kern_procctl.c revision 216604
1/*- 2 * Copyright (c) 1994, Sean Eric Fagan 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Sean Eric Fagan. 16 * 4. The name of the author may not be used to endorse or promote products 17 * derived from this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33__FBSDID("$FreeBSD: head/sys/kern/sys_process.c 216604 2010-12-20 22:49:31Z alc $"); 34 35#include "opt_compat.h" 36 37#include <sys/param.h> 38#include <sys/systm.h> 39#include <sys/lock.h> 40#include <sys/mutex.h> 41#include <sys/syscallsubr.h> 42#include <sys/sysent.h> 43#include <sys/sysproto.h> 44#include <sys/proc.h> 45#include <sys/vnode.h> 46#include <sys/ptrace.h> 47#include <sys/sx.h> 48#include <sys/malloc.h> 49#include <sys/signalvar.h> 50 51#include <machine/reg.h> 52 53#include <security/audit/audit.h> 54 55#include <vm/vm.h> 56#include <vm/pmap.h> 57#include <vm/vm_extern.h> 58#include <vm/vm_map.h> 59#include <vm/vm_kern.h> 60#include <vm/vm_object.h> 61#include <vm/vm_page.h> 62#include <vm/vm_pager.h> 63#include <vm/vm_param.h> 64 65#ifdef COMPAT_FREEBSD32 66#include <sys/procfs.h> 67#include <compat/freebsd32/freebsd32_signal.h> 68 69struct ptrace_io_desc32 { 70 int piod_op; 71 uint32_t piod_offs; 72 uint32_t piod_addr; 73 uint32_t piod_len; 74}; 75 76struct ptrace_vm_entry32 { 77 int pve_entry; 78 int pve_timestamp; 79 uint32_t pve_start; 80 uint32_t pve_end; 81 uint32_t pve_offset; 82 u_int pve_prot; 83 u_int pve_pathlen; 84 int32_t pve_fileid; 85 u_int pve_fsid; 86 uint32_t pve_path; 87}; 88 89struct ptrace_lwpinfo32 { 90 lwpid_t pl_lwpid; /* LWP described. */ 91 int pl_event; /* Event that stopped the LWP. */ 92 int pl_flags; /* LWP flags. */ 93 sigset_t pl_sigmask; /* LWP signal mask */ 94 sigset_t pl_siglist; /* LWP pending signal */ 95 struct siginfo32 pl_siginfo; /* siginfo for signal */ 96 char pl_tdname[MAXCOMLEN + 1]; /* LWP name. */ 97}; 98 99#endif 100 101/* 102 * Functions implemented using PROC_ACTION(): 103 * 104 * proc_read_regs(proc, regs) 105 * Get the current user-visible register set from the process 106 * and copy it into the regs structure (<machine/reg.h>). 107 * The process is stopped at the time read_regs is called. 108 * 109 * proc_write_regs(proc, regs) 110 * Update the current register set from the passed in regs 111 * structure. Take care to avoid clobbering special CPU 112 * registers or privileged bits in the PSL. 113 * Depending on the architecture this may have fix-up work to do, 114 * especially if the IAR or PCW are modified. 115 * The process is stopped at the time write_regs is called. 116 * 117 * proc_read_fpregs, proc_write_fpregs 118 * deal with the floating point register set, otherwise as above. 119 * 120 * proc_read_dbregs, proc_write_dbregs 121 * deal with the processor debug register set, otherwise as above. 122 * 123 * proc_sstep(proc) 124 * Arrange for the process to trap after executing a single instruction. 125 */ 126 127#define PROC_ACTION(action) do { \ 128 int error; \ 129 \ 130 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \ 131 if ((td->td_proc->p_flag & P_INMEM) == 0) \ 132 error = EIO; \ 133 else \ 134 error = (action); \ 135 return (error); \ 136} while(0) 137 138int 139proc_read_regs(struct thread *td, struct reg *regs) 140{ 141 142 PROC_ACTION(fill_regs(td, regs)); 143} 144 145int 146proc_write_regs(struct thread *td, struct reg *regs) 147{ 148 149 PROC_ACTION(set_regs(td, regs)); 150} 151 152int 153proc_read_dbregs(struct thread *td, struct dbreg *dbregs) 154{ 155 156 PROC_ACTION(fill_dbregs(td, dbregs)); 157} 158 159int 160proc_write_dbregs(struct thread *td, struct dbreg *dbregs) 161{ 162 163 PROC_ACTION(set_dbregs(td, dbregs)); 164} 165 166/* 167 * Ptrace doesn't support fpregs at all, and there are no security holes 168 * or translations for fpregs, so we can just copy them. 169 */ 170int 171proc_read_fpregs(struct thread *td, struct fpreg *fpregs) 172{ 173 174 PROC_ACTION(fill_fpregs(td, fpregs)); 175} 176 177int 178proc_write_fpregs(struct thread *td, struct fpreg *fpregs) 179{ 180 181 PROC_ACTION(set_fpregs(td, fpregs)); 182} 183 184#ifdef COMPAT_FREEBSD32 185/* For 32 bit binaries, we need to expose the 32 bit regs layouts. */ 186int 187proc_read_regs32(struct thread *td, struct reg32 *regs32) 188{ 189 190 PROC_ACTION(fill_regs32(td, regs32)); 191} 192 193int 194proc_write_regs32(struct thread *td, struct reg32 *regs32) 195{ 196 197 PROC_ACTION(set_regs32(td, regs32)); 198} 199 200int 201proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 202{ 203 204 PROC_ACTION(fill_dbregs32(td, dbregs32)); 205} 206 207int 208proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 209{ 210 211 PROC_ACTION(set_dbregs32(td, dbregs32)); 212} 213 214int 215proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 216{ 217 218 PROC_ACTION(fill_fpregs32(td, fpregs32)); 219} 220 221int 222proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 223{ 224 225 PROC_ACTION(set_fpregs32(td, fpregs32)); 226} 227#endif 228 229int 230proc_sstep(struct thread *td) 231{ 232 233 PROC_ACTION(ptrace_single_step(td)); 234} 235 236int 237proc_rwmem(struct proc *p, struct uio *uio) 238{ 239 vm_map_t map; 240 vm_offset_t pageno; /* page number */ 241 vm_prot_t reqprot; 242 int error, fault_flags, page_offset, writing; 243 244 /* 245 * Assert that someone has locked this vmspace. (Should be 246 * curthread but we can't assert that.) This keeps the process 247 * from exiting out from under us until this operation completes. 248 */ 249 KASSERT(p->p_lock >= 1, ("%s: process %p (pid %d) not held", __func__, 250 p, p->p_pid)); 251 252 /* 253 * The map we want... 254 */ 255 map = &p->p_vmspace->vm_map; 256 257 /* 258 * If we are writing, then we request vm_fault() to create a private 259 * copy of each page. Since these copies will not be writeable by the 260 * process, we must explicity request that they be dirtied. 261 */ 262 writing = uio->uio_rw == UIO_WRITE; 263 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ; 264 fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL; 265 266 /* 267 * Only map in one page at a time. We don't have to, but it 268 * makes things easier. This way is trivial - right? 269 */ 270 do { 271 vm_offset_t uva; 272 u_int len; 273 vm_page_t m; 274 275 uva = (vm_offset_t)uio->uio_offset; 276 277 /* 278 * Get the page number of this segment. 279 */ 280 pageno = trunc_page(uva); 281 page_offset = uva - pageno; 282 283 /* 284 * How many bytes to copy 285 */ 286 len = min(PAGE_SIZE - page_offset, uio->uio_resid); 287 288 /* 289 * Fault and hold the page on behalf of the process. 290 */ 291 error = vm_fault_hold(map, pageno, reqprot, fault_flags, &m); 292 if (error != KERN_SUCCESS) { 293 if (error == KERN_RESOURCE_SHORTAGE) 294 error = ENOMEM; 295 else 296 error = EFAULT; 297 break; 298 } 299 300 /* 301 * Now do the i/o move. 302 */ 303 error = uiomove_fromphys(&m, page_offset, len, uio); 304 305 /* Make the I-cache coherent for breakpoints. */ 306 if (writing && error == 0) { 307 vm_map_lock_read(map); 308 if (vm_map_check_protection(map, pageno, pageno + 309 PAGE_SIZE, VM_PROT_EXECUTE)) 310 vm_sync_icache(map, uva, len); 311 vm_map_unlock_read(map); 312 } 313 314 /* 315 * Release the page. 316 */ 317 vm_page_lock(m); 318 vm_page_unhold(m); 319 vm_page_unlock(m); 320 321 } while (error == 0 && uio->uio_resid > 0); 322 323 return (error); 324} 325 326static int 327ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve) 328{ 329 struct vattr vattr; 330 vm_map_t map; 331 vm_map_entry_t entry; 332 vm_object_t obj, tobj, lobj; 333 struct vmspace *vm; 334 struct vnode *vp; 335 char *freepath, *fullpath; 336 u_int pathlen; 337 int error, index, vfslocked; 338 339 error = 0; 340 obj = NULL; 341 342 vm = vmspace_acquire_ref(p); 343 map = &vm->vm_map; 344 vm_map_lock_read(map); 345 346 do { 347 entry = map->header.next; 348 index = 0; 349 while (index < pve->pve_entry && entry != &map->header) { 350 entry = entry->next; 351 index++; 352 } 353 if (index != pve->pve_entry) { 354 error = EINVAL; 355 break; 356 } 357 while (entry != &map->header && 358 (entry->eflags & MAP_ENTRY_IS_SUB_MAP) != 0) { 359 entry = entry->next; 360 index++; 361 } 362 if (entry == &map->header) { 363 error = ENOENT; 364 break; 365 } 366 367 /* We got an entry. */ 368 pve->pve_entry = index + 1; 369 pve->pve_timestamp = map->timestamp; 370 pve->pve_start = entry->start; 371 pve->pve_end = entry->end - 1; 372 pve->pve_offset = entry->offset; 373 pve->pve_prot = entry->protection; 374 375 /* Backing object's path needed? */ 376 if (pve->pve_pathlen == 0) 377 break; 378 379 pathlen = pve->pve_pathlen; 380 pve->pve_pathlen = 0; 381 382 obj = entry->object.vm_object; 383 if (obj != NULL) 384 VM_OBJECT_LOCK(obj); 385 } while (0); 386 387 vm_map_unlock_read(map); 388 vmspace_free(vm); 389 390 pve->pve_fsid = VNOVAL; 391 pve->pve_fileid = VNOVAL; 392 393 if (error == 0 && obj != NULL) { 394 lobj = obj; 395 for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { 396 if (tobj != obj) 397 VM_OBJECT_LOCK(tobj); 398 if (lobj != obj) 399 VM_OBJECT_UNLOCK(lobj); 400 lobj = tobj; 401 pve->pve_offset += tobj->backing_object_offset; 402 } 403 vp = (lobj->type == OBJT_VNODE) ? lobj->handle : NULL; 404 if (vp != NULL) 405 vref(vp); 406 if (lobj != obj) 407 VM_OBJECT_UNLOCK(lobj); 408 VM_OBJECT_UNLOCK(obj); 409 410 if (vp != NULL) { 411 freepath = NULL; 412 fullpath = NULL; 413 vn_fullpath(td, vp, &fullpath, &freepath); 414 vfslocked = VFS_LOCK_GIANT(vp->v_mount); 415 vn_lock(vp, LK_SHARED | LK_RETRY); 416 if (VOP_GETATTR(vp, &vattr, td->td_ucred) == 0) { 417 pve->pve_fileid = vattr.va_fileid; 418 pve->pve_fsid = vattr.va_fsid; 419 } 420 vput(vp); 421 VFS_UNLOCK_GIANT(vfslocked); 422 423 if (fullpath != NULL) { 424 pve->pve_pathlen = strlen(fullpath) + 1; 425 if (pve->pve_pathlen <= pathlen) { 426 error = copyout(fullpath, pve->pve_path, 427 pve->pve_pathlen); 428 } else 429 error = ENAMETOOLONG; 430 } 431 if (freepath != NULL) 432 free(freepath, M_TEMP); 433 } 434 } 435 436 return (error); 437} 438 439#ifdef COMPAT_FREEBSD32 440static int 441ptrace_vm_entry32(struct thread *td, struct proc *p, 442 struct ptrace_vm_entry32 *pve32) 443{ 444 struct ptrace_vm_entry pve; 445 int error; 446 447 pve.pve_entry = pve32->pve_entry; 448 pve.pve_pathlen = pve32->pve_pathlen; 449 pve.pve_path = (void *)(uintptr_t)pve32->pve_path; 450 451 error = ptrace_vm_entry(td, p, &pve); 452 if (error == 0) { 453 pve32->pve_entry = pve.pve_entry; 454 pve32->pve_timestamp = pve.pve_timestamp; 455 pve32->pve_start = pve.pve_start; 456 pve32->pve_end = pve.pve_end; 457 pve32->pve_offset = pve.pve_offset; 458 pve32->pve_prot = pve.pve_prot; 459 pve32->pve_fileid = pve.pve_fileid; 460 pve32->pve_fsid = pve.pve_fsid; 461 } 462 463 pve32->pve_pathlen = pve.pve_pathlen; 464 return (error); 465} 466 467static void 468ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, 469 struct ptrace_lwpinfo32 *pl32) 470{ 471 472 pl32->pl_lwpid = pl->pl_lwpid; 473 pl32->pl_event = pl->pl_event; 474 pl32->pl_flags = pl->pl_flags; 475 pl32->pl_sigmask = pl->pl_sigmask; 476 pl32->pl_siglist = pl->pl_siglist; 477 siginfo_to_siginfo32(&pl->pl_siginfo, &pl32->pl_siginfo); 478 strcpy(pl32->pl_tdname, pl->pl_tdname); 479} 480#endif /* COMPAT_FREEBSD32 */ 481 482/* 483 * Process debugging system call. 484 */ 485#ifndef _SYS_SYSPROTO_H_ 486struct ptrace_args { 487 int req; 488 pid_t pid; 489 caddr_t addr; 490 int data; 491}; 492#endif 493 494#ifdef COMPAT_FREEBSD32 495/* 496 * This CPP subterfuge is to try and reduce the number of ifdefs in 497 * the body of the code. 498 * COPYIN(uap->addr, &r.reg, sizeof r.reg); 499 * becomes either: 500 * copyin(uap->addr, &r.reg, sizeof r.reg); 501 * or 502 * copyin(uap->addr, &r.reg32, sizeof r.reg32); 503 * .. except this is done at runtime. 504 */ 505#define COPYIN(u, k, s) wrap32 ? \ 506 copyin(u, k ## 32, s ## 32) : \ 507 copyin(u, k, s) 508#define COPYOUT(k, u, s) wrap32 ? \ 509 copyout(k ## 32, u, s ## 32) : \ 510 copyout(k, u, s) 511#else 512#define COPYIN(u, k, s) copyin(u, k, s) 513#define COPYOUT(k, u, s) copyout(k, u, s) 514#endif 515int 516ptrace(struct thread *td, struct ptrace_args *uap) 517{ 518 /* 519 * XXX this obfuscation is to reduce stack usage, but the register 520 * structs may be too large to put on the stack anyway. 521 */ 522 union { 523 struct ptrace_io_desc piod; 524 struct ptrace_lwpinfo pl; 525 struct ptrace_vm_entry pve; 526 struct dbreg dbreg; 527 struct fpreg fpreg; 528 struct reg reg; 529#ifdef COMPAT_FREEBSD32 530 struct dbreg32 dbreg32; 531 struct fpreg32 fpreg32; 532 struct reg32 reg32; 533 struct ptrace_io_desc32 piod32; 534 struct ptrace_lwpinfo32 pl32; 535 struct ptrace_vm_entry32 pve32; 536#endif 537 } r; 538 void *addr; 539 int error = 0; 540#ifdef COMPAT_FREEBSD32 541 int wrap32 = 0; 542 543 if (SV_CURPROC_FLAG(SV_ILP32)) 544 wrap32 = 1; 545#endif 546 AUDIT_ARG_PID(uap->pid); 547 AUDIT_ARG_CMD(uap->req); 548 AUDIT_ARG_VALUE(uap->data); 549 addr = &r; 550 switch (uap->req) { 551 case PT_GETREGS: 552 case PT_GETFPREGS: 553 case PT_GETDBREGS: 554 case PT_LWPINFO: 555 break; 556 case PT_SETREGS: 557 error = COPYIN(uap->addr, &r.reg, sizeof r.reg); 558 break; 559 case PT_SETFPREGS: 560 error = COPYIN(uap->addr, &r.fpreg, sizeof r.fpreg); 561 break; 562 case PT_SETDBREGS: 563 error = COPYIN(uap->addr, &r.dbreg, sizeof r.dbreg); 564 break; 565 case PT_IO: 566 error = COPYIN(uap->addr, &r.piod, sizeof r.piod); 567 break; 568 case PT_VM_ENTRY: 569 error = COPYIN(uap->addr, &r.pve, sizeof r.pve); 570 break; 571 default: 572 addr = uap->addr; 573 break; 574 } 575 if (error) 576 return (error); 577 578 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data); 579 if (error) 580 return (error); 581 582 switch (uap->req) { 583 case PT_VM_ENTRY: 584 error = COPYOUT(&r.pve, uap->addr, sizeof r.pve); 585 break; 586 case PT_IO: 587 error = COPYOUT(&r.piod, uap->addr, sizeof r.piod); 588 break; 589 case PT_GETREGS: 590 error = COPYOUT(&r.reg, uap->addr, sizeof r.reg); 591 break; 592 case PT_GETFPREGS: 593 error = COPYOUT(&r.fpreg, uap->addr, sizeof r.fpreg); 594 break; 595 case PT_GETDBREGS: 596 error = COPYOUT(&r.dbreg, uap->addr, sizeof r.dbreg); 597 break; 598 case PT_LWPINFO: 599 error = copyout(&r.pl, uap->addr, uap->data); 600 break; 601 } 602 603 return (error); 604} 605#undef COPYIN 606#undef COPYOUT 607 608#ifdef COMPAT_FREEBSD32 609/* 610 * PROC_READ(regs, td2, addr); 611 * becomes either: 612 * proc_read_regs(td2, addr); 613 * or 614 * proc_read_regs32(td2, addr); 615 * .. except this is done at runtime. There is an additional 616 * complication in that PROC_WRITE disallows 32 bit consumers 617 * from writing to 64 bit address space targets. 618 */ 619#define PROC_READ(w, t, a) wrap32 ? \ 620 proc_read_ ## w ## 32(t, a) : \ 621 proc_read_ ## w (t, a) 622#define PROC_WRITE(w, t, a) wrap32 ? \ 623 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \ 624 proc_write_ ## w (t, a) 625#else 626#define PROC_READ(w, t, a) proc_read_ ## w (t, a) 627#define PROC_WRITE(w, t, a) proc_write_ ## w (t, a) 628#endif 629 630int 631kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) 632{ 633 struct iovec iov; 634 struct uio uio; 635 struct proc *curp, *p, *pp; 636 struct thread *td2 = NULL; 637 struct ptrace_io_desc *piod = NULL; 638 struct ptrace_lwpinfo *pl; 639 int error, write, tmp, num; 640 int proctree_locked = 0; 641 lwpid_t tid = 0, *buf; 642#ifdef COMPAT_FREEBSD32 643 int wrap32 = 0, safe = 0; 644 struct ptrace_io_desc32 *piod32 = NULL; 645 struct ptrace_lwpinfo32 *pl32 = NULL; 646 struct ptrace_lwpinfo plr; 647#endif 648 649 curp = td->td_proc; 650 651 /* Lock proctree before locking the process. */ 652 switch (req) { 653 case PT_TRACE_ME: 654 case PT_ATTACH: 655 case PT_STEP: 656 case PT_CONTINUE: 657 case PT_TO_SCE: 658 case PT_TO_SCX: 659 case PT_SYSCALL: 660 case PT_DETACH: 661 sx_xlock(&proctree_lock); 662 proctree_locked = 1; 663 break; 664 default: 665 break; 666 } 667 668 write = 0; 669 if (req == PT_TRACE_ME) { 670 p = td->td_proc; 671 PROC_LOCK(p); 672 } else { 673 if (pid <= PID_MAX) { 674 if ((p = pfind(pid)) == NULL) { 675 if (proctree_locked) 676 sx_xunlock(&proctree_lock); 677 return (ESRCH); 678 } 679 } else { 680 td2 = tdfind(pid, -1); 681 if (td2 == NULL) { 682 if (proctree_locked) 683 sx_xunlock(&proctree_lock); 684 return (ESRCH); 685 } 686 p = td2->td_proc; 687 tid = pid; 688 pid = p->p_pid; 689 } 690 } 691 AUDIT_ARG_PROCESS(p); 692 693 if ((p->p_flag & P_WEXIT) != 0) { 694 error = ESRCH; 695 goto fail; 696 } 697 if ((error = p_cansee(td, p)) != 0) 698 goto fail; 699 700 if ((error = p_candebug(td, p)) != 0) 701 goto fail; 702 703 /* 704 * System processes can't be debugged. 705 */ 706 if ((p->p_flag & P_SYSTEM) != 0) { 707 error = EINVAL; 708 goto fail; 709 } 710 711 if (tid == 0) { 712 if ((p->p_flag & P_STOPPED_TRACE) != 0) { 713 KASSERT(p->p_xthread != NULL, ("NULL p_xthread")); 714 td2 = p->p_xthread; 715 } else { 716 td2 = FIRST_THREAD_IN_PROC(p); 717 } 718 tid = td2->td_tid; 719 } 720 721#ifdef COMPAT_FREEBSD32 722 /* 723 * Test if we're a 32 bit client and what the target is. 724 * Set the wrap controls accordingly. 725 */ 726 if (SV_CURPROC_FLAG(SV_ILP32)) { 727 if (td2->td_proc->p_sysent->sv_flags & SV_ILP32) 728 safe = 1; 729 wrap32 = 1; 730 } 731#endif 732 /* 733 * Permissions check 734 */ 735 switch (req) { 736 case PT_TRACE_ME: 737 /* Always legal. */ 738 break; 739 740 case PT_ATTACH: 741 /* Self */ 742 if (p->p_pid == td->td_proc->p_pid) { 743 error = EINVAL; 744 goto fail; 745 } 746 747 /* Already traced */ 748 if (p->p_flag & P_TRACED) { 749 error = EBUSY; 750 goto fail; 751 } 752 753 /* Can't trace an ancestor if you're being traced. */ 754 if (curp->p_flag & P_TRACED) { 755 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) { 756 if (pp == p) { 757 error = EINVAL; 758 goto fail; 759 } 760 } 761 } 762 763 764 /* OK */ 765 break; 766 767 case PT_CLEARSTEP: 768 /* Allow thread to clear single step for itself */ 769 if (td->td_tid == tid) 770 break; 771 772 /* FALLTHROUGH */ 773 default: 774 /* not being traced... */ 775 if ((p->p_flag & P_TRACED) == 0) { 776 error = EPERM; 777 goto fail; 778 } 779 780 /* not being traced by YOU */ 781 if (p->p_pptr != td->td_proc) { 782 error = EBUSY; 783 goto fail; 784 } 785 786 /* not currently stopped */ 787 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) == 0 || 788 p->p_suspcount != p->p_numthreads || 789 (p->p_flag & P_WAITED) == 0) { 790 error = EBUSY; 791 goto fail; 792 } 793 794 if ((p->p_flag & P_STOPPED_TRACE) == 0) { 795 static int count = 0; 796 if (count++ == 0) 797 printf("P_STOPPED_TRACE not set.\n"); 798 } 799 800 /* OK */ 801 break; 802 } 803 804 /* Keep this process around until we finish this request. */ 805 _PHOLD(p); 806 807#ifdef FIX_SSTEP 808 /* 809 * Single step fixup ala procfs 810 */ 811 FIX_SSTEP(td2); 812#endif 813 814 /* 815 * Actually do the requests 816 */ 817 818 td->td_retval[0] = 0; 819 820 switch (req) { 821 case PT_TRACE_ME: 822 /* set my trace flag and "owner" so it can read/write me */ 823 p->p_flag |= P_TRACED; 824 p->p_oppid = p->p_pptr->p_pid; 825 break; 826 827 case PT_ATTACH: 828 /* security check done above */ 829 p->p_flag |= P_TRACED; 830 p->p_oppid = p->p_pptr->p_pid; 831 if (p->p_pptr != td->td_proc) 832 proc_reparent(p, td->td_proc); 833 data = SIGSTOP; 834 goto sendsig; /* in PT_CONTINUE below */ 835 836 case PT_CLEARSTEP: 837 error = ptrace_clear_single_step(td2); 838 break; 839 840 case PT_SETSTEP: 841 error = ptrace_single_step(td2); 842 break; 843 844 case PT_SUSPEND: 845 td2->td_dbgflags |= TDB_SUSPEND; 846 thread_lock(td2); 847 td2->td_flags |= TDF_NEEDSUSPCHK; 848 thread_unlock(td2); 849 break; 850 851 case PT_RESUME: 852 td2->td_dbgflags &= ~TDB_SUSPEND; 853 break; 854 855 case PT_STEP: 856 case PT_CONTINUE: 857 case PT_TO_SCE: 858 case PT_TO_SCX: 859 case PT_SYSCALL: 860 case PT_DETACH: 861 /* Zero means do not send any signal */ 862 if (data < 0 || data > _SIG_MAXSIG) { 863 error = EINVAL; 864 break; 865 } 866 867 switch (req) { 868 case PT_STEP: 869 error = ptrace_single_step(td2); 870 if (error) 871 goto out; 872 break; 873 case PT_CONTINUE: 874 case PT_TO_SCE: 875 case PT_TO_SCX: 876 case PT_SYSCALL: 877 if (addr != (void *)1) { 878 error = ptrace_set_pc(td2, 879 (u_long)(uintfptr_t)addr); 880 if (error) 881 goto out; 882 } 883 switch (req) { 884 case PT_TO_SCE: 885 p->p_stops |= S_PT_SCE; 886 break; 887 case PT_TO_SCX: 888 p->p_stops |= S_PT_SCX; 889 break; 890 case PT_SYSCALL: 891 p->p_stops |= S_PT_SCE | S_PT_SCX; 892 break; 893 } 894 break; 895 case PT_DETACH: 896 /* reset process parent */ 897 if (p->p_oppid != p->p_pptr->p_pid) { 898 struct proc *pp; 899 900 PROC_LOCK(p->p_pptr); 901 sigqueue_take(p->p_ksi); 902 PROC_UNLOCK(p->p_pptr); 903 904 PROC_UNLOCK(p); 905 pp = pfind(p->p_oppid); 906 if (pp == NULL) 907 pp = initproc; 908 else 909 PROC_UNLOCK(pp); 910 PROC_LOCK(p); 911 proc_reparent(p, pp); 912 if (pp == initproc) 913 p->p_sigparent = SIGCHLD; 914 } 915 p->p_flag &= ~(P_TRACED | P_WAITED); 916 p->p_oppid = 0; 917 918 /* should we send SIGCHLD? */ 919 /* childproc_continued(p); */ 920 break; 921 } 922 923 sendsig: 924 if (proctree_locked) { 925 sx_xunlock(&proctree_lock); 926 proctree_locked = 0; 927 } 928 p->p_xstat = data; 929 p->p_xthread = NULL; 930 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) != 0) { 931 /* deliver or queue signal */ 932 td2->td_dbgflags &= ~TDB_XSIG; 933 td2->td_xsig = data; 934 935 if (req == PT_DETACH) { 936 struct thread *td3; 937 FOREACH_THREAD_IN_PROC(p, td3) { 938 td3->td_dbgflags &= ~TDB_SUSPEND; 939 } 940 } 941 /* 942 * unsuspend all threads, to not let a thread run, 943 * you should use PT_SUSPEND to suspend it before 944 * continuing process. 945 */ 946 PROC_SLOCK(p); 947 p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG|P_WAITED); 948 thread_unsuspend(p); 949 PROC_SUNLOCK(p); 950 } else { 951 if (data) 952 psignal(p, data); 953 } 954 break; 955 956 case PT_WRITE_I: 957 case PT_WRITE_D: 958 td2->td_dbgflags |= TDB_USERWR; 959 write = 1; 960 /* FALLTHROUGH */ 961 case PT_READ_I: 962 case PT_READ_D: 963 PROC_UNLOCK(p); 964 tmp = 0; 965 /* write = 0 set above */ 966 iov.iov_base = write ? (caddr_t)&data : (caddr_t)&tmp; 967 iov.iov_len = sizeof(int); 968 uio.uio_iov = &iov; 969 uio.uio_iovcnt = 1; 970 uio.uio_offset = (off_t)(uintptr_t)addr; 971 uio.uio_resid = sizeof(int); 972 uio.uio_segflg = UIO_SYSSPACE; /* i.e.: the uap */ 973 uio.uio_rw = write ? UIO_WRITE : UIO_READ; 974 uio.uio_td = td; 975 error = proc_rwmem(p, &uio); 976 if (uio.uio_resid != 0) { 977 /* 978 * XXX proc_rwmem() doesn't currently return ENOSPC, 979 * so I think write() can bogusly return 0. 980 * XXX what happens for short writes? We don't want 981 * to write partial data. 982 * XXX proc_rwmem() returns EPERM for other invalid 983 * addresses. Convert this to EINVAL. Does this 984 * clobber returns of EPERM for other reasons? 985 */ 986 if (error == 0 || error == ENOSPC || error == EPERM) 987 error = EINVAL; /* EOF */ 988 } 989 if (!write) 990 td->td_retval[0] = tmp; 991 PROC_LOCK(p); 992 break; 993 994 case PT_IO: 995#ifdef COMPAT_FREEBSD32 996 if (wrap32) { 997 piod32 = addr; 998 iov.iov_base = (void *)(uintptr_t)piod32->piod_addr; 999 iov.iov_len = piod32->piod_len; 1000 uio.uio_offset = (off_t)(uintptr_t)piod32->piod_offs; 1001 uio.uio_resid = piod32->piod_len; 1002 } else 1003#endif 1004 { 1005 piod = addr; 1006 iov.iov_base = piod->piod_addr; 1007 iov.iov_len = piod->piod_len; 1008 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs; 1009 uio.uio_resid = piod->piod_len; 1010 } 1011 uio.uio_iov = &iov; 1012 uio.uio_iovcnt = 1; 1013 uio.uio_segflg = UIO_USERSPACE; 1014 uio.uio_td = td; 1015#ifdef COMPAT_FREEBSD32 1016 tmp = wrap32 ? piod32->piod_op : piod->piod_op; 1017#else 1018 tmp = piod->piod_op; 1019#endif 1020 switch (tmp) { 1021 case PIOD_READ_D: 1022 case PIOD_READ_I: 1023 uio.uio_rw = UIO_READ; 1024 break; 1025 case PIOD_WRITE_D: 1026 case PIOD_WRITE_I: 1027 td2->td_dbgflags |= TDB_USERWR; 1028 uio.uio_rw = UIO_WRITE; 1029 break; 1030 default: 1031 error = EINVAL; 1032 goto out; 1033 } 1034 PROC_UNLOCK(p); 1035 error = proc_rwmem(p, &uio); 1036#ifdef COMPAT_FREEBSD32 1037 if (wrap32) 1038 piod32->piod_len -= uio.uio_resid; 1039 else 1040#endif 1041 piod->piod_len -= uio.uio_resid; 1042 PROC_LOCK(p); 1043 break; 1044 1045 case PT_KILL: 1046 data = SIGKILL; 1047 goto sendsig; /* in PT_CONTINUE above */ 1048 1049 case PT_SETREGS: 1050 td2->td_dbgflags |= TDB_USERWR; 1051 error = PROC_WRITE(regs, td2, addr); 1052 break; 1053 1054 case PT_GETREGS: 1055 error = PROC_READ(regs, td2, addr); 1056 break; 1057 1058 case PT_SETFPREGS: 1059 td2->td_dbgflags |= TDB_USERWR; 1060 error = PROC_WRITE(fpregs, td2, addr); 1061 break; 1062 1063 case PT_GETFPREGS: 1064 error = PROC_READ(fpregs, td2, addr); 1065 break; 1066 1067 case PT_SETDBREGS: 1068 td2->td_dbgflags |= TDB_USERWR; 1069 error = PROC_WRITE(dbregs, td2, addr); 1070 break; 1071 1072 case PT_GETDBREGS: 1073 error = PROC_READ(dbregs, td2, addr); 1074 break; 1075 1076 case PT_LWPINFO: 1077 if (data <= 0 || 1078#ifdef COMPAT_FREEBSD32 1079 (!wrap32 && data > sizeof(*pl)) || 1080 (wrap32 && data > sizeof(*pl32))) { 1081#else 1082 data > sizeof(*pl)) { 1083#endif 1084 error = EINVAL; 1085 break; 1086 } 1087#ifdef COMPAT_FREEBSD32 1088 if (wrap32) { 1089 pl = &plr; 1090 pl32 = addr; 1091 } else 1092#endif 1093 pl = addr; 1094 pl->pl_lwpid = td2->td_tid; 1095 pl->pl_flags = 0; 1096 if (td2->td_dbgflags & TDB_XSIG) { 1097 pl->pl_event = PL_EVENT_SIGNAL; 1098 if (td2->td_dbgksi.ksi_signo != 0 && 1099#ifdef COMPAT_FREEBSD32 1100 ((!wrap32 && data >= offsetof(struct ptrace_lwpinfo, 1101 pl_siginfo) + sizeof(pl->pl_siginfo)) || 1102 (wrap32 && data >= offsetof(struct ptrace_lwpinfo32, 1103 pl_siginfo) + sizeof(struct siginfo32))) 1104#else 1105 data >= offsetof(struct ptrace_lwpinfo, pl_siginfo) 1106 + sizeof(pl->pl_siginfo) 1107#endif 1108 ){ 1109 pl->pl_flags |= PL_FLAG_SI; 1110 pl->pl_siginfo = td2->td_dbgksi.ksi_info; 1111 } 1112 } 1113 if ((pl->pl_flags & PL_FLAG_SI) == 0) 1114 bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); 1115 if (td2->td_dbgflags & TDB_SCE) 1116 pl->pl_flags |= PL_FLAG_SCE; 1117 else if (td2->td_dbgflags & TDB_SCX) 1118 pl->pl_flags |= PL_FLAG_SCX; 1119 if (td2->td_dbgflags & TDB_EXEC) 1120 pl->pl_flags |= PL_FLAG_EXEC; 1121 pl->pl_sigmask = td2->td_sigmask; 1122 pl->pl_siglist = td2->td_siglist; 1123 strcpy(pl->pl_tdname, td2->td_name); 1124#ifdef COMPAT_FREEBSD32 1125 if (wrap32) 1126 ptrace_lwpinfo_to32(pl, pl32); 1127#endif 1128 break; 1129 1130 case PT_GETNUMLWPS: 1131 td->td_retval[0] = p->p_numthreads; 1132 break; 1133 1134 case PT_GETLWPLIST: 1135 if (data <= 0) { 1136 error = EINVAL; 1137 break; 1138 } 1139 num = imin(p->p_numthreads, data); 1140 PROC_UNLOCK(p); 1141 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK); 1142 tmp = 0; 1143 PROC_LOCK(p); 1144 FOREACH_THREAD_IN_PROC(p, td2) { 1145 if (tmp >= num) 1146 break; 1147 buf[tmp++] = td2->td_tid; 1148 } 1149 PROC_UNLOCK(p); 1150 error = copyout(buf, addr, tmp * sizeof(lwpid_t)); 1151 free(buf, M_TEMP); 1152 if (!error) 1153 td->td_retval[0] = tmp; 1154 PROC_LOCK(p); 1155 break; 1156 1157 case PT_VM_TIMESTAMP: 1158 td->td_retval[0] = p->p_vmspace->vm_map.timestamp; 1159 break; 1160 1161 case PT_VM_ENTRY: 1162 PROC_UNLOCK(p); 1163#ifdef COMPAT_FREEBSD32 1164 if (wrap32) 1165 error = ptrace_vm_entry32(td, p, addr); 1166 else 1167#endif 1168 error = ptrace_vm_entry(td, p, addr); 1169 PROC_LOCK(p); 1170 break; 1171 1172 default: 1173#ifdef __HAVE_PTRACE_MACHDEP 1174 if (req >= PT_FIRSTMACH) { 1175 PROC_UNLOCK(p); 1176 error = cpu_ptrace(td2, req, addr, data); 1177 PROC_LOCK(p); 1178 } else 1179#endif 1180 /* Unknown request. */ 1181 error = EINVAL; 1182 break; 1183 } 1184 1185out: 1186 /* Drop our hold on this process now that the request has completed. */ 1187 _PRELE(p); 1188fail: 1189 PROC_UNLOCK(p); 1190 if (proctree_locked) 1191 sx_xunlock(&proctree_lock); 1192 return (error); 1193} 1194#undef PROC_READ 1195#undef PROC_WRITE 1196 1197/* 1198 * Stop a process because of a debugging event; 1199 * stay stopped until p->p_step is cleared 1200 * (cleared by PIOCCONT in procfs). 1201 */ 1202void 1203stopevent(struct proc *p, unsigned int event, unsigned int val) 1204{ 1205 1206 PROC_LOCK_ASSERT(p, MA_OWNED); 1207 p->p_step = 1; 1208 do { 1209 p->p_xstat = val; 1210 p->p_xthread = NULL; 1211 p->p_stype = event; /* Which event caused the stop? */ 1212 wakeup(&p->p_stype); /* Wake up any PIOCWAIT'ing procs */ 1213 msleep(&p->p_step, &p->p_mtx, PWAIT, "stopevent", 0); 1214 } while (p->p_step); 1215} 1216