1 /*- 2 * Copyright (c) 1994, Sean Eric Fagan 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Sean Eric Fagan. 16 * 4. The name of the author may not be used to endorse or promote products 17 * derived from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include "opt_compat.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/lock.h> 40 #include <sys/mutex.h> 41 #include <sys/syscallsubr.h> 42 #include <sys/sysent.h> 43 #include <sys/sysproto.h> 44 #include <sys/pioctl.h> 45 #include <sys/priv.h> 46 #include <sys/proc.h> 47 #include <sys/vnode.h> 48 #include <sys/ptrace.h> 49 #include <sys/rwlock.h> 50 #include <sys/sx.h> 51 #include <sys/malloc.h> 52 #include <sys/signalvar.h> 53 54 #include <machine/reg.h> 55 56 #include <security/audit/audit.h> 57 58 #include <vm/vm.h> 59 #include <vm/pmap.h> 60 #include <vm/vm_extern.h> 61 #include <vm/vm_map.h> 62 #include <vm/vm_kern.h> 63 #include <vm/vm_object.h> 64 #include <vm/vm_page.h> 65 #include <vm/vm_param.h> 66 67 #ifdef COMPAT_FREEBSD32 68 #include <sys/procfs.h> 69 #include <compat/freebsd32/freebsd32_signal.h> 70 71 struct ptrace_io_desc32 { 72 int piod_op; 73 uint32_t piod_offs; 74 uint32_t piod_addr; 75 uint32_t piod_len; 76 }; 77 78 struct ptrace_vm_entry32 { 79 int pve_entry; 80 int pve_timestamp; 81 uint32_t pve_start; 82 uint32_t pve_end; 83 uint32_t pve_offset; 84 u_int pve_prot; 85 u_int pve_pathlen; 86 int32_t pve_fileid; 87 u_int pve_fsid; 88 uint32_t pve_path; 89 }; 90 91 struct ptrace_lwpinfo32 { 92 lwpid_t pl_lwpid; /* LWP described. */ 93 int pl_event; /* Event that stopped the LWP. */ 94 int pl_flags; /* LWP flags. */ 95 sigset_t pl_sigmask; /* LWP signal mask */ 96 sigset_t pl_siglist; /* LWP pending signal */ 97 struct siginfo32 pl_siginfo; /* siginfo for signal */ 98 char pl_tdname[MAXCOMLEN + 1]; /* LWP name. */ 99 int pl_child_pid; /* New child pid */ 100 }; 101 102 #endif 103 104 /* 105 * Functions implemented using PROC_ACTION(): 106 * 107 * proc_read_regs(proc, regs) 108 * Get the current user-visible register set from the process 109 * and copy it into the regs structure (<machine/reg.h>). 110 * The process is stopped at the time read_regs is called. 111 * 112 * proc_write_regs(proc, regs) 113 * Update the current register set from the passed in regs 114 * structure. Take care to avoid clobbering special CPU 115 * registers or privileged bits in the PSL. 116 * Depending on the architecture this may have fix-up work to do, 117 * especially if the IAR or PCW are modified. 118 * The process is stopped at the time write_regs is called. 119 * 120 * proc_read_fpregs, proc_write_fpregs 121 * deal with the floating point register set, otherwise as above. 122 * 123 * proc_read_dbregs, proc_write_dbregs 124 * deal with the processor debug register set, otherwise as above. 125 * 126 * proc_sstep(proc) 127 * Arrange for the process to trap after executing a single instruction. 128 */ 129 130 #define PROC_ACTION(action) do { \ 131 int error; \ 132 \ 133 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \ 134 if ((td->td_proc->p_flag & P_INMEM) == 0) \ 135 error = EIO; \ 136 else \ 137 error = (action); \ 138 return (error); \ 139 } while(0) 140 141 int 142 proc_read_regs(struct thread *td, struct reg *regs) 143 { 144 145 PROC_ACTION(fill_regs(td, regs)); 146 } 147 148 int 149 proc_write_regs(struct thread *td, struct reg *regs) 150 { 151 152 PROC_ACTION(set_regs(td, regs)); 153 } 154 155 int 156 proc_read_dbregs(struct thread *td, struct dbreg *dbregs) 157 { 158 159 PROC_ACTION(fill_dbregs(td, dbregs)); 160 } 161 162 int 163 proc_write_dbregs(struct thread *td, struct dbreg *dbregs) 164 { 165 166 PROC_ACTION(set_dbregs(td, dbregs)); 167 } 168 169 /* 170 * Ptrace doesn't support fpregs at all, and there are no security holes 171 * or translations for fpregs, so we can just copy them. 172 */ 173 int 174 proc_read_fpregs(struct thread *td, struct fpreg *fpregs) 175 { 176 177 PROC_ACTION(fill_fpregs(td, fpregs)); 178 } 179 180 int 181 proc_write_fpregs(struct thread *td, struct fpreg *fpregs) 182 { 183 184 PROC_ACTION(set_fpregs(td, fpregs)); 185 } 186 187 #ifdef COMPAT_FREEBSD32 188 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */ 189 int 190 proc_read_regs32(struct thread *td, struct reg32 *regs32) 191 { 192 193 PROC_ACTION(fill_regs32(td, regs32)); 194 } 195 196 int 197 proc_write_regs32(struct thread *td, struct reg32 *regs32) 198 { 199 200 PROC_ACTION(set_regs32(td, regs32)); 201 } 202 203 int 204 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 205 { 206 207 PROC_ACTION(fill_dbregs32(td, dbregs32)); 208 } 209 210 int 211 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 212 { 213 214 PROC_ACTION(set_dbregs32(td, dbregs32)); 215 } 216 217 int 218 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 219 { 220 221 PROC_ACTION(fill_fpregs32(td, fpregs32)); 222 } 223 224 int 225 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 226 { 227 228 PROC_ACTION(set_fpregs32(td, fpregs32)); 229 } 230 #endif 231 232 int 233 proc_sstep(struct thread *td) 234 { 235 236 PROC_ACTION(ptrace_single_step(td)); 237 } 238 239 int 240 proc_rwmem(struct proc *p, struct uio *uio) 241 { 242 vm_map_t map; 243 vm_offset_t pageno; /* page number */ 244 vm_prot_t reqprot; 245 int error, fault_flags, page_offset, writing; 246 247 /* 248 * Assert that someone has locked this vmspace. (Should be 249 * curthread but we can't assert that.) This keeps the process 250 * from exiting out from under us until this operation completes. 251 */ 252 KASSERT(p->p_lock >= 1, ("%s: process %p (pid %d) not held", __func__, 253 p, p->p_pid)); 254 255 /* 256 * The map we want... 257 */ 258 map = &p->p_vmspace->vm_map; 259 260 /* 261 * If we are writing, then we request vm_fault() to create a private 262 * copy of each page. Since these copies will not be writeable by the 263 * process, we must explicity request that they be dirtied. 264 */ 265 writing = uio->uio_rw == UIO_WRITE; 266 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ; 267 fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL; 268 269 /* 270 * Only map in one page at a time. We don't have to, but it 271 * makes things easier. This way is trivial - right? 272 */ 273 do { 274 vm_offset_t uva; 275 u_int len; 276 vm_page_t m; 277 278 uva = (vm_offset_t)uio->uio_offset; 279 280 /* 281 * Get the page number of this segment. 282 */ 283 pageno = trunc_page(uva); 284 page_offset = uva - pageno; 285 286 /* 287 * How many bytes to copy 288 */ 289 len = min(PAGE_SIZE - page_offset, uio->uio_resid); 290 291 /* 292 * Fault and hold the page on behalf of the process. 293 */ 294 error = vm_fault_hold(map, pageno, reqprot, fault_flags, &m); 295 if (error != KERN_SUCCESS) { 296 if (error == KERN_RESOURCE_SHORTAGE) 297 error = ENOMEM; 298 else 299 error = EFAULT; 300 break; 301 } 302 303 /* 304 * Now do the i/o move. 305 */ 306 error = uiomove_fromphys(&m, page_offset, len, uio); 307 308 /* Make the I-cache coherent for breakpoints. */ 309 if (writing && error == 0) { 310 vm_map_lock_read(map); 311 if (vm_map_check_protection(map, pageno, pageno + 312 PAGE_SIZE, VM_PROT_EXECUTE)) 313 vm_sync_icache(map, uva, len); 314 vm_map_unlock_read(map); 315 } 316 317 /* 318 * Release the page. 319 */ 320 vm_page_lock(m); 321 vm_page_unhold(m); 322 vm_page_unlock(m); 323 324 } while (error == 0 && uio->uio_resid > 0); 325 326 return (error); 327 } 328 329 static int 330 ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve) 331 { 332 struct vattr vattr; 333 vm_map_t map; 334 vm_map_entry_t entry; 335 vm_object_t obj, tobj, lobj; 336 struct vmspace *vm; 337 struct vnode *vp; 338 char *freepath, *fullpath; 339 u_int pathlen; 340 int error, index; 341 342 error = 0; 343 obj = NULL; 344 345 vm = vmspace_acquire_ref(p); 346 map = &vm->vm_map; 347 vm_map_lock_read(map); 348 349 do { 350 entry = map->header.next; 351 index = 0; 352 while (index < pve->pve_entry && entry != &map->header) { 353 entry = entry->next; 354 index++; 355 } 356 if (index != pve->pve_entry) { 357 error = EINVAL; 358 break; 359 } 360 while (entry != &map->header && 361 (entry->eflags & MAP_ENTRY_IS_SUB_MAP) != 0) { 362 entry = entry->next; 363 index++; 364 } 365 if (entry == &map->header) { 366 error = ENOENT; 367 break; 368 } 369 370 /* We got an entry. */ 371 pve->pve_entry = index + 1; 372 pve->pve_timestamp = map->timestamp; 373 pve->pve_start = entry->start; 374 pve->pve_end = entry->end - 1; 375 pve->pve_offset = entry->offset; 376 pve->pve_prot = entry->protection; 377 378 /* Backing object's path needed? */ 379 if (pve->pve_pathlen == 0) 380 break; 381 382 pathlen = pve->pve_pathlen; 383 pve->pve_pathlen = 0; 384 385 obj = entry->object.vm_object; 386 if (obj != NULL) 387 VM_OBJECT_RLOCK(obj); 388 } while (0); 389 390 vm_map_unlock_read(map); 391 vmspace_free(vm); 392 393 pve->pve_fsid = VNOVAL; 394 pve->pve_fileid = VNOVAL; 395 396 if (error == 0 && obj != NULL) { 397 lobj = obj; 398 for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { 399 if (tobj != obj) 400 VM_OBJECT_RLOCK(tobj); 401 if (lobj != obj) 402 VM_OBJECT_RUNLOCK(lobj); 403 lobj = tobj; 404 pve->pve_offset += tobj->backing_object_offset; 405 } 406 vp = vm_object_vnode(lobj); 407 if (vp != NULL) 408 vref(vp); 409 if (lobj != obj) 410 VM_OBJECT_RUNLOCK(lobj); 411 VM_OBJECT_RUNLOCK(obj); 412 413 if (vp != NULL) { 414 freepath = NULL; 415 fullpath = NULL; 416 vn_fullpath(td, vp, &fullpath, &freepath); 417 vn_lock(vp, LK_SHARED | LK_RETRY); 418 if (VOP_GETATTR(vp, &vattr, td->td_ucred) == 0) { 419 pve->pve_fileid = vattr.va_fileid; 420 pve->pve_fsid = vattr.va_fsid; 421 } 422 vput(vp); 423 424 if (fullpath != NULL) { 425 pve->pve_pathlen = strlen(fullpath) + 1; 426 if (pve->pve_pathlen <= pathlen) { 427 error = copyout(fullpath, pve->pve_path, 428 pve->pve_pathlen); 429 } else 430 error = ENAMETOOLONG; 431 } 432 if (freepath != NULL) 433 free(freepath, M_TEMP); 434 } 435 } 436 if (error == 0) 437 CTR3(KTR_PTRACE, "PT_VM_ENTRY: pid %d, entry %d, start %p", 438 p->p_pid, pve->pve_entry, pve->pve_start); 439 440 return (error); 441 } 442 443 #ifdef COMPAT_FREEBSD32 444 static int 445 ptrace_vm_entry32(struct thread *td, struct proc *p, 446 struct ptrace_vm_entry32 *pve32) 447 { 448 struct ptrace_vm_entry pve; 449 int error; 450 451 pve.pve_entry = pve32->pve_entry; 452 pve.pve_pathlen = pve32->pve_pathlen; 453 pve.pve_path = (void *)(uintptr_t)pve32->pve_path; 454 455 error = ptrace_vm_entry(td, p, &pve); 456 if (error == 0) { 457 pve32->pve_entry = pve.pve_entry; 458 pve32->pve_timestamp = pve.pve_timestamp; 459 pve32->pve_start = pve.pve_start; 460 pve32->pve_end = pve.pve_end; 461 pve32->pve_offset = pve.pve_offset; 462 pve32->pve_prot = pve.pve_prot; 463 pve32->pve_fileid = pve.pve_fileid; 464 pve32->pve_fsid = pve.pve_fsid; 465 } 466 467 pve32->pve_pathlen = pve.pve_pathlen; 468 return (error); 469 } 470 471 static void 472 ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, 473 struct ptrace_lwpinfo32 *pl32) 474 { 475 476 pl32->pl_lwpid = pl->pl_lwpid; 477 pl32->pl_event = pl->pl_event; 478 pl32->pl_flags = pl->pl_flags; 479 pl32->pl_sigmask = pl->pl_sigmask; 480 pl32->pl_siglist = pl->pl_siglist; 481 siginfo_to_siginfo32(&pl->pl_siginfo, &pl32->pl_siginfo); 482 strcpy(pl32->pl_tdname, pl->pl_tdname); 483 pl32->pl_child_pid = pl->pl_child_pid; 484 } 485 #endif /* COMPAT_FREEBSD32 */ 486 487 /* 488 * Process debugging system call. 489 */ 490 #ifndef _SYS_SYSPROTO_H_ 491 struct ptrace_args { 492 int req; 493 pid_t pid; 494 caddr_t addr; 495 int data; 496 }; 497 #endif 498 499 #ifdef COMPAT_FREEBSD32 500 /* 501 * This CPP subterfuge is to try and reduce the number of ifdefs in 502 * the body of the code. 503 * COPYIN(uap->addr, &r.reg, sizeof r.reg); 504 * becomes either: 505 * copyin(uap->addr, &r.reg, sizeof r.reg); 506 * or 507 * copyin(uap->addr, &r.reg32, sizeof r.reg32); 508 * .. except this is done at runtime. 509 */ 510 #define COPYIN(u, k, s) wrap32 ? \ 511 copyin(u, k ## 32, s ## 32) : \ 512 copyin(u, k, s) 513 #define COPYOUT(k, u, s) wrap32 ? \ 514 copyout(k ## 32, u, s ## 32) : \ 515 copyout(k, u, s) 516 #else 517 #define COPYIN(u, k, s) copyin(u, k, s) 518 #define COPYOUT(k, u, s) copyout(k, u, s) 519 #endif 520 int 521 sys_ptrace(struct thread *td, struct ptrace_args *uap) 522 { 523 /* 524 * XXX this obfuscation is to reduce stack usage, but the register 525 * structs may be too large to put on the stack anyway. 526 */ 527 union { 528 struct ptrace_io_desc piod; 529 struct ptrace_lwpinfo pl; 530 struct ptrace_vm_entry pve; 531 struct dbreg dbreg; 532 struct fpreg fpreg; 533 struct reg reg; 534 #ifdef COMPAT_FREEBSD32 535 struct dbreg32 dbreg32; 536 struct fpreg32 fpreg32; 537 struct reg32 reg32; 538 struct ptrace_io_desc32 piod32; 539 struct ptrace_lwpinfo32 pl32; 540 struct ptrace_vm_entry32 pve32; 541 #endif 542 } r; 543 void *addr; 544 int error = 0; 545 #ifdef COMPAT_FREEBSD32 546 int wrap32 = 0; 547 548 if (SV_CURPROC_FLAG(SV_ILP32)) 549 wrap32 = 1; 550 #endif 551 AUDIT_ARG_PID(uap->pid); 552 AUDIT_ARG_CMD(uap->req); 553 AUDIT_ARG_VALUE(uap->data); 554 addr = &r; 555 switch (uap->req) { 556 case PT_GETREGS: 557 case PT_GETFPREGS: 558 case PT_GETDBREGS: 559 case PT_LWPINFO: 560 break; 561 case PT_SETREGS: 562 error = COPYIN(uap->addr, &r.reg, sizeof r.reg); 563 break; 564 case PT_SETFPREGS: 565 error = COPYIN(uap->addr, &r.fpreg, sizeof r.fpreg); 566 break; 567 case PT_SETDBREGS: 568 error = COPYIN(uap->addr, &r.dbreg, sizeof r.dbreg); 569 break; 570 case PT_IO: 571 error = COPYIN(uap->addr, &r.piod, sizeof r.piod); 572 break; 573 case PT_VM_ENTRY: 574 error = COPYIN(uap->addr, &r.pve, sizeof r.pve); 575 break; 576 default: 577 addr = uap->addr; 578 break; 579 } 580 if (error) 581 return (error); 582 583 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data); 584 if (error) 585 return (error); 586 587 switch (uap->req) { 588 case PT_VM_ENTRY: 589 error = COPYOUT(&r.pve, uap->addr, sizeof r.pve); 590 break; 591 case PT_IO: 592 error = COPYOUT(&r.piod, uap->addr, sizeof r.piod); 593 break; 594 case PT_GETREGS: 595 error = COPYOUT(&r.reg, uap->addr, sizeof r.reg); 596 break; 597 case PT_GETFPREGS: 598 error = COPYOUT(&r.fpreg, uap->addr, sizeof r.fpreg); 599 break; 600 case PT_GETDBREGS: 601 error = COPYOUT(&r.dbreg, uap->addr, sizeof r.dbreg); 602 break; 603 case PT_LWPINFO: 604 error = copyout(&r.pl, uap->addr, uap->data); 605 break; 606 } 607 608 return (error); 609 } 610 #undef COPYIN 611 #undef COPYOUT 612 613 #ifdef COMPAT_FREEBSD32 614 /* 615 * PROC_READ(regs, td2, addr); 616 * becomes either: 617 * proc_read_regs(td2, addr); 618 * or 619 * proc_read_regs32(td2, addr); 620 * .. except this is done at runtime. There is an additional 621 * complication in that PROC_WRITE disallows 32 bit consumers 622 * from writing to 64 bit address space targets. 623 */ 624 #define PROC_READ(w, t, a) wrap32 ? \ 625 proc_read_ ## w ## 32(t, a) : \ 626 proc_read_ ## w (t, a) 627 #define PROC_WRITE(w, t, a) wrap32 ? \ 628 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \ 629 proc_write_ ## w (t, a) 630 #else 631 #define PROC_READ(w, t, a) proc_read_ ## w (t, a) 632 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a) 633 #endif 634 635 int 636 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) 637 { 638 struct iovec iov; 639 struct uio uio; 640 struct proc *curp, *p, *pp; 641 struct thread *td2 = NULL, *td3; 642 struct ptrace_io_desc *piod = NULL; 643 struct ptrace_lwpinfo *pl; 644 int error, write, tmp, num; 645 int proctree_locked = 0; 646 lwpid_t tid = 0, *buf; 647 #ifdef COMPAT_FREEBSD32 648 int wrap32 = 0, safe = 0; 649 struct ptrace_io_desc32 *piod32 = NULL; 650 struct ptrace_lwpinfo32 *pl32 = NULL; 651 struct ptrace_lwpinfo plr; 652 #endif 653 654 curp = td->td_proc; 655 656 /* Lock proctree before locking the process. */ 657 switch (req) { 658 case PT_TRACE_ME: 659 case PT_ATTACH: 660 case PT_STEP: 661 case PT_CONTINUE: 662 case PT_TO_SCE: 663 case PT_TO_SCX: 664 case PT_SYSCALL: 665 case PT_FOLLOW_FORK: 666 case PT_DETACH: 667 sx_xlock(&proctree_lock); 668 proctree_locked = 1; 669 break; 670 default: 671 break; 672 } 673 674 write = 0; 675 if (req == PT_TRACE_ME) { 676 p = td->td_proc; 677 PROC_LOCK(p); 678 } else { 679 if (pid <= PID_MAX) { 680 if ((p = pfind(pid)) == NULL) { 681 if (proctree_locked) 682 sx_xunlock(&proctree_lock); 683 return (ESRCH); 684 } 685 } else { 686 td2 = tdfind(pid, -1); 687 if (td2 == NULL) { 688 if (proctree_locked) 689 sx_xunlock(&proctree_lock); 690 return (ESRCH); 691 } 692 p = td2->td_proc; 693 tid = pid; 694 pid = p->p_pid; 695 } 696 } 697 AUDIT_ARG_PROCESS(p); 698 699 if ((p->p_flag & P_WEXIT) != 0) { 700 error = ESRCH; 701 goto fail; 702 } 703 if ((error = p_cansee(td, p)) != 0) 704 goto fail; 705 706 if ((error = p_candebug(td, p)) != 0) 707 goto fail; 708 709 /* 710 * System processes can't be debugged. 711 */ 712 if ((p->p_flag & P_SYSTEM) != 0) { 713 error = EINVAL; 714 goto fail; 715 } 716 717 if (tid == 0) { 718 if ((p->p_flag & P_STOPPED_TRACE) != 0) { 719 KASSERT(p->p_xthread != NULL, ("NULL p_xthread")); 720 td2 = p->p_xthread; 721 } else { 722 td2 = FIRST_THREAD_IN_PROC(p); 723 } 724 tid = td2->td_tid; 725 } 726 727 #ifdef COMPAT_FREEBSD32 728 /* 729 * Test if we're a 32 bit client and what the target is. 730 * Set the wrap controls accordingly. 731 */ 732 if (SV_CURPROC_FLAG(SV_ILP32)) { 733 if (SV_PROC_FLAG(td2->td_proc, SV_ILP32)) 734 safe = 1; 735 wrap32 = 1; 736 } 737 #endif 738 /* 739 * Permissions check 740 */ 741 switch (req) { 742 case PT_TRACE_ME: 743 /* Always legal. */ 744 break; 745 746 case PT_ATTACH: 747 /* Self */ 748 if (p->p_pid == td->td_proc->p_pid) { 749 error = EINVAL; 750 goto fail; 751 } 752 753 /* Already traced */ 754 if (p->p_flag & P_TRACED) { 755 error = EBUSY; 756 goto fail; 757 } 758 759 /* Can't trace an ancestor if you're being traced. */ 760 if (curp->p_flag & P_TRACED) { 761 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) { 762 if (pp == p) { 763 error = EINVAL; 764 goto fail; 765 } 766 } 767 } 768 769 770 /* OK */ 771 break; 772 773 case PT_CLEARSTEP: 774 /* Allow thread to clear single step for itself */ 775 if (td->td_tid == tid) 776 break; 777 778 /* FALLTHROUGH */ 779 default: 780 /* not being traced... */ 781 if ((p->p_flag & P_TRACED) == 0) { 782 error = EPERM; 783 goto fail; 784 } 785 786 /* not being traced by YOU */ 787 if (p->p_pptr != td->td_proc) { 788 error = EBUSY; 789 goto fail; 790 } 791 792 /* not currently stopped */ 793 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) == 0 || 794 p->p_suspcount != p->p_numthreads || 795 (p->p_flag & P_WAITED) == 0) { 796 error = EBUSY; 797 goto fail; 798 } 799 800 if ((p->p_flag & P_STOPPED_TRACE) == 0) { 801 static int count = 0; 802 if (count++ == 0) 803 printf("P_STOPPED_TRACE not set.\n"); 804 } 805 806 /* OK */ 807 break; 808 } 809 810 /* Keep this process around until we finish this request. */ 811 _PHOLD(p); 812 813 #ifdef FIX_SSTEP 814 /* 815 * Single step fixup ala procfs 816 */ 817 FIX_SSTEP(td2); 818 #endif 819 820 /* 821 * Actually do the requests 822 */ 823 824 td->td_retval[0] = 0; 825 826 switch (req) { 827 case PT_TRACE_ME: 828 /* set my trace flag and "owner" so it can read/write me */ 829 p->p_flag |= P_TRACED; 830 if (p->p_flag & P_PPWAIT) 831 p->p_flag |= P_PPTRACE; 832 p->p_oppid = p->p_pptr->p_pid; 833 CTR1(KTR_PTRACE, "PT_TRACE_ME: pid %d", p->p_pid); 834 break; 835 836 case PT_ATTACH: 837 /* security check done above */ 838 /* 839 * It would be nice if the tracing relationship was separate 840 * from the parent relationship but that would require 841 * another set of links in the proc struct or for "wait" 842 * to scan the entire proc table. To make life easier, 843 * we just re-parent the process we're trying to trace. 844 * The old parent is remembered so we can put things back 845 * on a "detach". 846 */ 847 p->p_flag |= P_TRACED; 848 p->p_oppid = p->p_pptr->p_pid; 849 if (p->p_pptr != td->td_proc) { 850 proc_reparent(p, td->td_proc); 851 } 852 data = SIGSTOP; 853 CTR2(KTR_PTRACE, "PT_ATTACH: pid %d, oppid %d", p->p_pid, 854 p->p_oppid); 855 goto sendsig; /* in PT_CONTINUE below */ 856 857 case PT_CLEARSTEP: 858 CTR2(KTR_PTRACE, "PT_CLEARSTEP: tid %d (pid %d)", td2->td_tid, 859 p->p_pid); 860 error = ptrace_clear_single_step(td2); 861 break; 862 863 case PT_SETSTEP: 864 CTR2(KTR_PTRACE, "PT_SETSTEP: tid %d (pid %d)", td2->td_tid, 865 p->p_pid); 866 error = ptrace_single_step(td2); 867 break; 868 869 case PT_SUSPEND: 870 CTR2(KTR_PTRACE, "PT_SUSPEND: tid %d (pid %d)", td2->td_tid, 871 p->p_pid); 872 td2->td_dbgflags |= TDB_SUSPEND; 873 thread_lock(td2); 874 td2->td_flags |= TDF_NEEDSUSPCHK; 875 thread_unlock(td2); 876 break; 877 878 case PT_RESUME: 879 CTR2(KTR_PTRACE, "PT_RESUME: tid %d (pid %d)", td2->td_tid, 880 p->p_pid); 881 td2->td_dbgflags &= ~TDB_SUSPEND; 882 break; 883 884 case PT_FOLLOW_FORK: 885 CTR3(KTR_PTRACE, "PT_FOLLOW_FORK: pid %d %s -> %s", p->p_pid, 886 p->p_flag & P_FOLLOWFORK ? "enabled" : "disabled", 887 data ? "enabled" : "disabled"); 888 if (data) 889 p->p_flag |= P_FOLLOWFORK; 890 else 891 p->p_flag &= ~P_FOLLOWFORK; 892 break; 893 894 case PT_STEP: 895 case PT_CONTINUE: 896 case PT_TO_SCE: 897 case PT_TO_SCX: 898 case PT_SYSCALL: 899 case PT_DETACH: 900 /* Zero means do not send any signal */ 901 if (data < 0 || data > _SIG_MAXSIG) { 902 error = EINVAL; 903 break; 904 } 905 906 switch (req) { 907 case PT_STEP: 908 CTR2(KTR_PTRACE, "PT_STEP: tid %d (pid %d)", 909 td2->td_tid, p->p_pid); 910 error = ptrace_single_step(td2); 911 if (error) 912 goto out; 913 break; 914 case PT_CONTINUE: 915 case PT_TO_SCE: 916 case PT_TO_SCX: 917 case PT_SYSCALL: 918 if (addr != (void *)1) { 919 error = ptrace_set_pc(td2, 920 (u_long)(uintfptr_t)addr); 921 if (error) 922 goto out; 923 } 924 switch (req) { 925 case PT_TO_SCE: 926 p->p_stops |= S_PT_SCE; 927 CTR2(KTR_PTRACE, 928 "PT_TO_SCE: pid %d, stops = %#x", p->p_pid, 929 p->p_stops); 930 break; 931 case PT_TO_SCX: 932 p->p_stops |= S_PT_SCX; 933 CTR2(KTR_PTRACE, 934 "PT_TO_SCX: pid %d, stops = %#x", p->p_pid, 935 p->p_stops); 936 break; 937 case PT_SYSCALL: 938 p->p_stops |= S_PT_SCE | S_PT_SCX; 939 CTR2(KTR_PTRACE, 940 "PT_SYSCALL: pid %d, stops = %#x", p->p_pid, 941 p->p_stops); 942 break; 943 case PT_CONTINUE: 944 CTR1(KTR_PTRACE, 945 "PT_CONTINUE: pid %d", p->p_pid); 946 break; 947 } 948 break; 949 case PT_DETACH: 950 /* 951 * Reset the process parent. 952 * 953 * NB: This clears P_TRACED before reparenting 954 * a detached process back to its original 955 * parent. Otherwise the debugee will be set 956 * as an orphan of the debugger. 957 */ 958 p->p_flag &= ~(P_TRACED | P_WAITED | P_FOLLOWFORK); 959 if (p->p_oppid != p->p_pptr->p_pid) { 960 PROC_LOCK(p->p_pptr); 961 sigqueue_take(p->p_ksi); 962 PROC_UNLOCK(p->p_pptr); 963 964 pp = proc_realparent(p); 965 proc_reparent(p, pp); 966 if (pp == initproc) 967 p->p_sigparent = SIGCHLD; 968 CTR2(KTR_PTRACE, 969 "PT_DETACH: pid %d reparented to pid %d", 970 p->p_pid, pp->p_pid); 971 } else 972 CTR1(KTR_PTRACE, "PT_DETACH: pid %d", p->p_pid); 973 p->p_oppid = 0; 974 p->p_stops = 0; 975 976 /* should we send SIGCHLD? */ 977 /* childproc_continued(p); */ 978 break; 979 } 980 981 sendsig: 982 if (proctree_locked) { 983 sx_xunlock(&proctree_lock); 984 proctree_locked = 0; 985 } 986 p->p_xsig = data; 987 p->p_xthread = NULL; 988 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) != 0) { 989 /* deliver or queue signal */ 990 td2->td_dbgflags &= ~TDB_XSIG; 991 td2->td_xsig = data; 992 993 if (req == PT_DETACH) { 994 FOREACH_THREAD_IN_PROC(p, td3) 995 td3->td_dbgflags &= ~TDB_SUSPEND; 996 } 997 /* 998 * unsuspend all threads, to not let a thread run, 999 * you should use PT_SUSPEND to suspend it before 1000 * continuing process. 1001 */ 1002 PROC_SLOCK(p); 1003 p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG|P_WAITED); 1004 thread_unsuspend(p); 1005 PROC_SUNLOCK(p); 1006 if (req == PT_ATTACH) 1007 kern_psignal(p, data); 1008 } else { 1009 if (data) 1010 kern_psignal(p, data); 1011 } 1012 break; 1013 1014 case PT_WRITE_I: 1015 case PT_WRITE_D: 1016 td2->td_dbgflags |= TDB_USERWR; 1017 write = 1; 1018 /* FALLTHROUGH */ 1019 case PT_READ_I: 1020 case PT_READ_D: 1021 PROC_UNLOCK(p); 1022 tmp = 0; 1023 /* write = 0 set above */ 1024 iov.iov_base = write ? (caddr_t)&data : (caddr_t)&tmp; 1025 iov.iov_len = sizeof(int); 1026 uio.uio_iov = &iov; 1027 uio.uio_iovcnt = 1; 1028 uio.uio_offset = (off_t)(uintptr_t)addr; 1029 uio.uio_resid = sizeof(int); 1030 uio.uio_segflg = UIO_SYSSPACE; /* i.e.: the uap */ 1031 uio.uio_rw = write ? UIO_WRITE : UIO_READ; 1032 uio.uio_td = td; 1033 error = proc_rwmem(p, &uio); 1034 if (uio.uio_resid != 0) { 1035 /* 1036 * XXX proc_rwmem() doesn't currently return ENOSPC, 1037 * so I think write() can bogusly return 0. 1038 * XXX what happens for short writes? We don't want 1039 * to write partial data. 1040 * XXX proc_rwmem() returns EPERM for other invalid 1041 * addresses. Convert this to EINVAL. Does this 1042 * clobber returns of EPERM for other reasons? 1043 */ 1044 if (error == 0 || error == ENOSPC || error == EPERM) 1045 error = EINVAL; /* EOF */ 1046 } 1047 if (!write) 1048 td->td_retval[0] = tmp; 1049 if (error == 0) { 1050 if (write) 1051 CTR3(KTR_PTRACE, "PT_WRITE: pid %d: %p <= %#x", 1052 p->p_pid, addr, data); 1053 else 1054 CTR3(KTR_PTRACE, "PT_READ: pid %d: %p >= %#x", 1055 p->p_pid, addr, tmp); 1056 } 1057 PROC_LOCK(p); 1058 break; 1059 1060 case PT_IO: 1061 #ifdef COMPAT_FREEBSD32 1062 if (wrap32) { 1063 piod32 = addr; 1064 iov.iov_base = (void *)(uintptr_t)piod32->piod_addr; 1065 iov.iov_len = piod32->piod_len; 1066 uio.uio_offset = (off_t)(uintptr_t)piod32->piod_offs; 1067 uio.uio_resid = piod32->piod_len; 1068 } else 1069 #endif 1070 { 1071 piod = addr; 1072 iov.iov_base = piod->piod_addr; 1073 iov.iov_len = piod->piod_len; 1074 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs; 1075 uio.uio_resid = piod->piod_len; 1076 } 1077 uio.uio_iov = &iov; 1078 uio.uio_iovcnt = 1; 1079 uio.uio_segflg = UIO_USERSPACE; 1080 uio.uio_td = td; 1081 #ifdef COMPAT_FREEBSD32 1082 tmp = wrap32 ? piod32->piod_op : piod->piod_op; 1083 #else 1084 tmp = piod->piod_op; 1085 #endif 1086 switch (tmp) { 1087 case PIOD_READ_D: 1088 case PIOD_READ_I: 1089 CTR3(KTR_PTRACE, "PT_IO: pid %d: READ (%p, %#x)", 1090 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1091 uio.uio_rw = UIO_READ; 1092 break; 1093 case PIOD_WRITE_D: 1094 case PIOD_WRITE_I: 1095 CTR3(KTR_PTRACE, "PT_IO: pid %d: WRITE (%p, %#x)", 1096 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1097 td2->td_dbgflags |= TDB_USERWR; 1098 uio.uio_rw = UIO_WRITE; 1099 break; 1100 default: 1101 error = EINVAL; 1102 goto out; 1103 } 1104 PROC_UNLOCK(p); 1105 error = proc_rwmem(p, &uio); 1106 #ifdef COMPAT_FREEBSD32 1107 if (wrap32) 1108 piod32->piod_len -= uio.uio_resid; 1109 else 1110 #endif 1111 piod->piod_len -= uio.uio_resid; 1112 PROC_LOCK(p); 1113 break; 1114 1115 case PT_KILL: 1116 CTR1(KTR_PTRACE, "PT_KILL: pid %d", p->p_pid); 1117 data = SIGKILL; 1118 goto sendsig; /* in PT_CONTINUE above */ 1119 1120 case PT_SETREGS: 1121 CTR2(KTR_PTRACE, "PT_SETREGS: tid %d (pid %d)", td2->td_tid, 1122 p->p_pid); 1123 td2->td_dbgflags |= TDB_USERWR; 1124 error = PROC_WRITE(regs, td2, addr); 1125 break; 1126 1127 case PT_GETREGS: 1128 CTR2(KTR_PTRACE, "PT_GETREGS: tid %d (pid %d)", td2->td_tid, 1129 p->p_pid); 1130 error = PROC_READ(regs, td2, addr); 1131 break; 1132 1133 case PT_SETFPREGS: 1134 CTR2(KTR_PTRACE, "PT_SETFPREGS: tid %d (pid %d)", td2->td_tid, 1135 p->p_pid); 1136 td2->td_dbgflags |= TDB_USERWR; 1137 error = PROC_WRITE(fpregs, td2, addr); 1138 break; 1139 1140 case PT_GETFPREGS: 1141 CTR2(KTR_PTRACE, "PT_GETFPREGS: tid %d (pid %d)", td2->td_tid, 1142 p->p_pid); 1143 error = PROC_READ(fpregs, td2, addr); 1144 break; 1145 1146 case PT_SETDBREGS: 1147 CTR2(KTR_PTRACE, "PT_SETDBREGS: tid %d (pid %d)", td2->td_tid, 1148 p->p_pid); 1149 td2->td_dbgflags |= TDB_USERWR; 1150 error = PROC_WRITE(dbregs, td2, addr); 1151 break; 1152 1153 case PT_GETDBREGS: 1154 CTR2(KTR_PTRACE, "PT_GETDBREGS: tid %d (pid %d)", td2->td_tid, 1155 p->p_pid); 1156 error = PROC_READ(dbregs, td2, addr); 1157 break; 1158 1159 case PT_LWPINFO: 1160 if (data <= 0 || 1161 #ifdef COMPAT_FREEBSD32 1162 (!wrap32 && data > sizeof(*pl)) || 1163 (wrap32 && data > sizeof(*pl32))) { 1164 #else 1165 data > sizeof(*pl)) { 1166 #endif 1167 error = EINVAL; 1168 break; 1169 } 1170 #ifdef COMPAT_FREEBSD32 1171 if (wrap32) { 1172 pl = &plr; 1173 pl32 = addr; 1174 } else 1175 #endif 1176 pl = addr; 1177 pl->pl_lwpid = td2->td_tid; 1178 pl->pl_event = PL_EVENT_NONE; 1179 pl->pl_flags = 0; 1180 if (td2->td_dbgflags & TDB_XSIG) { 1181 pl->pl_event = PL_EVENT_SIGNAL; 1182 if (td2->td_dbgksi.ksi_signo != 0 && 1183 #ifdef COMPAT_FREEBSD32 1184 ((!wrap32 && data >= offsetof(struct ptrace_lwpinfo, 1185 pl_siginfo) + sizeof(pl->pl_siginfo)) || 1186 (wrap32 && data >= offsetof(struct ptrace_lwpinfo32, 1187 pl_siginfo) + sizeof(struct siginfo32))) 1188 #else 1189 data >= offsetof(struct ptrace_lwpinfo, pl_siginfo) 1190 + sizeof(pl->pl_siginfo) 1191 #endif 1192 ){ 1193 pl->pl_flags |= PL_FLAG_SI; 1194 pl->pl_siginfo = td2->td_dbgksi.ksi_info; 1195 } 1196 } 1197 if ((pl->pl_flags & PL_FLAG_SI) == 0) 1198 bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); 1199 if (td2->td_dbgflags & TDB_SCE) 1200 pl->pl_flags |= PL_FLAG_SCE; 1201 else if (td2->td_dbgflags & TDB_SCX) 1202 pl->pl_flags |= PL_FLAG_SCX; 1203 if (td2->td_dbgflags & TDB_EXEC) 1204 pl->pl_flags |= PL_FLAG_EXEC; 1205 if (td2->td_dbgflags & TDB_FORK) { 1206 pl->pl_flags |= PL_FLAG_FORKED; 1207 pl->pl_child_pid = td2->td_dbg_forked; 1208 } 1209 if (td2->td_dbgflags & TDB_CHILD) 1210 pl->pl_flags |= PL_FLAG_CHILD; 1211 pl->pl_sigmask = td2->td_sigmask; 1212 pl->pl_siglist = td2->td_siglist; 1213 strcpy(pl->pl_tdname, td2->td_name); 1214 #ifdef COMPAT_FREEBSD32 1215 if (wrap32) 1216 ptrace_lwpinfo_to32(pl, pl32); 1217 #endif 1218 CTR5(KTR_PTRACE, 1219 "PT_LWPINFO: tid %d (pid %d) event %d flags %#x child pid %d", 1220 td2->td_tid, p->p_pid, pl->pl_event, pl->pl_flags, 1221 pl->pl_child_pid); 1222 break; 1223 1224 case PT_GETNUMLWPS: 1225 CTR2(KTR_PTRACE, "PT_GETNUMLWPS: pid %d: %d threads", p->p_pid, 1226 p->p_numthreads); 1227 td->td_retval[0] = p->p_numthreads; 1228 break; 1229 1230 case PT_GETLWPLIST: 1231 CTR3(KTR_PTRACE, "PT_GETLWPLIST: pid %d: data %d, actual %d", 1232 p->p_pid, data, p->p_numthreads); 1233 if (data <= 0) { 1234 error = EINVAL; 1235 break; 1236 } 1237 num = imin(p->p_numthreads, data); 1238 PROC_UNLOCK(p); 1239 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK); 1240 tmp = 0; 1241 PROC_LOCK(p); 1242 FOREACH_THREAD_IN_PROC(p, td2) { 1243 if (tmp >= num) 1244 break; 1245 buf[tmp++] = td2->td_tid; 1246 } 1247 PROC_UNLOCK(p); 1248 error = copyout(buf, addr, tmp * sizeof(lwpid_t)); 1249 free(buf, M_TEMP); 1250 if (!error) 1251 td->td_retval[0] = tmp; 1252 PROC_LOCK(p); 1253 break; 1254 1255 case PT_VM_TIMESTAMP: 1256 CTR2(KTR_PTRACE, "PT_VM_TIMESTAMP: pid %d: timestamp %d", 1257 p->p_pid, p->p_vmspace->vm_map.timestamp); 1258 td->td_retval[0] = p->p_vmspace->vm_map.timestamp; 1259 break; 1260 1261 case PT_VM_ENTRY: 1262 PROC_UNLOCK(p); 1263 #ifdef COMPAT_FREEBSD32 1264 if (wrap32) 1265 error = ptrace_vm_entry32(td, p, addr); 1266 else 1267 #endif 1268 error = ptrace_vm_entry(td, p, addr); 1269 PROC_LOCK(p); 1270 break; 1271 1272 default: 1273 #ifdef __HAVE_PTRACE_MACHDEP 1274 if (req >= PT_FIRSTMACH) { 1275 PROC_UNLOCK(p); 1276 error = cpu_ptrace(td2, req, addr, data); 1277 PROC_LOCK(p); 1278 } else 1279 #endif 1280 /* Unknown request. */ 1281 error = EINVAL; 1282 break; 1283 } 1284 1285 out: 1286 /* Drop our hold on this process now that the request has completed. */ 1287 _PRELE(p); 1288 fail: 1289 PROC_UNLOCK(p); 1290 if (proctree_locked) 1291 sx_xunlock(&proctree_lock); 1292 return (error); 1293 } 1294 #undef PROC_READ 1295 #undef PROC_WRITE 1296 1297 /* 1298 * Stop a process because of a debugging event; 1299 * stay stopped until p->p_step is cleared 1300 * (cleared by PIOCCONT in procfs). 1301 */ 1302 void 1303 stopevent(struct proc *p, unsigned int event, unsigned int val) 1304 { 1305 1306 PROC_LOCK_ASSERT(p, MA_OWNED); 1307 p->p_step = 1; 1308 CTR3(KTR_PTRACE, "stopevent: pid %d event %u val %u", p->p_pid, event, 1309 val); 1310 do { 1311 if (event != S_EXIT) 1312 p->p_xsig = val; 1313 p->p_xthread = NULL; 1314 p->p_stype = event; /* Which event caused the stop? */ 1315 wakeup(&p->p_stype); /* Wake up any PIOCWAIT'ing procs */ 1316 msleep(&p->p_step, &p->p_mtx, PWAIT, "stopevent", 0); 1317 } while (p->p_step); 1318 } 1319