg dbreg; 623 struct fpreg fpreg; 624 struct reg reg; 625 struct iovec vec; 626 syscallarg_t args[nitems(td->td_sa.args)]; 627 struct ptrace_sc_ret psr; 628 int ptevents; 629 } r; 630 syscallarg_t pscr_args[nitems(td->td_sa.args)]; 631 void *addr; 632 int error; 633 634 if (!allow_ptrace) 635 return (ENOSYS); 636 error = 0; 637 638 AUDIT_ARG_PID(uap->pid); 639 AUDIT_ARG_CMD(uap->req); 640 AUDIT_ARG_VALUE(uap->data); 641 addr = &r; 642 switch (uap->req) { 643 case PT_GET_EVENT_MASK: 644 case PT_LWPINFO: 645 case PT_GET_SC_ARGS: 646 case PT_GET_SC_RET: 647 break; 648 case PT_GETREGS: 649 bzero(&r.reg, sizeof(r.reg)); 650 break; 651 case PT_GETFPREGS: 652 bzero(&r.fpreg, sizeof(r.fpreg)); 653 break; 654 case PT_GETDBREGS: 655 bzero(&r.dbreg, sizeof(r.dbreg)); 656 break; 657 case PT_GETREGSET: 658 case PT_SETREGSET: 659 error = copyin(uap->addr, &r.vec, sizeof(r.vec)); 660 break; 661 case PT_SETREGS: 662 error = copyin(uap->addr, &r.reg, sizeof(r.reg)); 663 break; 664 case PT_SETFPREGS: 665 error = copyin(uap->addr, &r.fpreg, sizeof(r.fpreg)); 666 break; 667 case PT_SETDBREGS: 668 error = copyin(uap->addr, &r.dbreg, sizeof(r.dbreg)); 669 break; 670 case PT_SET_EVENT_MASK: 671 if (uap->data != sizeof(r.ptevents)) 672 error = EINVAL; 673 else 674 error = copyin(uap->addr, &r.ptevents, uap->data); 675 break; 676 case PT_IO: 677 error = copyin(uap->addr, &r.piod, sizeof(r.piod)); 678 break; 679 case PT_VM_ENTRY: 680 error = copyin(uap->addr, &r.pve, sizeof(r.pve)); 681 break; 682 case PT_COREDUMP: 683 if (uap->data != sizeof(r.pc)) 684 error = EINVAL; 685 else 686 error = copyin(uap->addr, &r.pc, uap->data); 687 break; 688 case PT_SC_REMOTE: 689 if (uap->data != sizeof(r.sr)) { 690 error = EINVAL; 691 break; 692 } 693 error = copyin(uap->addr, &r.sr, uap->data); 694 if (error != 0) 695 break; 696 if (r.sr.pscr_nargs > nitems(td->td_sa.args)) { 697 error = EINVAL; 698 break; 699 } 700 error = copyin(r.sr.pscr_args, pscr_args, 701 sizeof(u_long) * r.sr.pscr_nargs); 702 if (error != 0) 703 break; 704 r.sr.pscr_args = pscr_args; 705 break; 706 case PTINTERNAL_FIRST ... PTINTERNAL_LAST: 707 error = EINVAL; 708 break; 709 default: 710 addr = uap->addr; 711 break; 712 } 713 if (error) 714 return (error); 715 716 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data); 717 if (error) 718 return (error); 719 720 switch (uap->req) { 721 case PT_VM_ENTRY: 722 error = copyout(&r.pve, uap->addr, sizeof(r.pve)); 723 break; 724 case PT_IO: 725 error = copyout(&r.piod, uap->addr, sizeof(r.piod)); 726 break; 727 case PT_GETREGS: 728 error = copyout(&r.reg, uap->addr, sizeof(r.reg)); 729 break; 730 case PT_GETFPREGS: 731 error = copyout(&r.fpreg, uap->addr, sizeof(r.fpreg)); 732 break; 733 case PT_GETDBREGS: 734 error = copyout(&r.dbreg, uap->addr, sizeof(r.dbreg)); 735 break; 736 case PT_GETREGSET: 737 error = copyout(&r.vec, uap->addr, sizeof(r.vec)); 738 break; 739 case PT_GET_EVENT_MASK: 740 /* NB: The size in uap->data is validated in kern_ptrace(). */ 741 error = copyout(&r.ptevents, uap->addr, uap->data); 742 break; 743 case PT_LWPINFO: 744 /* NB: The size in uap->data is validated in kern_ptrace(). */ 745 error = copyout(&r.pl, uap->addr, uap->data); 746 break; 747 case PT_GET_SC_ARGS: 748 error = copyout(r.args, uap->addr, MIN(uap->data, 749 sizeof(r.args))); 750 break; 751 case PT_GET_SC_RET: 752 error = copyout(&r.psr, uap->addr, MIN(uap->data, 753 sizeof(r.psr))); 754 break; 755 case PT_SC_REMOTE: 756 error = copyout(&r.sr.pscr_ret, uap->addr + 757 offsetof(struct ptrace_sc_remote, pscr_ret), 758 sizeof(r.sr.pscr_ret)); 759 break; 760 } 761 762 return (error); 763 } 764 765 #ifdef COMPAT_FREEBSD32 766 /* 767 * PROC_READ(regs, td2, addr); 768 * becomes either: 769 * proc_read_regs(td2, addr); 770 * or 771 * proc_read_regs32(td2, addr); 772 * .. except this is done at runtime. There is an additional 773 * complication in that PROC_WRITE disallows 32 bit consumers 774 * from writing to 64 bit address space targets. 775 */ 776 #define PROC_READ(w, t, a) wrap32 ? \ 777 proc_read_ ## w ## 32(t, a) : \ 778 proc_read_ ## w (t, a) 779 #define PROC_WRITE(w, t, a) wrap32 ? \ 780 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \ 781 proc_write_ ## w (t, a) 782 #else 783 #define PROC_READ(w, t, a) proc_read_ ## w (t, a) 784 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a) 785 #endif 786 787 void 788 proc_set_traced(struct proc *p, bool stop) 789 { 790 791 sx_assert(&proctree_lock, SX_XLOCKED); 792 PROC_LOCK_ASSERT(p, MA_OWNED); 793 p->p_flag |= P_TRACED; 794 if (stop) 795 p->p_flag2 |= P2_PTRACE_FSTP; 796 p->p_ptevents = PTRACE_DEFAULT; 797 } 798 799 void 800 ptrace_unsuspend(struct proc *p) 801 { 802 PROC_LOCK_ASSERT(p, MA_OWNED); 803 804 PROC_SLOCK(p); 805 p->p_flag &= ~(P_STOPPED_TRACE | P_STOPPED_SIG | P_WAITED); 806 thread_unsuspend(p); 807 PROC_SUNLOCK(p); 808 itimer_proc_continue(p); 809 kqtimer_proc_continue(p); 810 } 811 812 static int 813 proc_can_ptrace(struct thread *td, struct proc *p) 814 { 815 int error; 816 817 PROC_LOCK_ASSERT(p, MA_OWNED); 818 819 if ((p->p_flag & P_WEXIT) != 0) 820 return (ESRCH); 821 822 if ((error = p_cansee(td, p)) != 0) 823 return (error); 824 if ((error = p_candebug(td, p)) != 0) 825 return (error); 826 827 /* not being traced... */ 828 if ((p->p_flag & P_TRACED) == 0) 829 return (EPERM); 830 831 /* not being traced by YOU */ 832 if (p->p_pptr != td->td_proc) 833 return (EBUSY); 834 835 /* not currently stopped */ 836 if ((p->p_flag & P_STOPPED_TRACE) == 0 || 837 p->p_suspcount != p->p_numthreads || 838 (p->p_flag & P_WAITED) == 0) 839 return (EBUSY); 840 841 return (0); 842 } 843 844 static struct thread * 845 ptrace_sel_coredump_thread(struct proc *p) 846 { 847 struct thread *td2; 848 849 PROC_LOCK_ASSERT(p, MA_OWNED); 850 MPASS((p->p_flag & P_STOPPED_TRACE) != 0); 851 852 FOREACH_THREAD_IN_PROC(p, td2) { 853 if ((td2->td_dbgflags & TDB_SSWITCH) != 0) 854 return (td2); 855 } 856 return (NULL); 857 } 858 859 int 860 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) 861 { 862 struct iovec iov; 863 struct uio uio; 864 struct proc *curp, *p, *pp; 865 struct thread *td2 = NULL, *td3; 866 struct ptrace_io_desc *piod = NULL; 867 struct ptrace_lwpinfo *pl; 868 struct ptrace_sc_ret *psr; 869 struct ptrace_sc_remote *pscr; 870 struct file *fp; 871 struct ptrace_coredump *pc; 872 struct thr_coredump_req *tcq; 873 struct thr_syscall_req *tsr; 874 int error, num, tmp; 875 lwpid_t tid = 0, *buf; 876 #ifdef COMPAT_FREEBSD32 877 int wrap32 = 0, safe = 0; 878 #endif 879 bool proctree_locked, p2_req_set; 880 881 curp = td->td_proc; 882 proctree_locked = false; 883 p2_req_set = false; 884 885 /* Lock proctree before locking the process. */ 886 switch (req) { 887 case PT_TRACE_ME: 888 case PT_ATTACH: 889 case PT_STEP: 890 case PT_CONTINUE: 891 case PT_TO_SCE: 892 case PT_TO_SCX: 893 case PT_SYSCALL: 894 case PT_FOLLOW_FORK: 895 case PT_LWP_EVENTS: 896 case PT_GET_EVENT_MASK: 897 case PT_SET_EVENT_MASK: 898 case PT_DETACH: 899 case PT_GET_SC_ARGS: 900 sx_xlock(&proctree_lock); 901 proctree_locked = true; 902 break; 903 default: 904 break; 905 } 906 907 if (req == PT_TRACE_ME) { 908 p = td->td_proc; 909 PROC_LOCK(p); 910 } else { 911 if (pid <= PID_MAX) { 912 if ((p = pfind(pid)) == NULL) { 913 if (proctree_locked) 914 sx_xunlock(&proctree_lock); 915 return (ESRCH); 916 } 917 } else { 918 td2 = tdfind(pid, -1); 919 if (td2 == NULL) { 920 if (proctree_locked) 921 sx_xunlock(&proctree_lock); 922 return (ESRCH); 923 } 924 p = td2->td_proc; 925 tid = pid; 926 pid = p->p_pid; 927 } 928 } 929 AUDIT_ARG_PROCESS(p); 930 931 if ((p->p_flag & P_WEXIT) != 0) { 932 error = ESRCH; 933 goto fail; 934 } 935 if ((error = p_cansee(td, p)) != 0) 936 goto fail; 937 938 if ((error = p_candebug(td, p)) != 0) 939 goto fail; 940 941 /* 942 * System processes can't be debugged. 943 */ 944 if ((p->p_flag & P_SYSTEM) != 0) { 945 error = EINVAL; 946 goto fail; 947 } 948 949 if (tid == 0) { 950 if ((p->p_flag & P_STOPPED_TRACE) != 0) 951 td2 = p->p_xthread; 952 if (td2 == NULL) 953 td2 = FIRST_THREAD_IN_PROC(p); 954 tid = td2->td_tid; 955 } 956 957 #ifdef COMPAT_FREEBSD32 958 /* 959 * Test if we're a 32 bit client and what the target is. 960 * Set the wrap controls accordingly. 961 */ 962 if (SV_CURPROC_FLAG(SV_ILP32)) { 963 if (SV_PROC_FLAG(td2->td_proc, SV_ILP32)) 964 safe = 1; 965 wrap32 = 1; 966 } 967 #endif 968 /* 969 * Permissions check 970 */ 971 switch (req) { 972 case PT_TRACE_ME: 973 /* 974 * Always legal, when there is a parent process which 975 * could trace us. Otherwise, reject. 976 */ 977 if ((p->p_flag & P_TRACED) != 0) { 978 error = EBUSY; 979 goto fail; 980 } 981 if (p->p_pptr == initproc) { 982 error = EPERM; 983 goto fail; 984 } 985 break; 986 987 case PT_ATTACH: 988 /* Self */ 989 if (p == td->td_proc) { 990 error = EINVAL; 991 goto fail; 992 } 993 994 /* Already traced */ 995 if (p->p_flag & P_TRACED) { 996 error = EBUSY; 997 goto fail; 998 } 999 1000 /* Can't trace an ancestor if you're being traced. */ 1001 if (curp->p_flag & P_TRACED) { 1002 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) { 1003 if (pp == p) { 1004 error = EINVAL; 1005 goto fail; 1006 } 1007 } 1008 } 1009 1010 /* OK */ 1011 break; 1012 1013 case PT_CLEARSTEP: 1014 /* Allow thread to clear single step for itself */ 1015 if (td->td_tid == tid) 1016 break; 1017 1018 /* FALLTHROUGH */ 1019 default: 1020 /* 1021 * Check for ptrace eligibility before waiting for 1022 * holds to drain. 1023 */ 1024 error = proc_can_ptrace(td, p); 1025 if (error != 0) 1026 goto fail; 1027 1028 /* 1029 * Block parallel ptrace requests. Most important, do 1030 * not allow other thread in debugger to continue the 1031 * debuggee until coredump finished. 1032 */ 1033 while ((p->p_flag2 & P2_PTRACEREQ) != 0) { 1034 if (proctree_locked) 1035 sx_xunlock(&proctree_lock); 1036 error = msleep(&p->p_flag2, &p->p_mtx, PPAUSE | PCATCH | 1037 (proctree_locked ? PDROP : 0), "pptrace", 0); 1038 if (proctree_locked) { 1039 sx_xlock(&proctree_lock); 1040 PROC_LOCK(p); 1041 } 1042 if (error == 0 && td2->td_proc != p) 1043 error = ESRCH; 1044 if (error == 0) 1045 error = proc_can_ptrace(td, p); 1046 if (error != 0) 1047 goto fail; 1048 } 1049 1050 /* Ok */ 1051 break; 1052 } 1053 1054 /* 1055 * Keep this process around and request parallel ptrace() 1056 * request to wait until we finish this request. 1057 */ 1058 MPASS((p->p_flag2 & P2_PTRACEREQ) == 0); 1059 p->p_flag2 |= P2_PTRACEREQ; 1060 p2_req_set = true; 1061 _PHOLD(p); 1062 1063 /* 1064 * Actually do the requests 1065 */ 1066 1067 td->td_retval[0] = 0; 1068 1069 switch (req) { 1070 case PT_TRACE_ME: 1071 /* set my trace flag and "owner" so it can read/write me */ 1072 proc_set_traced(p, false); 1073 if (p->p_flag & P_PPWAIT) 1074 p->p_flag |= P_PPTRACE; 1075 CTR1(KTR_PTRACE, "PT_TRACE_ME: pid %d", p->p_pid); 1076 break; 1077 1078 case PT_ATTACH: 1079 /* security check done above */ 1080 /* 1081 * It would be nice if the tracing relationship was separate 1082 * from the parent relationship but that would require 1083 * another set of links in the proc struct or for "wait" 1084 * to scan the entire proc table. To make life easier, 1085 * we just re-parent the process we're trying to trace. 1086 * The old parent is remembered so we can put things back 1087 * on a "detach". 1088 */ 1089 proc_set_traced(p, true); 1090 proc_reparent(p, td->td_proc, false); 1091 CTR2(KTR_PTRACE, "PT_ATTACH: pid %d, oppid %d", p->p_pid, 1092 p->p_oppid); 1093 1094 sx_xunlock(&proctree_lock); 1095 proctree_locked = false; 1096 MPASS(p->p_xthread == NULL); 1097 MPASS((p->p_flag & P_STOPPED_TRACE) == 0); 1098 1099 /* 1100 * If already stopped due to a stop signal, clear the 1101 * existing stop before triggering a traced SIGSTOP. 1102 */ 1103 if ((p->p_flag & P_STOPPED_SIG) != 0) { 1104 PROC_SLOCK(p); 1105 p->p_flag &= ~(P_STOPPED_SIG | P_WAITED); 1106 thread_unsuspend(p); 1107 PROC_SUNLOCK(p); 1108 } 1109 1110 kern_psignal(p, SIGSTOP); 1111 break; 1112 1113 case PT_CLEARSTEP: 1114 CTR2(KTR_PTRACE, "PT_CLEARSTEP: tid %d (pid %d)", td2->td_tid, 1115 p->p_pid); 1116 error = ptrace_clear_single_step(td2); 1117 break; 1118 1119 case PT_SETSTEP: 1120 CTR2(KTR_PTRACE, "PT_SETSTEP: tid %d (pid %d)", td2->td_tid, 1121 p->p_pid); 1122 error = ptrace_single_step(td2); 1123 break; 1124 1125 case PT_SUSPEND: 1126 CTR2(KTR_PTRACE, "PT_SUSPEND: tid %d (pid %d)", td2->td_tid, 1127 p->p_pid); 1128 td2->td_dbgflags |= TDB_SUSPEND; 1129 ast_sched(td2, TDA_SUSPEND); 1130 break; 1131 1132 case PT_RESUME: 1133 CTR2(KTR_PTRACE, "PT_RESUME: tid %d (pid %d)", td2->td_tid, 1134 p->p_pid); 1135 td2->td_dbgflags &= ~TDB_SUSPEND; 1136 break; 1137 1138 case PT_FOLLOW_FORK: 1139 CTR3(KTR_PTRACE, "PT_FOLLOW_FORK: pid %d %s -> %s", p->p_pid, 1140 p->p_ptevents & PTRACE_FORK ? "enabled" : "disabled", 1141 data ? "enabled" : "disabled"); 1142 if (data) 1143 p->p_ptevents |= PTRACE_FORK; 1144 else 1145 p->p_ptevents &= ~PTRACE_FORK; 1146 break; 1147 1148 case PT_LWP_EVENTS: 1149 CTR3(KTR_PTRACE, "PT_LWP_EVENTS: pid %d %s -> %s", p->p_pid, 1150 p->p_ptevents & PTRACE_LWP ? "enabled" : "disabled", 1151 data ? "enabled" : "disabled"); 1152 if (data) 1153 p->p_ptevents |= PTRACE_LWP; 1154 else 1155 p->p_ptevents &= ~PTRACE_LWP; 1156 break; 1157 1158 case PT_GET_EVENT_MASK: 1159 if (data != sizeof(p->p_ptevents)) { 1160 error = EINVAL; 1161 break; 1162 } 1163 CTR2(KTR_PTRACE, "PT_GET_EVENT_MASK: pid %d mask %#x", p->p_pid, 1164 p->p_ptevents); 1165 *(int *)addr = p->p_ptevents; 1166 break; 1167 1168 case PT_SET_EVENT_MASK: 1169 if (data != sizeof(p->p_ptevents)) { 1170 error = EINVAL; 1171 break; 1172 } 1173 tmp = *(int *)addr; 1174 if ((tmp & ~(PTRACE_EXEC | PTRACE_SCE | PTRACE_SCX | 1175 PTRACE_FORK | PTRACE_LWP | PTRACE_VFORK)) != 0) { 1176 error = EINVAL; 1177 break; 1178 } 1179 CTR3(KTR_PTRACE, "PT_SET_EVENT_MASK: pid %d mask %#x -> %#x", 1180 p->p_pid, p->p_ptevents, tmp); 1181 p->p_ptevents = tmp; 1182 break; 1183 1184 case PT_GET_SC_ARGS: 1185 case PTLINUX_GET_SC_ARGS: 1186 CTR2(KTR_PTRACE, "%s: pid %d", req == PT_GET_SC_ARGS ? 1187 "PT_GET_SC_ARGS" : "PT_LINUX_GET_SC_ARGS", p->p_pid); 1188 if (((td2->td_dbgflags & (TDB_SCE | TDB_SCX)) == 0 && 1189 td2->td_sa.code == 0) 1190 #ifdef COMPAT_FREEBSD32 1191 || (wrap32 && !safe) 1192 #endif 1193 ) { 1194 error = EINVAL; 1195 break; 1196 } 1197 if (req == PT_GET_SC_ARGS) { 1198 bzero(addr, sizeof(td2->td_sa.args)); 1199 bcopy(td2->td_sa.args, addr, td2->td_sa.callp->sy_narg * 1200 sizeof(syscallarg_t)); 1201 } else { 1202 /* 1203 * Emulate a Linux bug which which strace(1) depends on: 1204 * at initialization it tests whether ptrace works by 1205 * calling close(2), or some other single-argument 1206 * syscall, _with six arguments_, and then verifies 1207 * whether it can fetch them all using this API; 1208 * otherwise it bails out. 1209 */ 1210 bcopy(td2->td_sa.args, addr, 6 * sizeof(syscallarg_t)); 1211 } 1212 break; 1213 1214 case PT_GET_SC_RET: 1215 if ((td2->td_dbgflags & (TDB_SCX)) == 0 1216 #ifdef COMPAT_FREEBSD32 1217 || (wrap32 && !safe) 1218 #endif 1219 ) { 1220 error = EINVAL; 1221 break; 1222 } 1223 psr = addr; 1224 bzero(psr, sizeof(*psr)); 1225 psr->sr_error = td2->td_errno; 1226 if (psr->sr_error == 0) { 1227 psr->sr_retval[0] = td2->td_retval[0]; 1228 psr->sr_retval[1] = td2->td_retval[1]; 1229 } 1230 CTR4(KTR_PTRACE, 1231 "PT_GET_SC_RET: pid %d error %d retval %#lx,%#lx", 1232 p->p_pid, psr->sr_error, psr->sr_retval[0], 1233 psr->sr_retval[1]); 1234 break; 1235 1236 case PT_STEP: 1237 case PT_CONTINUE: 1238 case PT_TO_SCE: 1239 case PT_TO_SCX: 1240 case PT_SYSCALL: 1241 case PT_DETACH: 1242 /* Zero means do not send any signal */ 1243 if (data < 0 || data > _SIG_MAXSIG) { 1244 error = EINVAL; 1245 break; 1246 } 1247 1248 switch (req) { 1249 case PT_STEP: 1250 CTR3(KTR_PTRACE, "PT_STEP: tid %d (pid %d), sig = %d", 1251 td2->td_tid, p->p_pid, data); 1252 error = ptrace_single_step(td2); 1253 if (error) 1254 goto out; 1255 break; 1256 case PT_CONTINUE: 1257 case PT_TO_SCE: 1258 case PT_TO_SCX: 1259 case PT_SYSCALL: 1260 if (addr != (void *)1) { 1261 error = ptrace_set_pc(td2, 1262 (u_long)(uintfptr_t)addr); 1263 if (error) 1264 goto out; 1265 td2->td_dbgflags |= TDB_USERWR; 1266 } 1267 switch (req) { 1268 case PT_TO_SCE: 1269 p->p_ptevents |= PTRACE_SCE; 1270 CTR4(KTR_PTRACE, 1271 "PT_TO_SCE: pid %d, events = %#x, PC = %#lx, sig = %d", 1272 p->p_pid, p->p_ptevents, 1273 (u_long)(uintfptr_t)addr, data); 1274 break; 1275 case PT_TO_SCX: 1276 p->p_ptevents |= PTRACE_SCX; 1277 CTR4(KTR_PTRACE, 1278 "PT_TO_SCX: pid %d, events = %#x, PC = %#lx, sig = %d", 1279 p->p_pid, p->p_ptevents, 1280 (u_long)(uintfptr_t)addr, data); 1281 break; 1282 case PT_SYSCALL: 1283 p->p_ptevents |= PTRACE_SYSCALL; 1284 CTR4(KTR_PTRACE, 1285 "PT_SYSCALL: pid %d, events = %#x, PC = %#lx, sig = %d", 1286 p->p_pid, p->p_ptevents, 1287 (u_long)(uintfptr_t)addr, data); 1288 break; 1289 case PT_CONTINUE: 1290 CTR3(KTR_PTRACE, 1291 "PT_CONTINUE: pid %d, PC = %#lx, sig = %d", 1292 p->p_pid, (u_long)(uintfptr_t)addr, data); 1293 break; 1294 } 1295 break; 1296 case PT_DETACH: 1297 /* 1298 * Clear P_TRACED before reparenting 1299 * a detached process back to its original 1300 * parent. Otherwise the debugee will be set 1301 * as an orphan of the debugger. 1302 */ 1303 p->p_flag &= ~(P_TRACED | P_WAITED); 1304 1305 /* 1306 * Reset the process parent. 1307 */ 1308 if (p->p_oppid != p->p_pptr->p_pid) { 1309 PROC_LOCK(p->p_pptr); 1310 sigqueue_take(p->p_ksi); 1311 PROC_UNLOCK(p->p_pptr); 1312 1313 pp = proc_realparent(p); 1314 proc_reparent(p, pp, false); 1315 if (pp == initproc) 1316 p->p_sigparent = SIGCHLD; 1317 CTR3(KTR_PTRACE, 1318 "PT_DETACH: pid %d reparented to pid %d, sig %d", 1319 p->p_pid, pp->p_pid, data); 1320 } else { 1321 CTR2(KTR_PTRACE, "PT_DETACH: pid %d, sig %d", 1322 p->p_pid, data); 1323 } 1324 1325 p->p_ptevents = 0; 1326 FOREACH_THREAD_IN_PROC(p, td3) { 1327 if ((td3->td_dbgflags & TDB_FSTP) != 0) { 1328 sigqueue_delete(&td3->td_sigqueue, 1329 SIGSTOP); 1330 } 1331 td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP | 1332 TDB_SUSPEND | TDB_BORN); 1333 } 1334 1335 if ((p->p_flag2 & P2_PTRACE_FSTP) != 0) { 1336 sigqueue_delete(&p->p_sigqueue, SIGSTOP); 1337 p->p_flag2 &= ~P2_PTRACE_FSTP; 1338 } 1339 1340 /* 1341 * Send SIGCHLD and wakeup the parent as needed. It 1342 * may be the case that they had stopped the child 1343 * before it got ptraced, and now they're in the middle 1344 * of a wait(2) for it to continue. 1345 */ 1346 PROC_LOCK(p->p_pptr); 1347 childproc_continued(p); 1348 PROC_UNLOCK(p->p_pptr); 1349 break; 1350 } 1351 1352 sx_xunlock(&proctree_lock); 1353 proctree_locked = false; 1354 1355 sendsig: 1356 MPASS(!proctree_locked); 1357 1358 /* 1359 * Clear the pending event for the thread that just 1360 * reported its event (p_xthread), if any. This may 1361 * not be the thread passed to PT_CONTINUE, PT_STEP, 1362 * etc. if the debugger is resuming a different 1363 * thread. There might be no reporting thread if 1364 * the process was just attached. 1365 * 1366 * Deliver any pending signal via the reporting thread. 1367 */ 1368 if (p->p_xthread != NULL) { 1369 p->p_xthread->td_dbgflags &= ~TDB_XSIG; 1370 p->p_xthread->td_xsig = data; 1371 p->p_xthread = NULL; 1372 } 1373 p->p_xsig = data; 1374 1375 /* 1376 * P_WKILLED is insurance that a PT_KILL/SIGKILL 1377 * always works immediately, even if another thread is 1378 * unsuspended first and attempts to handle a 1379 * different signal or if the POSIX.1b style signal 1380 * queue cannot accommodate any new signals. 1381 */ 1382 if (data == SIGKILL) 1383 proc_wkilled(p); 1384 1385 /* 1386 * If the PT_CONTINUE-like operation is attempted on 1387 * the thread on sleepq, this is possible only after 1388 * the transparent PT_ATTACH. In this case, if the 1389 * caller modified the thread state, e.g. by writing 1390 * register file or specifying the pc, make the thread 1391 * xstopped by waking it up. 1392 */ 1393 if ((td2->td_dbgflags & TDB_USERWR) != 0) { 1394 if (pt_attach_transparent) { 1395 thread_lock(td2); 1396 if (TD_ON_SLEEPQ(td2) && 1397 (td2->td_flags & TDF_SINTR) != 0) { 1398 sleepq_abort(td2, EINTR); 1399 } else { 1400 thread_unlock(td2); 1401 } 1402 } 1403 td2->td_dbgflags &= ~TDB_USERWR; 1404 } 1405 1406 /* 1407 * Unsuspend all threads. To leave a thread 1408 * suspended, use PT_SUSPEND to suspend it before 1409 * continuing the process. 1410 */ 1411 ptrace_unsuspend(p); 1412 break; 1413 1414 case PT_WRITE_I: 1415 case PT_WRITE_D: 1416 td2->td_dbgflags |= TDB_USERWR; 1417 PROC_UNLOCK(p); 1418 error = 0; 1419 if (proc_writemem(td, p, (off_t)(uintptr_t)addr, &data, 1420 sizeof(int)) != sizeof(int)) 1421 error = ENOMEM; 1422 else 1423 CTR3(KTR_PTRACE, "PT_WRITE: pid %d: %p <= %#x", 1424 p->p_pid, addr, data); 1425 PROC_LOCK(p); 1426 break; 1427 1428 case PT_READ_I: 1429 case PT_READ_D: 1430 PROC_UNLOCK(p); 1431 error = tmp = 0; 1432 if (proc_readmem(td, p, (off_t)(uintptr_t)addr, &tmp, 1433 sizeof(int)) != sizeof(int)) 1434 error = ENOMEM; 1435 else 1436 CTR3(KTR_PTRACE, "PT_READ: pid %d: %p >= %#x", 1437 p->p_pid, addr, tmp); 1438 td->td_retval[0] = tmp; 1439 PROC_LOCK(p); 1440 break; 1441 1442 case PT_IO: 1443 piod = addr; 1444 if (piod->piod_len > SSIZE_MAX) { 1445 error = EINVAL; 1446 goto out; 1447 } 1448 iov.iov_base = piod->piod_addr; 1449 iov.iov_len = piod->piod_len; 1450 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs; 1451 uio.uio_resid = piod->piod_len; 1452 uio.uio_iov = &iov; 1453 uio.uio_iovcnt = 1; 1454 uio.uio_segflg = UIO_USERSPACE; 1455 uio.uio_td = td; 1456 switch (piod->piod_op) { 1457 case PIOD_READ_D: 1458 case PIOD_READ_I: 1459 CTR3(KTR_PTRACE, "PT_IO: pid %d: READ (%p, %#x)", 1460 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1461 uio.uio_rw = UIO_READ; 1462 break; 1463 case PIOD_WRITE_D: 1464 case PIOD_WRITE_I: 1465 CTR3(KTR_PTRACE, "PT_IO: pid %d: WRITE (%p, %#x)", 1466 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1467 td2->td_dbgflags |= TDB_USERWR; 1468 uio.uio_rw = UIO_WRITE; 1469 break; 1470 default: 1471 error = EINVAL; 1472 goto out; 1473 } 1474 PROC_UNLOCK(p); 1475 error = proc_rwmem(p, &uio); 1476 piod->piod_len -= uio.uio_resid; 1477 PROC_LOCK(p); 1478 break; 1479 1480 case PT_KILL: 1481 CTR1(KTR_PTRACE, "PT_KILL: pid %d", p->p_pid); 1482 data = SIGKILL; 1483 goto sendsig; /* in PT_CONTINUE above */ 1484 1485 case PT_SETREGS: 1486 CTR2(KTR_PTRACE, "PT_SETREGS: tid %d (pid %d)", td2->td_tid, 1487 p->p_pid); 1488 td2->td_dbgflags |= TDB_USERWR; 1489 error = PROC_WRITE(regs, td2, addr); 1490 break; 1491 1492 case PT_GETREGS: 1493 CTR2(KTR_PTRACE, "PT_GETREGS: tid %d (pid %d)", td2->td_tid, 1494 p->p_pid); 1495 error = PROC_READ(regs, td2, addr); 1496 break; 1497 1498 case PT_SETFPREGS: 1499 CTR2(KTR_PTRACE, "PT_SETFPREGS: tid %d (pid %d)", td2->td_tid, 1500 p->p_pid); 1501 td2->td_dbgflags |= TDB_USERWR; 1502 error = PROC_WRITE(fpregs, td2, addr); 1503 break; 1504 1505 case PT_GETFPREGS: 1506 CTR2(KTR_PTRACE, "PT_GETFPREGS: tid %d (pid %d)", td2->td_tid, 1507 p->p_pid); 1508 error = PROC_READ(fpregs, td2, addr); 1509 break; 1510 1511 case PT_SETDBREGS: 1512 CTR2(KTR_PTRACE, "PT_SETDBREGS: tid %d (pid %d)", td2->td_tid, 1513 p->p_pid); 1514 td2->td_dbgflags |= TDB_USERWR; 1515 error = PROC_WRITE(dbregs, td2, addr); 1516 break; 1517 1518 case PT_GETDBREGS: 1519 CTR2(KTR_PTRACE, "PT_GETDBREGS: tid %d (pid %d)", td2->td_tid, 1520 p->p_pid); 1521 error = PROC_READ(dbregs, td2, addr); 1522 break; 1523 1524 case PT_SETREGSET: 1525 CTR2(KTR_PTRACE, "PT_SETREGSET: tid %d (pid %d)", td2->td_tid, 1526 p->p_pid); 1527 error = proc_write_regset(td2, data, addr); 1528 break; 1529 1530 case PT_GETREGSET: 1531 CTR2(KTR_PTRACE, "PT_GETREGSET: tid %d (pid %d)", td2->td_tid, 1532 p->p_pid); 1533 error = proc_read_regset(td2, data, addr); 1534 break; 1535 1536 case PT_LWPINFO: 1537 if (data <= 0 || data > sizeof(*pl)) { 1538 error = EINVAL; 1539 break; 1540 } 1541 pl = addr; 1542 bzero(pl, sizeof(*pl)); 1543 pl->pl_lwpid = td2->td_tid; 1544 pl->pl_event = PL_EVENT_NONE; 1545 pl->pl_flags = 0; 1546 if (td2->td_dbgflags & TDB_XSIG) { 1547 pl->pl_event = PL_EVENT_SIGNAL; 1548 if (td2->td_si.si_signo != 0 && 1549 data >= offsetof(struct ptrace_lwpinfo, pl_siginfo) 1550 + sizeof(pl->pl_siginfo)){ 1551 pl->pl_flags |= PL_FLAG_SI; 1552 pl->pl_siginfo = td2->td_si; 1553 } 1554 } 1555 if (td2->td_dbgflags & TDB_SCE) 1556 pl->pl_flags |= PL_FLAG_SCE; 1557 else if (td2->td_dbgflags & TDB_SCX) 1558 pl->pl_flags |= PL_FLAG_SCX; 1559 if (td2->td_dbgflags & TDB_EXEC) 1560 pl->pl_flags |= PL_FLAG_EXEC; 1561 if (td2->td_dbgflags & TDB_FORK) { 1562 pl->pl_flags |= PL_FLAG_FORKED; 1563 pl->pl_child_pid = td2->td_dbg_forked; 1564 if (td2->td_dbgflags & TDB_VFORK) 1565 pl->pl_flags |= PL_FLAG_VFORKED; 1566 } else if ((td2->td_dbgflags & (TDB_SCX | TDB_VFORK)) == 1567 TDB_VFORK) 1568 pl->pl_flags |= PL_FLAG_VFORK_DONE; 1569 if (td2->td_dbgflags & TDB_CHILD) 1570 pl->pl_flags |= PL_FLAG_CHILD; 1571 if (td2->td_dbgflags & TDB_BORN) 1572 pl->pl_flags |= PL_FLAG_BORN; 1573 if (td2->td_dbgflags & TDB_EXIT) 1574 pl->pl_flags |= PL_FLAG_EXITED; 1575 pl->pl_sigmask = td2->td_sigmask; 1576 pl->pl_siglist = td2->td_siglist; 1577 strcpy(pl->pl_tdname, td2->td_name); 1578 if (td2->td_sa.code != 0) { 1579 pl->pl_syscall_code = td2->td_sa.code; 1580 pl->pl_syscall_narg = td2->td_sa.callp->sy_narg; 1581 } 1582 CTR6(KTR_PTRACE, 1583 "PT_LWPINFO: tid %d (pid %d) event %d flags %#x child pid %d syscall %d", 1584 td2->td_tid, p->p_pid, pl->pl_event, pl->pl_flags, 1585 pl->pl_child_pid, pl->pl_syscall_code); 1586 break; 1587 1588 case PT_GETNUMLWPS: 1589 CTR2(KTR_PTRACE, "PT_GETNUMLWPS: pid %d: %d threads", p->p_pid, 1590 p->p_numthreads); 1591 td->td_retval[0] = p->p_numthreads; 1592 break; 1593 1594 case PT_GETLWPLIST: 1595 CTR3(KTR_PTRACE, "PT_GETLWPLIST: pid %d: data %d, actual %d", 1596 p->p_pid, data, p->p_numthreads); 1597 if (data <= 0) { 1598 error = EINVAL; 1599 break; 1600 } 1601 num = imin(p->p_numthreads, data); 1602 PROC_UNLOCK(p); 1603 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK); 1604 tmp = 0; 1605 PROC_LOCK(p); 1606 FOREACH_THREAD_IN_PROC(p, td2) { 1607 if (tmp >= num) 1608 break; 1609 buf[tmp++] = td2->td_tid; 1610 } 1611 PROC_UNLOCK(p); 1612 error = copyout(buf, addr, tmp * sizeof(lwpid_t)); 1613 free(buf, M_TEMP); 1614 if (!error) 1615 td->td_retval[0] = tmp; 1616 PROC_LOCK(p); 1617 break; 1618 1619 case PT_VM_TIMESTAMP: 1620 CTR2(KTR_PTRACE, "PT_VM_TIMESTAMP: pid %d: timestamp %d", 1621 p->p_pid, p->p_vmspace->vm_map.timestamp); 1622 td->td_retval[0] = p->p_vmspace->vm_map.timestamp; 1623 break; 1624 1625 case PT_VM_ENTRY: 1626 PROC_UNLOCK(p); 1627 error = ptrace_vm_entry(td, p, addr); 1628 PROC_LOCK(p); 1629 break; 1630 1631 case PT_COREDUMP: 1632 pc = addr; 1633 CTR2(KTR_PTRACE, "PT_COREDUMP: pid %d, fd %d", 1634 p->p_pid, pc->pc_fd); 1635 1636 if ((pc->pc_flags & ~(PC_COMPRESS | PC_ALL)) != 0) { 1637 error = EINVAL; 1638 break; 1639 } 1640 PROC_UNLOCK(p); 1641 1642 tcq = malloc(sizeof(*tcq), M_TEMP, M_WAITOK | M_ZERO); 1643 fp = NULL; 1644 error = fget_write(td, pc->pc_fd, &cap_write_rights, &fp); 1645 if (error != 0) 1646 goto coredump_cleanup_nofp; 1647 if (fp->f_type != DTYPE_VNODE || fp->f_vnode->v_type != VREG) { 1648 error = EPIPE; 1649 goto coredump_cleanup; 1650 } 1651 1652 PROC_LOCK(p); 1653 error = proc_can_ptrace(td, p); 1654 if (error != 0) 1655 goto coredump_cleanup_locked; 1656 1657 td2 = ptrace_sel_coredump_thread(p); 1658 if (td2 == NULL) { 1659 error = EBUSY; 1660 goto coredump_cleanup_locked; 1661 } 1662 KASSERT((td2->td_dbgflags & (TDB_COREDUMPREQ | 1663 TDB_SCREMOTEREQ)) == 0, 1664 ("proc %d tid %d req coredump", p->p_pid, td2->td_tid)); 1665 1666 tcq->tc_vp = fp->f_vnode; 1667 tcq->tc_limit = pc->pc_limit == 0 ? OFF_MAX : pc->pc_limit; 1668 tcq->tc_flags = SVC_PT_COREDUMP; 1669 if ((pc->pc_flags & PC_COMPRESS) == 0) 1670 tcq->tc_flags |= SVC_NOCOMPRESS; 1671 if ((pc->pc_flags & PC_ALL) != 0) 1672 tcq->tc_flags |= SVC_ALL; 1673 td2->td_remotereq = tcq; 1674 td2->td_dbgflags |= TDB_COREDUMPREQ; 1675 thread_run_flash(td2); 1676 while ((td2->td_dbgflags & TDB_COREDUMPREQ) != 0) 1677 msleep(p, &p->p_mtx, PPAUSE, "crdmp", 0); 1678 error = tcq->tc_error; 1679 coredump_cleanup_locked: 1680 PROC_UNLOCK(p); 1681 coredump_cleanup: 1682 fdrop(fp, td); 1683 coredump_cleanup_nofp: 1684 free(tcq, M_TEMP); 1685 PROC_LOCK(p); 1686 break; 1687 1688 case PT_SC_REMOTE: 1689 pscr = addr; 1690 CTR2(KTR_PTRACE, "PT_SC_REMOTE: pid %d, syscall %d", 1691 p->p_pid, pscr->pscr_syscall); 1692 if ((td2->td_dbgflags & TDB_BOUNDARY) == 0) { 1693 error = EBUSY; 1694 break; 1695 } 1696 PROC_UNLOCK(p); 1697 MPASS(pscr->pscr_nargs <= nitems(td->td_sa.args)); 1698 1699 tsr = malloc(sizeof(struct thr_syscall_req), M_TEMP, 1700 M_WAITOK | M_ZERO); 1701 1702 tsr->ts_sa.code = pscr->pscr_syscall; 1703 tsr->ts_nargs = pscr->pscr_nargs; 1704 memcpy(&tsr->ts_sa.args, pscr->pscr_args, 1705 sizeof(syscallarg_t) * tsr->ts_nargs); 1706 1707 PROC_LOCK(p); 1708 error = proc_can_ptrace(td, p); 1709 if (error != 0) { 1710 free(tsr, M_TEMP); 1711 break; 1712 } 1713 if (td2->td_proc != p) { 1714 free(tsr, M_TEMP); 1715 error = ESRCH; 1716 break; 1717 } 1718 KASSERT((td2->td_dbgflags & (TDB_COREDUMPREQ | 1719 TDB_SCREMOTEREQ)) == 0, 1720 ("proc %d tid %d req coredump", p->p_pid, td2->td_tid)); 1721 1722 td2->td_remotereq = tsr; 1723 td2->td_dbgflags |= TDB_SCREMOTEREQ; 1724 thread_run_flash(td2); 1725 while ((td2->td_dbgflags & TDB_SCREMOTEREQ) != 0) 1726 msleep(p, &p->p_mtx, PPAUSE, "pscrx", 0); 1727 error = 0; 1728 memcpy(&pscr->pscr_ret, &tsr->ts_ret, sizeof(tsr->ts_ret)); 1729 free(tsr, M_TEMP); 1730 break; 1731 1732 default: 1733 #ifdef __HAVE_PTRACE_MACHDEP 1734 if (req >= PT_FIRSTMACH) { 1735 PROC_UNLOCK(p); 1736 error = cpu_ptrace(td2, req, addr, data); 1737 PROC_LOCK(p); 1738 } else 1739 #endif 1740 /* Unknown request. */ 1741 error = EINVAL; 1742 break; 1743 } 1744 out: 1745 /* Drop our hold on this process now that the request has completed. */ 1746 _PRELE(p); 1747 fail: 1748 if (p2_req_set) { 1749 if ((p->p_flag2 & P2_PTRACEREQ) != 0) 1750 wakeup(&p->p_flag2); 1751 p->p_flag2 &= ~P2_PTRACEREQ; 1752 } 1753 PROC_UNLOCK(p); 1754 if (proctree_locked) 1755 sx_xunlock(&proctree_lock); 1756 return (error); 1757 } 1758 #undef PROC_READ 1759 #undef PROC_WRITE 1760