1/*- 2 * SPDX-License-Identifier: BSD-4-Clause 3 * 4 * Copyright (c) 1994, Sean Eric Fagan 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Sean Eric Fagan. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include <sys/param.h> 35#include <sys/systm.h> 36#include <sys/ktr.h> 37#include <sys/limits.h> 38#include <sys/lock.h> 39#include <sys/mutex.h> 40#include <sys/reg.h> 41#include <sys/syscallsubr.h> 42#include <sys/sysent.h> 43#include <sys/sysproto.h> 44#include <sys/priv.h> 45#include <sys/proc.h> 46#include <sys/vnode.h> 47#include <sys/ptrace.h> 48#include <sys/rwlock.h> 49#include <sys/sx.h> 50#include <sys/malloc.h> 51#include <sys/signalvar.h> 52#include <sys/caprights.h> 53#include <sys/filedesc.h> 54 55#include <security/audit/audit.h> 56 57#include <vm/vm.h> 58#include <vm/pmap.h> 59#include <vm/vm_extern.h> 60#include <vm/vm_map.h> 61#include <vm/vm_kern.h> 62#include <vm/vm_object.h> 63#include <vm/vm_page.h> 64#include <vm/vm_param.h> 65 66#ifdef COMPAT_FREEBSD32 67#include <sys/procfs.h> 68#endif 69 70/* Assert it's safe to unlock a process, e.g. to allocate working memory */ 71#define PROC_ASSERT_TRACEREQ(p) MPASS(((p)->p_flag2 & P2_PTRACEREQ) != 0) 72 73/* 74 * Functions implemented using PROC_ACTION(): 75 * 76 * proc_read_regs(proc, regs) 77 * Get the current user-visible register set from the process 78 * and copy it into the regs structure (<machine/reg.h>). 79 * The process is stopped at the time read_regs is called. 80 * 81 * proc_write_regs(proc, regs) 82 * Update the current register set from the passed in regs 83 * structure. Take care to avoid clobbering special CPU 84 * registers or privileged bits in the PSL. 85 * Depending on the architecture this may have fix-up work to do, 86 * especially if the IAR or PCW are modified. 87 * The process is stopped at the time write_regs is called. 88 * 89 * proc_read_fpregs, proc_write_fpregs 90 * deal with the floating point register set, otherwise as above. 91 * 92 * proc_read_dbregs, proc_write_dbregs 93 * deal with the processor debug register set, otherwise as above. 94 * 95 * proc_sstep(proc) 96 * Arrange for the process to trap after executing a single instruction. 97 */ 98 99#define PROC_ACTION(action) do { \ 100 int error; \ 101 \ 102 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \ 103 if ((td->td_proc->p_flag & P_INMEM) == 0) \ 104 error = EIO; \ 105 else \ 106 error = (action); \ 107 return (error); \ 108} while (0) 109 110int 111proc_read_regs(struct thread *td, struct reg *regs) 112{ 113 114 PROC_ACTION(fill_regs(td, regs)); 115} 116 117int 118proc_write_regs(struct thread *td, struct reg *regs) 119{ 120 121 PROC_ACTION(set_regs(td, regs)); 122} 123 124int 125proc_read_dbregs(struct thread *td, struct dbreg *dbregs) 126{ 127 128 PROC_ACTION(fill_dbregs(td, dbregs)); 129} 130 131int 132proc_write_dbregs(struct thread *td, struct dbreg *dbregs) 133{ 134 135 PROC_ACTION(set_dbregs(td, dbregs)); 136} 137 138/* 139 * Ptrace doesn't support fpregs at all, and there are no security holes 140 * or translations for fpregs, so we can just copy them. 141 */ 142int 143proc_read_fpregs(struct thread *td, struct fpreg *fpregs) 144{ 145 146 PROC_ACTION(fill_fpregs(td, fpregs)); 147} 148 149int 150proc_write_fpregs(struct thread *td, struct fpreg *fpregs) 151{ 152 153 PROC_ACTION(set_fpregs(td, fpregs)); 154} 155 156static struct regset * 157proc_find_regset(struct thread *td, int note) 158{ 159 struct regset **regsetp, **regset_end, *regset; 160 struct sysentvec *sv; 161 162 sv = td->td_proc->p_sysent; 163 regsetp = sv->sv_regset_begin; 164 if (regsetp == NULL) 165 return (NULL); 166 regset_end = sv->sv_regset_end; 167 MPASS(regset_end != NULL); 168 for (; regsetp < regset_end; regsetp++) { 169 regset = *regsetp; 170 if (regset->note != note) 171 continue; 172 173 return (regset); 174 } 175 176 return (NULL); 177} 178 179static int 180proc_read_regset(struct thread *td, int note, struct iovec *iov) 181{ 182 struct regset *regset; 183 struct proc *p; 184 void *buf; 185 size_t size; 186 int error; 187 188 regset = proc_find_regset(td, note); 189 if (regset == NULL) 190 return (EINVAL); 191 192 if (regset->get == NULL) 193 return (EINVAL); 194 195 size = regset->size; 196 /* 197 * The regset is dynamically sized, e.g. the size could change 198 * depending on the hardware, or may have a per-thread size. 199 */ 200 if (size == 0) { 201 if (!regset->get(regset, td, NULL, &size)) 202 return (EINVAL); 203 } 204 205 if (iov->iov_base == NULL) { 206 iov->iov_len = size; 207 if (iov->iov_len == 0) 208 return (EINVAL); 209 210 return (0); 211 } 212 213 /* The length is wrong, return an error */ 214 if (iov->iov_len != size) 215 return (EINVAL); 216 217 error = 0; 218 p = td->td_proc; 219 220 /* Drop the proc lock while allocating the temp buffer */ 221 PROC_ASSERT_TRACEREQ(p); 222 PROC_UNLOCK(p); 223 buf = malloc(size, M_TEMP, M_WAITOK); 224 PROC_LOCK(p); 225 226 if (!regset->get(regset, td, buf, &size)) { 227 error = EINVAL; 228 } else { 229 KASSERT(size == regset->size || regset->size == 0, 230 ("%s: Getter function changed the size", __func__)); 231 232 iov->iov_len = size; 233 PROC_UNLOCK(p); 234 error = copyout(buf, iov->iov_base, size); 235 PROC_LOCK(p); 236 } 237 238 free(buf, M_TEMP); 239 240 return (error); 241} 242 243static int 244proc_write_regset(struct thread *td, int note, struct iovec *iov) 245{ 246 struct regset *regset; 247 struct proc *p; 248 void *buf; 249 size_t size; 250 int error; 251 252 regset = proc_find_regset(td, note); 253 if (regset == NULL) 254 return (EINVAL); 255 256 size = regset->size; 257 /* 258 * The regset is dynamically sized, e.g. the size could change 259 * depending on the hardware, or may have a per-thread size. 260 */ 261 if (size == 0) { 262 if (!regset->get(regset, td, NULL, &size)) 263 return (EINVAL); 264 } 265 266 /* The length is wrong, return an error */ 267 if (iov->iov_len != size) 268 return (EINVAL); 269 270 if (regset->set == NULL) 271 return (EINVAL); 272 273 p = td->td_proc; 274 275 /* Drop the proc lock while allocating the temp buffer */ 276 PROC_ASSERT_TRACEREQ(p); 277 PROC_UNLOCK(p); 278 buf = malloc(size, M_TEMP, M_WAITOK); 279 error = copyin(iov->iov_base, buf, size); 280 PROC_LOCK(p); 281 282 if (error == 0) { 283 if (!regset->set(regset, td, buf, size)) { 284 error = EINVAL; 285 } 286 } 287 288 free(buf, M_TEMP); 289 290 return (error); 291} 292 293#ifdef COMPAT_FREEBSD32 294/* For 32 bit binaries, we need to expose the 32 bit regs layouts. */ 295int 296proc_read_regs32(struct thread *td, struct reg32 *regs32) 297{ 298 299 PROC_ACTION(fill_regs32(td, regs32)); 300} 301 302int 303proc_write_regs32(struct thread *td, struct reg32 *regs32) 304{ 305 306 PROC_ACTION(set_regs32(td, regs32)); 307} 308 309int 310proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 311{ 312 313 PROC_ACTION(fill_dbregs32(td, dbregs32)); 314} 315 316int 317proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32) 318{ 319 320 PROC_ACTION(set_dbregs32(td, dbregs32)); 321} 322 323int 324proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 325{ 326 327 PROC_ACTION(fill_fpregs32(td, fpregs32)); 328} 329 330int 331proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32) 332{ 333 334 PROC_ACTION(set_fpregs32(td, fpregs32)); 335} 336#endif 337 338int 339proc_sstep(struct thread *td) 340{ 341 342 PROC_ACTION(ptrace_single_step(td)); 343} 344 345int 346proc_rwmem(struct proc *p, struct uio *uio) 347{ 348 vm_map_t map; 349 vm_offset_t pageno; /* page number */ 350 vm_prot_t reqprot; 351 int error, fault_flags, page_offset, writing; 352 353 /* 354 * Make sure that the process' vmspace remains live. 355 */ 356 if (p != curproc) 357 PROC_ASSERT_HELD(p); 358 PROC_LOCK_ASSERT(p, MA_NOTOWNED); 359 360 /* 361 * The map we want... 362 */ 363 map = &p->p_vmspace->vm_map; 364 365 /* 366 * If we are writing, then we request vm_fault() to create a private 367 * copy of each page. Since these copies will not be writeable by the 368 * process, we must explicity request that they be dirtied. 369 */ 370 writing = uio->uio_rw == UIO_WRITE; 371 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ; 372 fault_flags = writing ? VM_FAULT_DIRTY : VM_FAULT_NORMAL; 373 374 /* 375 * Only map in one page at a time. We don't have to, but it 376 * makes things easier. This way is trivial - right? 377 */ 378 do { 379 vm_offset_t uva; 380 u_int len; 381 vm_page_t m; 382 383 uva = (vm_offset_t)uio->uio_offset; 384 385 /* 386 * Get the page number of this segment. 387 */ 388 pageno = trunc_page(uva); 389 page_offset = uva - pageno; 390 391 /* 392 * How many bytes to copy 393 */ 394 len = min(PAGE_SIZE - page_offset, uio->uio_resid); 395 396 /* 397 * Fault and hold the page on behalf of the process. 398 */ 399 error = vm_fault(map, pageno, reqprot, fault_flags, &m); 400 if (error != KERN_SUCCESS) { 401 if (error == KERN_RESOURCE_SHORTAGE) 402 error = ENOMEM; 403 else 404 error = EFAULT; 405 break; 406 } 407 408 /* 409 * Now do the i/o move. 410 */ 411 error = uiomove_fromphys(&m, page_offset, len, uio); 412 413 /* Make the I-cache coherent for breakpoints. */ 414 if (writing && error == 0) { 415 vm_map_lock_read(map); 416 if (vm_map_check_protection(map, pageno, pageno + 417 PAGE_SIZE, VM_PROT_EXECUTE)) 418 vm_sync_icache(map, uva, len); 419 vm_map_unlock_read(map); 420 } 421 422 /* 423 * Release the page. 424 */ 425 vm_page_unwire(m, PQ_ACTIVE); 426 427 } while (error == 0 && uio->uio_resid > 0); 428 429 return (error); 430} 431 432static ssize_t 433proc_iop(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 434 size_t len, enum uio_rw rw) 435{ 436 struct iovec iov; 437 struct uio uio; 438 ssize_t slen; 439 440 MPASS(len < SSIZE_MAX); 441 slen = (ssize_t)len; 442 443 iov.iov_base = (caddr_t)buf; 444 iov.iov_len = len; 445 uio.uio_iov = &iov; 446 uio.uio_iovcnt = 1; 447 uio.uio_offset = va; 448 uio.uio_resid = slen; 449 uio.uio_segflg = UIO_SYSSPACE; 450 uio.uio_rw = rw; 451 uio.uio_td = td; 452 proc_rwmem(p, &uio); 453 if (uio.uio_resid == slen) 454 return (-1); 455 return (slen - uio.uio_resid); 456} 457 458ssize_t 459proc_readmem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 460 size_t len) 461{ 462 463 return (proc_iop(td, p, va, buf, len, UIO_READ)); 464} 465 466ssize_t 467proc_writemem(struct thread *td, struct proc *p, vm_offset_t va, void *buf, 468 size_t len) 469{ 470 471 return (proc_iop(td, p, va, buf, len, UIO_WRITE)); 472} 473 474static int 475ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve) 476{ 477 struct vattr vattr; 478 vm_map_t map; 479 vm_map_entry_t entry; 480 vm_object_t obj, tobj, lobj; 481 struct vmspace *vm; 482 struct vnode *vp; 483 char *freepath, *fullpath; 484 u_int pathlen; 485 int error, index; 486 487 error = 0; 488 obj = NULL; 489 490 vm = vmspace_acquire_ref(p); 491 map = &vm->vm_map; 492 vm_map_lock_read(map); 493 494 do { 495 KASSERT((map->header.eflags & MAP_ENTRY_IS_SUB_MAP) == 0, 496 ("Submap in map header")); 497 index = 0; 498 VM_MAP_ENTRY_FOREACH(entry, map) { 499 if (index >= pve->pve_entry && 500 (entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0) 501 break; 502 index++; 503 } 504 if (index < pve->pve_entry) { 505 error = EINVAL; 506 break; 507 } 508 if (entry == &map->header) { 509 error = ENOENT; 510 break; 511 } 512 513 /* We got an entry. */ 514 pve->pve_entry = index + 1; 515 pve->pve_timestamp = map->timestamp; 516 pve->pve_start = entry->start; 517 pve->pve_end = entry->end - 1; 518 pve->pve_offset = entry->offset; 519 pve->pve_prot = entry->protection; 520 521 /* Backing object's path needed? */ 522 if (pve->pve_pathlen == 0) 523 break; 524 525 pathlen = pve->pve_pathlen; 526 pve->pve_pathlen = 0; 527 528 obj = entry->object.vm_object; 529 if (obj != NULL) 530 VM_OBJECT_RLOCK(obj); 531 } while (0); 532 533 vm_map_unlock_read(map); 534 535 pve->pve_fsid = VNOVAL; 536 pve->pve_fileid = VNOVAL; 537 538 if (error == 0 && obj != NULL) { 539 lobj = obj; 540 for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { 541 if (tobj != obj) 542 VM_OBJECT_RLOCK(tobj); 543 if (lobj != obj) 544 VM_OBJECT_RUNLOCK(lobj); 545 lobj = tobj; 546 pve->pve_offset += tobj->backing_object_offset; 547 } 548 vp = vm_object_vnode(lobj); 549 if (vp != NULL) 550 vref(vp); 551 if (lobj != obj) 552 VM_OBJECT_RUNLOCK(lobj); 553 VM_OBJECT_RUNLOCK(obj); 554 555 if (vp != NULL) { 556 freepath = NULL; 557 fullpath = NULL; 558 vn_fullpath(vp, &fullpath, &freepath); 559 vn_lock(vp, LK_SHARED | LK_RETRY); 560 if (VOP_GETATTR(vp, &vattr, td->td_ucred) == 0) { 561 pve->pve_fileid = vattr.va_fileid; 562 pve->pve_fsid = vattr.va_fsid; 563 } 564 vput(vp); 565 566 if (fullpath != NULL) { 567 pve->pve_pathlen = strlen(fullpath) + 1; 568 if (pve->pve_pathlen <= pathlen) { 569 error = copyout(fullpath, pve->pve_path, 570 pve->pve_pathlen); 571 } else 572 error = ENAMETOOLONG; 573 } 574 if (freepath != NULL) 575 free(freepath, M_TEMP); 576 } 577 } 578 vmspace_free(vm); 579 if (error == 0) 580 CTR3(KTR_PTRACE, "PT_VM_ENTRY: pid %d, entry %d, start %p", 581 p->p_pid, pve->pve_entry, pve->pve_start); 582 583 return (error); 584} 585 586/* 587 * Process debugging system call. 588 */ 589#ifndef _SYS_SYSPROTO_H_ 590struct ptrace_args { 591 int req; 592 pid_t pid; 593 caddr_t addr; 594 int data; 595}; 596#endif 597 598int 599sys_ptrace(struct thread *td, struct ptrace_args *uap) 600{ 601 /* 602 * XXX this obfuscation is to reduce stack usage, but the register 603 * structs may be too large to put on the stack anyway. 604 */ 605 union { 606 struct ptrace_io_desc piod; 607 struct ptrace_lwpinfo pl; 608 struct ptrace_vm_entry pve; 609 struct ptrace_coredump pc; 610 struct ptrace_sc_remote sr; 611 struct dbreg dbreg; 612 struct fpreg fpreg; 613 struct reg reg; 614 struct iovec vec; 615 syscallarg_t args[nitems(td->td_sa.args)]; 616 struct ptrace_sc_ret psr; 617 int ptevents; 618 } r; 619 syscallarg_t pscr_args[nitems(td->td_sa.args)]; 620 void *addr; 621 int error; 622 623 if (!allow_ptrace) 624 return (ENOSYS); 625 error = 0; 626 627 AUDIT_ARG_PID(uap->pid); 628 AUDIT_ARG_CMD(uap->req); 629 AUDIT_ARG_VALUE(uap->data); 630 addr = &r; 631 switch (uap->req) { 632 case PT_GET_EVENT_MASK: 633 case PT_LWPINFO: 634 case PT_GET_SC_ARGS: 635 case PT_GET_SC_RET: 636 break; 637 case PT_GETREGS: 638 bzero(&r.reg, sizeof(r.reg)); 639 break; 640 case PT_GETFPREGS: 641 bzero(&r.fpreg, sizeof(r.fpreg)); 642 break; 643 case PT_GETDBREGS: 644 bzero(&r.dbreg, sizeof(r.dbreg)); 645 break; 646 case PT_GETREGSET: 647 case PT_SETREGSET: 648 error = copyin(uap->addr, &r.vec, sizeof(r.vec)); 649 break; 650 case PT_SETREGS: 651 error = copyin(uap->addr, &r.reg, sizeof(r.reg)); 652 break; 653 case PT_SETFPREGS: 654 error = copyin(uap->addr, &r.fpreg, sizeof(r.fpreg)); 655 break; 656 case PT_SETDBREGS: 657 error = copyin(uap->addr, &r.dbreg, sizeof(r.dbreg)); 658 break; 659 case PT_SET_EVENT_MASK: 660 if (uap->data != sizeof(r.ptevents)) 661 error = EINVAL; 662 else 663 error = copyin(uap->addr, &r.ptevents, uap->data); 664 break; 665 case PT_IO: 666 error = copyin(uap->addr, &r.piod, sizeof(r.piod)); 667 break; 668 case PT_VM_ENTRY: 669 error = copyin(uap->addr, &r.pve, sizeof(r.pve)); 670 break; 671 case PT_COREDUMP: 672 if (uap->data != sizeof(r.pc)) 673 error = EINVAL; 674 else 675 error = copyin(uap->addr, &r.pc, uap->data); 676 break; 677 case PT_SC_REMOTE: 678 if (uap->data != sizeof(r.sr)) { 679 error = EINVAL; 680 break; 681 } 682 error = copyin(uap->addr, &r.sr, uap->data); 683 if (error != 0) 684 break; 685 if (r.sr.pscr_nargs > nitems(td->td_sa.args)) { 686 error = EINVAL; 687 break; 688 } 689 error = copyin(r.sr.pscr_args, pscr_args, 690 sizeof(u_long) * r.sr.pscr_nargs); 691 if (error != 0) 692 break; 693 r.sr.pscr_args = pscr_args; 694 break; 695 default: 696 addr = uap->addr; 697 break; 698 } 699 if (error) 700 return (error); 701 702 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data); 703 if (error) 704 return (error); 705 706 switch (uap->req) { 707 case PT_VM_ENTRY: 708 error = copyout(&r.pve, uap->addr, sizeof(r.pve)); 709 break; 710 case PT_IO: 711 error = copyout(&r.piod, uap->addr, sizeof(r.piod)); 712 break; 713 case PT_GETREGS: 714 error = copyout(&r.reg, uap->addr, sizeof(r.reg)); 715 break; 716 case PT_GETFPREGS: 717 error = copyout(&r.fpreg, uap->addr, sizeof(r.fpreg)); 718 break; 719 case PT_GETDBREGS: 720 error = copyout(&r.dbreg, uap->addr, sizeof(r.dbreg)); 721 break; 722 case PT_GETREGSET: 723 error = copyout(&r.vec, uap->addr, sizeof(r.vec)); 724 break; 725 case PT_GET_EVENT_MASK: 726 /* NB: The size in uap->data is validated in kern_ptrace(). */ 727 error = copyout(&r.ptevents, uap->addr, uap->data); 728 break; 729 case PT_LWPINFO: 730 /* NB: The size in uap->data is validated in kern_ptrace(). */ 731 error = copyout(&r.pl, uap->addr, uap->data); 732 break; 733 case PT_GET_SC_ARGS: 734 error = copyout(r.args, uap->addr, MIN(uap->data, 735 sizeof(r.args))); 736 break; 737 case PT_GET_SC_RET: 738 error = copyout(&r.psr, uap->addr, MIN(uap->data, 739 sizeof(r.psr))); 740 break; 741 case PT_SC_REMOTE: 742 error = copyout(&r.sr.pscr_ret, uap->addr + 743 offsetof(struct ptrace_sc_remote, pscr_ret), 744 sizeof(r.sr.pscr_ret)); 745 break; 746 } 747 748 return (error); 749} 750 751#ifdef COMPAT_FREEBSD32 752/* 753 * PROC_READ(regs, td2, addr); 754 * becomes either: 755 * proc_read_regs(td2, addr); 756 * or 757 * proc_read_regs32(td2, addr); 758 * .. except this is done at runtime. There is an additional 759 * complication in that PROC_WRITE disallows 32 bit consumers 760 * from writing to 64 bit address space targets. 761 */ 762#define PROC_READ(w, t, a) wrap32 ? \ 763 proc_read_ ## w ## 32(t, a) : \ 764 proc_read_ ## w (t, a) 765#define PROC_WRITE(w, t, a) wrap32 ? \ 766 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \ 767 proc_write_ ## w (t, a) 768#else 769#define PROC_READ(w, t, a) proc_read_ ## w (t, a) 770#define PROC_WRITE(w, t, a) proc_write_ ## w (t, a) 771#endif 772 773void 774proc_set_traced(struct proc *p, bool stop) 775{ 776 777 sx_assert(&proctree_lock, SX_XLOCKED); 778 PROC_LOCK_ASSERT(p, MA_OWNED); 779 p->p_flag |= P_TRACED; 780 if (stop) 781 p->p_flag2 |= P2_PTRACE_FSTP; 782 p->p_ptevents = PTRACE_DEFAULT; 783} 784 785void 786ptrace_unsuspend(struct proc *p) 787{ 788 PROC_LOCK_ASSERT(p, MA_OWNED); 789 790 PROC_SLOCK(p); 791 p->p_flag &= ~(P_STOPPED_TRACE | P_STOPPED_SIG | P_WAITED); 792 thread_unsuspend(p); 793 PROC_SUNLOCK(p); 794 itimer_proc_continue(p); 795 kqtimer_proc_continue(p); 796} 797 798static int 799proc_can_ptrace(struct thread *td, struct proc *p) 800{ 801 int error; 802 803 PROC_LOCK_ASSERT(p, MA_OWNED); 804 805 if ((p->p_flag & P_WEXIT) != 0) 806 return (ESRCH); 807 808 if ((error = p_cansee(td, p)) != 0) 809 return (error); 810 if ((error = p_candebug(td, p)) != 0) 811 return (error); 812 813 /* not being traced... */ 814 if ((p->p_flag & P_TRACED) == 0) 815 return (EPERM); 816 817 /* not being traced by YOU */ 818 if (p->p_pptr != td->td_proc) 819 return (EBUSY); 820 821 /* not currently stopped */ 822 if ((p->p_flag & P_STOPPED_TRACE) == 0 || 823 p->p_suspcount != p->p_numthreads || 824 (p->p_flag & P_WAITED) == 0) 825 return (EBUSY); 826 827 return (0); 828} 829 830static struct thread * 831ptrace_sel_coredump_thread(struct proc *p) 832{ 833 struct thread *td2; 834 835 PROC_LOCK_ASSERT(p, MA_OWNED); 836 MPASS((p->p_flag & P_STOPPED_TRACE) != 0); 837 838 FOREACH_THREAD_IN_PROC(p, td2) { 839 if ((td2->td_dbgflags & TDB_SSWITCH) != 0) 840 return (td2); 841 } 842 return (NULL); 843} 844 845int 846kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data) 847{ 848 struct iovec iov; 849 struct uio uio; 850 struct proc *curp, *p, *pp; 851 struct thread *td2 = NULL, *td3; 852 struct ptrace_io_desc *piod = NULL; 853 struct ptrace_lwpinfo *pl; 854 struct ptrace_sc_ret *psr; 855 struct ptrace_sc_remote *pscr; 856 struct file *fp; 857 struct ptrace_coredump *pc; 858 struct thr_coredump_req *tcq; 859 struct thr_syscall_req *tsr; 860 int error, num, tmp; 861 lwpid_t tid = 0, *buf; 862#ifdef COMPAT_FREEBSD32 863 int wrap32 = 0, safe = 0; 864#endif 865 bool proctree_locked, p2_req_set; 866 867 curp = td->td_proc; 868 proctree_locked = false; 869 p2_req_set = false; 870 871 /* Lock proctree before locking the process. */ 872 switch (req) { 873 case PT_TRACE_ME: 874 case PT_ATTACH: 875 case PT_STEP: 876 case PT_CONTINUE: 877 case PT_TO_SCE: 878 case PT_TO_SCX: 879 case PT_SYSCALL: 880 case PT_FOLLOW_FORK: 881 case PT_LWP_EVENTS: 882 case PT_GET_EVENT_MASK: 883 case PT_SET_EVENT_MASK: 884 case PT_DETACH: 885 case PT_GET_SC_ARGS: 886 sx_xlock(&proctree_lock); 887 proctree_locked = true; 888 break; 889 default: 890 break; 891 } 892 893 if (req == PT_TRACE_ME) { 894 p = td->td_proc; 895 PROC_LOCK(p); 896 } else { 897 if (pid <= PID_MAX) { 898 if ((p = pfind(pid)) == NULL) { 899 if (proctree_locked) 900 sx_xunlock(&proctree_lock); 901 return (ESRCH); 902 } 903 } else { 904 td2 = tdfind(pid, -1); 905 if (td2 == NULL) { 906 if (proctree_locked) 907 sx_xunlock(&proctree_lock); 908 return (ESRCH); 909 } 910 p = td2->td_proc; 911 tid = pid; 912 pid = p->p_pid; 913 } 914 } 915 AUDIT_ARG_PROCESS(p); 916 917 if ((p->p_flag & P_WEXIT) != 0) { 918 error = ESRCH; 919 goto fail; 920 } 921 if ((error = p_cansee(td, p)) != 0) 922 goto fail; 923 924 if ((error = p_candebug(td, p)) != 0) 925 goto fail; 926 927 /* 928 * System processes can't be debugged. 929 */ 930 if ((p->p_flag & P_SYSTEM) != 0) { 931 error = EINVAL; 932 goto fail; 933 } 934 935 if (tid == 0) { 936 if ((p->p_flag & P_STOPPED_TRACE) != 0) { 937 KASSERT(p->p_xthread != NULL, ("NULL p_xthread")); 938 td2 = p->p_xthread; 939 } else { 940 td2 = FIRST_THREAD_IN_PROC(p); 941 } 942 tid = td2->td_tid; 943 } 944 945#ifdef COMPAT_FREEBSD32 946 /* 947 * Test if we're a 32 bit client and what the target is. 948 * Set the wrap controls accordingly. 949 */ 950 if (SV_CURPROC_FLAG(SV_ILP32)) { 951 if (SV_PROC_FLAG(td2->td_proc, SV_ILP32)) 952 safe = 1; 953 wrap32 = 1; 954 } 955#endif 956 /* 957 * Permissions check 958 */ 959 switch (req) { 960 case PT_TRACE_ME: 961 /* 962 * Always legal, when there is a parent process which 963 * could trace us. Otherwise, reject. 964 */ 965 if ((p->p_flag & P_TRACED) != 0) { 966 error = EBUSY; 967 goto fail; 968 } 969 if (p->p_pptr == initproc) { 970 error = EPERM; 971 goto fail; 972 } 973 break; 974 975 case PT_ATTACH: 976 /* Self */ 977 if (p == td->td_proc) { 978 error = EINVAL; 979 goto fail; 980 } 981 982 /* Already traced */ 983 if (p->p_flag & P_TRACED) { 984 error = EBUSY; 985 goto fail; 986 } 987 988 /* Can't trace an ancestor if you're being traced. */ 989 if (curp->p_flag & P_TRACED) { 990 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) { 991 if (pp == p) { 992 error = EINVAL; 993 goto fail; 994 } 995 } 996 } 997 998 /* OK */ 999 break; 1000 1001 case PT_CLEARSTEP: 1002 /* Allow thread to clear single step for itself */ 1003 if (td->td_tid == tid) 1004 break; 1005 1006 /* FALLTHROUGH */ 1007 default: 1008 /* 1009 * Check for ptrace eligibility before waiting for 1010 * holds to drain. 1011 */ 1012 error = proc_can_ptrace(td, p); 1013 if (error != 0) 1014 goto fail; 1015 1016 /* 1017 * Block parallel ptrace requests. Most important, do 1018 * not allow other thread in debugger to continue the 1019 * debuggee until coredump finished. 1020 */ 1021 while ((p->p_flag2 & P2_PTRACEREQ) != 0) { 1022 if (proctree_locked) 1023 sx_xunlock(&proctree_lock); 1024 error = msleep(&p->p_flag2, &p->p_mtx, PPAUSE | PCATCH | 1025 (proctree_locked ? PDROP : 0), "pptrace", 0); 1026 if (proctree_locked) { 1027 sx_xlock(&proctree_lock); 1028 PROC_LOCK(p); 1029 } 1030 if (error == 0 && td2->td_proc != p) 1031 error = ESRCH; 1032 if (error == 0) 1033 error = proc_can_ptrace(td, p); 1034 if (error != 0) 1035 goto fail; 1036 } 1037 1038 /* Ok */ 1039 break; 1040 } 1041 1042 /* 1043 * Keep this process around and request parallel ptrace() 1044 * request to wait until we finish this request. 1045 */ 1046 MPASS((p->p_flag2 & P2_PTRACEREQ) == 0); 1047 p->p_flag2 |= P2_PTRACEREQ; 1048 p2_req_set = true; 1049 _PHOLD(p); 1050 1051 /* 1052 * Actually do the requests 1053 */ 1054 1055 td->td_retval[0] = 0; 1056 1057 switch (req) { 1058 case PT_TRACE_ME: 1059 /* set my trace flag and "owner" so it can read/write me */ 1060 proc_set_traced(p, false); 1061 if (p->p_flag & P_PPWAIT) 1062 p->p_flag |= P_PPTRACE; 1063 CTR1(KTR_PTRACE, "PT_TRACE_ME: pid %d", p->p_pid); 1064 break; 1065 1066 case PT_ATTACH: 1067 /* security check done above */ 1068 /* 1069 * It would be nice if the tracing relationship was separate 1070 * from the parent relationship but that would require 1071 * another set of links in the proc struct or for "wait" 1072 * to scan the entire proc table. To make life easier, 1073 * we just re-parent the process we're trying to trace. 1074 * The old parent is remembered so we can put things back 1075 * on a "detach". 1076 */ 1077 proc_set_traced(p, true); 1078 proc_reparent(p, td->td_proc, false); 1079 CTR2(KTR_PTRACE, "PT_ATTACH: pid %d, oppid %d", p->p_pid, 1080 p->p_oppid); 1081 1082 sx_xunlock(&proctree_lock); 1083 proctree_locked = false; 1084 MPASS(p->p_xthread == NULL); 1085 MPASS((p->p_flag & P_STOPPED_TRACE) == 0); 1086 1087 /* 1088 * If already stopped due to a stop signal, clear the 1089 * existing stop before triggering a traced SIGSTOP. 1090 */ 1091 if ((p->p_flag & P_STOPPED_SIG) != 0) { 1092 PROC_SLOCK(p); 1093 p->p_flag &= ~(P_STOPPED_SIG | P_WAITED); 1094 thread_unsuspend(p); 1095 PROC_SUNLOCK(p); 1096 } 1097 1098 kern_psignal(p, SIGSTOP); 1099 break; 1100 1101 case PT_CLEARSTEP: 1102 CTR2(KTR_PTRACE, "PT_CLEARSTEP: tid %d (pid %d)", td2->td_tid, 1103 p->p_pid); 1104 error = ptrace_clear_single_step(td2); 1105 break; 1106 1107 case PT_SETSTEP: 1108 CTR2(KTR_PTRACE, "PT_SETSTEP: tid %d (pid %d)", td2->td_tid, 1109 p->p_pid); 1110 error = ptrace_single_step(td2); 1111 break; 1112 1113 case PT_SUSPEND: 1114 CTR2(KTR_PTRACE, "PT_SUSPEND: tid %d (pid %d)", td2->td_tid, 1115 p->p_pid); 1116 td2->td_dbgflags |= TDB_SUSPEND; 1117 ast_sched(td2, TDA_SUSPEND); 1118 break; 1119 1120 case PT_RESUME: 1121 CTR2(KTR_PTRACE, "PT_RESUME: tid %d (pid %d)", td2->td_tid, 1122 p->p_pid); 1123 td2->td_dbgflags &= ~TDB_SUSPEND; 1124 break; 1125 1126 case PT_FOLLOW_FORK: 1127 CTR3(KTR_PTRACE, "PT_FOLLOW_FORK: pid %d %s -> %s", p->p_pid, 1128 p->p_ptevents & PTRACE_FORK ? "enabled" : "disabled", 1129 data ? "enabled" : "disabled"); 1130 if (data) 1131 p->p_ptevents |= PTRACE_FORK; 1132 else 1133 p->p_ptevents &= ~PTRACE_FORK; 1134 break; 1135 1136 case PT_LWP_EVENTS: 1137 CTR3(KTR_PTRACE, "PT_LWP_EVENTS: pid %d %s -> %s", p->p_pid, 1138 p->p_ptevents & PTRACE_LWP ? "enabled" : "disabled", 1139 data ? "enabled" : "disabled"); 1140 if (data) 1141 p->p_ptevents |= PTRACE_LWP; 1142 else 1143 p->p_ptevents &= ~PTRACE_LWP; 1144 break; 1145 1146 case PT_GET_EVENT_MASK: 1147 if (data != sizeof(p->p_ptevents)) { 1148 error = EINVAL; 1149 break; 1150 } 1151 CTR2(KTR_PTRACE, "PT_GET_EVENT_MASK: pid %d mask %#x", p->p_pid, 1152 p->p_ptevents); 1153 *(int *)addr = p->p_ptevents; 1154 break; 1155 1156 case PT_SET_EVENT_MASK: 1157 if (data != sizeof(p->p_ptevents)) { 1158 error = EINVAL; 1159 break; 1160 } 1161 tmp = *(int *)addr; 1162 if ((tmp & ~(PTRACE_EXEC | PTRACE_SCE | PTRACE_SCX | 1163 PTRACE_FORK | PTRACE_LWP | PTRACE_VFORK)) != 0) { 1164 error = EINVAL; 1165 break; 1166 } 1167 CTR3(KTR_PTRACE, "PT_SET_EVENT_MASK: pid %d mask %#x -> %#x", 1168 p->p_pid, p->p_ptevents, tmp); 1169 p->p_ptevents = tmp; 1170 break; 1171 1172 case PT_GET_SC_ARGS: 1173 CTR1(KTR_PTRACE, "PT_GET_SC_ARGS: pid %d", p->p_pid); 1174 if ((td2->td_dbgflags & (TDB_SCE | TDB_SCX)) == 0 1175#ifdef COMPAT_FREEBSD32 1176 || (wrap32 && !safe) 1177#endif 1178 ) { 1179 error = EINVAL; 1180 break; 1181 } 1182 bzero(addr, sizeof(td2->td_sa.args)); 1183 /* See the explanation in linux_ptrace_get_syscall_info(). */ 1184 bcopy(td2->td_sa.args, addr, SV_PROC_ABI(td->td_proc) == 1185 SV_ABI_LINUX ? sizeof(td2->td_sa.args) : 1186 td2->td_sa.callp->sy_narg * sizeof(syscallarg_t)); 1187 break; 1188 1189 case PT_GET_SC_RET: 1190 if ((td2->td_dbgflags & (TDB_SCX)) == 0 1191#ifdef COMPAT_FREEBSD32 1192 || (wrap32 && !safe) 1193#endif 1194 ) { 1195 error = EINVAL; 1196 break; 1197 } 1198 psr = addr; 1199 bzero(psr, sizeof(*psr)); 1200 psr->sr_error = td2->td_errno; 1201 if (psr->sr_error == 0) { 1202 psr->sr_retval[0] = td2->td_retval[0]; 1203 psr->sr_retval[1] = td2->td_retval[1]; 1204 } 1205 CTR4(KTR_PTRACE, 1206 "PT_GET_SC_RET: pid %d error %d retval %#lx,%#lx", 1207 p->p_pid, psr->sr_error, psr->sr_retval[0], 1208 psr->sr_retval[1]); 1209 break; 1210 1211 case PT_STEP: 1212 case PT_CONTINUE: 1213 case PT_TO_SCE: 1214 case PT_TO_SCX: 1215 case PT_SYSCALL: 1216 case PT_DETACH: 1217 /* Zero means do not send any signal */ 1218 if (data < 0 || data > _SIG_MAXSIG) { 1219 error = EINVAL; 1220 break; 1221 } 1222 1223 switch (req) { 1224 case PT_STEP: 1225 CTR3(KTR_PTRACE, "PT_STEP: tid %d (pid %d), sig = %d", 1226 td2->td_tid, p->p_pid, data); 1227 error = ptrace_single_step(td2); 1228 if (error) 1229 goto out; 1230 break; 1231 case PT_CONTINUE: 1232 case PT_TO_SCE: 1233 case PT_TO_SCX: 1234 case PT_SYSCALL: 1235 if (addr != (void *)1) { 1236 error = ptrace_set_pc(td2, 1237 (u_long)(uintfptr_t)addr); 1238 if (error) 1239 goto out; 1240 } 1241 switch (req) { 1242 case PT_TO_SCE: 1243 p->p_ptevents |= PTRACE_SCE; 1244 CTR4(KTR_PTRACE, 1245 "PT_TO_SCE: pid %d, events = %#x, PC = %#lx, sig = %d", 1246 p->p_pid, p->p_ptevents, 1247 (u_long)(uintfptr_t)addr, data); 1248 break; 1249 case PT_TO_SCX: 1250 p->p_ptevents |= PTRACE_SCX; 1251 CTR4(KTR_PTRACE, 1252 "PT_TO_SCX: pid %d, events = %#x, PC = %#lx, sig = %d", 1253 p->p_pid, p->p_ptevents, 1254 (u_long)(uintfptr_t)addr, data); 1255 break; 1256 case PT_SYSCALL: 1257 p->p_ptevents |= PTRACE_SYSCALL; 1258 CTR4(KTR_PTRACE, 1259 "PT_SYSCALL: pid %d, events = %#x, PC = %#lx, sig = %d", 1260 p->p_pid, p->p_ptevents, 1261 (u_long)(uintfptr_t)addr, data); 1262 break; 1263 case PT_CONTINUE: 1264 CTR3(KTR_PTRACE, 1265 "PT_CONTINUE: pid %d, PC = %#lx, sig = %d", 1266 p->p_pid, (u_long)(uintfptr_t)addr, data); 1267 break; 1268 } 1269 break; 1270 case PT_DETACH: 1271 /* 1272 * Clear P_TRACED before reparenting 1273 * a detached process back to its original 1274 * parent. Otherwise the debugee will be set 1275 * as an orphan of the debugger. 1276 */ 1277 p->p_flag &= ~(P_TRACED | P_WAITED); 1278 1279 /* 1280 * Reset the process parent. 1281 */ 1282 if (p->p_oppid != p->p_pptr->p_pid) { 1283 PROC_LOCK(p->p_pptr); 1284 sigqueue_take(p->p_ksi); 1285 PROC_UNLOCK(p->p_pptr); 1286 1287 pp = proc_realparent(p); 1288 proc_reparent(p, pp, false); 1289 if (pp == initproc) 1290 p->p_sigparent = SIGCHLD; 1291 CTR3(KTR_PTRACE, 1292 "PT_DETACH: pid %d reparented to pid %d, sig %d", 1293 p->p_pid, pp->p_pid, data); 1294 } else { 1295 CTR2(KTR_PTRACE, "PT_DETACH: pid %d, sig %d", 1296 p->p_pid, data); 1297 } 1298 1299 p->p_ptevents = 0; 1300 FOREACH_THREAD_IN_PROC(p, td3) { 1301 if ((td3->td_dbgflags & TDB_FSTP) != 0) { 1302 sigqueue_delete(&td3->td_sigqueue, 1303 SIGSTOP); 1304 } 1305 td3->td_dbgflags &= ~(TDB_XSIG | TDB_FSTP | 1306 TDB_SUSPEND | TDB_BORN); 1307 } 1308 1309 if ((p->p_flag2 & P2_PTRACE_FSTP) != 0) { 1310 sigqueue_delete(&p->p_sigqueue, SIGSTOP); 1311 p->p_flag2 &= ~P2_PTRACE_FSTP; 1312 } 1313 1314 /* should we send SIGCHLD? */ 1315 /* childproc_continued(p); */ 1316 break; 1317 } 1318 1319 sx_xunlock(&proctree_lock); 1320 proctree_locked = false; 1321 1322 sendsig: 1323 MPASS(!proctree_locked); 1324 1325 /* 1326 * Clear the pending event for the thread that just 1327 * reported its event (p_xthread). This may not be 1328 * the thread passed to PT_CONTINUE, PT_STEP, etc. if 1329 * the debugger is resuming a different thread. 1330 * 1331 * Deliver any pending signal via the reporting thread. 1332 */ 1333 MPASS(p->p_xthread != NULL); 1334 p->p_xthread->td_dbgflags &= ~TDB_XSIG; 1335 p->p_xthread->td_xsig = data; 1336 p->p_xthread = NULL; 1337 p->p_xsig = data; 1338 1339 /* 1340 * P_WKILLED is insurance that a PT_KILL/SIGKILL 1341 * always works immediately, even if another thread is 1342 * unsuspended first and attempts to handle a 1343 * different signal or if the POSIX.1b style signal 1344 * queue cannot accommodate any new signals. 1345 */ 1346 if (data == SIGKILL) 1347 proc_wkilled(p); 1348 1349 /* 1350 * Unsuspend all threads. To leave a thread 1351 * suspended, use PT_SUSPEND to suspend it before 1352 * continuing the process. 1353 */ 1354 ptrace_unsuspend(p); 1355 break; 1356 1357 case PT_WRITE_I: 1358 case PT_WRITE_D: 1359 td2->td_dbgflags |= TDB_USERWR; 1360 PROC_UNLOCK(p); 1361 error = 0; 1362 if (proc_writemem(td, p, (off_t)(uintptr_t)addr, &data, 1363 sizeof(int)) != sizeof(int)) 1364 error = ENOMEM; 1365 else 1366 CTR3(KTR_PTRACE, "PT_WRITE: pid %d: %p <= %#x", 1367 p->p_pid, addr, data); 1368 PROC_LOCK(p); 1369 break; 1370 1371 case PT_READ_I: 1372 case PT_READ_D: 1373 PROC_UNLOCK(p); 1374 error = tmp = 0; 1375 if (proc_readmem(td, p, (off_t)(uintptr_t)addr, &tmp, 1376 sizeof(int)) != sizeof(int)) 1377 error = ENOMEM; 1378 else 1379 CTR3(KTR_PTRACE, "PT_READ: pid %d: %p >= %#x", 1380 p->p_pid, addr, tmp); 1381 td->td_retval[0] = tmp; 1382 PROC_LOCK(p); 1383 break; 1384 1385 case PT_IO: 1386 piod = addr; 1387 iov.iov_base = piod->piod_addr; 1388 iov.iov_len = piod->piod_len; 1389 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs; 1390 uio.uio_resid = piod->piod_len; 1391 uio.uio_iov = &iov; 1392 uio.uio_iovcnt = 1; 1393 uio.uio_segflg = UIO_USERSPACE; 1394 uio.uio_td = td; 1395 switch (piod->piod_op) { 1396 case PIOD_READ_D: 1397 case PIOD_READ_I: 1398 CTR3(KTR_PTRACE, "PT_IO: pid %d: READ (%p, %#x)", 1399 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1400 uio.uio_rw = UIO_READ; 1401 break; 1402 case PIOD_WRITE_D: 1403 case PIOD_WRITE_I: 1404 CTR3(KTR_PTRACE, "PT_IO: pid %d: WRITE (%p, %#x)", 1405 p->p_pid, (uintptr_t)uio.uio_offset, uio.uio_resid); 1406 td2->td_dbgflags |= TDB_USERWR; 1407 uio.uio_rw = UIO_WRITE; 1408 break; 1409 default: 1410 error = EINVAL; 1411 goto out; 1412 } 1413 PROC_UNLOCK(p); 1414 error = proc_rwmem(p, &uio); 1415 piod->piod_len -= uio.uio_resid; 1416 PROC_LOCK(p); 1417 break; 1418 1419 case PT_KILL: 1420 CTR1(KTR_PTRACE, "PT_KILL: pid %d", p->p_pid); 1421 data = SIGKILL; 1422 goto sendsig; /* in PT_CONTINUE above */ 1423 1424 case PT_SETREGS: 1425 CTR2(KTR_PTRACE, "PT_SETREGS: tid %d (pid %d)", td2->td_tid, 1426 p->p_pid); 1427 td2->td_dbgflags |= TDB_USERWR; 1428 error = PROC_WRITE(regs, td2, addr); 1429 break; 1430 1431 case PT_GETREGS: 1432 CTR2(KTR_PTRACE, "PT_GETREGS: tid %d (pid %d)", td2->td_tid, 1433 p->p_pid); 1434 error = PROC_READ(regs, td2, addr); 1435 break; 1436 1437 case PT_SETFPREGS: 1438 CTR2(KTR_PTRACE, "PT_SETFPREGS: tid %d (pid %d)", td2->td_tid, 1439 p->p_pid); 1440 td2->td_dbgflags |= TDB_USERWR; 1441 error = PROC_WRITE(fpregs, td2, addr); 1442 break; 1443 1444 case PT_GETFPREGS: 1445 CTR2(KTR_PTRACE, "PT_GETFPREGS: tid %d (pid %d)", td2->td_tid, 1446 p->p_pid); 1447 error = PROC_READ(fpregs, td2, addr); 1448 break; 1449 1450 case PT_SETDBREGS: 1451 CTR2(KTR_PTRACE, "PT_SETDBREGS: tid %d (pid %d)", td2->td_tid, 1452 p->p_pid); 1453 td2->td_dbgflags |= TDB_USERWR; 1454 error = PROC_WRITE(dbregs, td2, addr); 1455 break; 1456 1457 case PT_GETDBREGS: 1458 CTR2(KTR_PTRACE, "PT_GETDBREGS: tid %d (pid %d)", td2->td_tid, 1459 p->p_pid); 1460 error = PROC_READ(dbregs, td2, addr); 1461 break; 1462 1463 case PT_SETREGSET: 1464 CTR2(KTR_PTRACE, "PT_SETREGSET: tid %d (pid %d)", td2->td_tid, 1465 p->p_pid); 1466 error = proc_write_regset(td2, data, addr); 1467 break; 1468 1469 case PT_GETREGSET: 1470 CTR2(KTR_PTRACE, "PT_GETREGSET: tid %d (pid %d)", td2->td_tid, 1471 p->p_pid); 1472 error = proc_read_regset(td2, data, addr); 1473 break; 1474 1475 case PT_LWPINFO: 1476 if (data <= 0 || data > sizeof(*pl)) { 1477 error = EINVAL; 1478 break; 1479 } 1480 pl = addr; 1481 bzero(pl, sizeof(*pl)); 1482 pl->pl_lwpid = td2->td_tid; 1483 pl->pl_event = PL_EVENT_NONE; 1484 pl->pl_flags = 0; 1485 if (td2->td_dbgflags & TDB_XSIG) { 1486 pl->pl_event = PL_EVENT_SIGNAL; 1487 if (td2->td_si.si_signo != 0 && 1488 data >= offsetof(struct ptrace_lwpinfo, pl_siginfo) 1489 + sizeof(pl->pl_siginfo)){ 1490 pl->pl_flags |= PL_FLAG_SI; 1491 pl->pl_siginfo = td2->td_si; 1492 } 1493 } 1494 if (td2->td_dbgflags & TDB_SCE) 1495 pl->pl_flags |= PL_FLAG_SCE; 1496 else if (td2->td_dbgflags & TDB_SCX) 1497 pl->pl_flags |= PL_FLAG_SCX; 1498 if (td2->td_dbgflags & TDB_EXEC) 1499 pl->pl_flags |= PL_FLAG_EXEC; 1500 if (td2->td_dbgflags & TDB_FORK) { 1501 pl->pl_flags |= PL_FLAG_FORKED; 1502 pl->pl_child_pid = td2->td_dbg_forked; 1503 if (td2->td_dbgflags & TDB_VFORK) 1504 pl->pl_flags |= PL_FLAG_VFORKED; 1505 } else if ((td2->td_dbgflags & (TDB_SCX | TDB_VFORK)) == 1506 TDB_VFORK) 1507 pl->pl_flags |= PL_FLAG_VFORK_DONE; 1508 if (td2->td_dbgflags & TDB_CHILD) 1509 pl->pl_flags |= PL_FLAG_CHILD; 1510 if (td2->td_dbgflags & TDB_BORN) 1511 pl->pl_flags |= PL_FLAG_BORN; 1512 if (td2->td_dbgflags & TDB_EXIT) 1513 pl->pl_flags |= PL_FLAG_EXITED; 1514 pl->pl_sigmask = td2->td_sigmask; 1515 pl->pl_siglist = td2->td_siglist; 1516 strcpy(pl->pl_tdname, td2->td_name); 1517 if ((td2->td_dbgflags & (TDB_SCE | TDB_SCX)) != 0) { 1518 pl->pl_syscall_code = td2->td_sa.code; 1519 pl->pl_syscall_narg = td2->td_sa.callp->sy_narg; 1520 } else { 1521 pl->pl_syscall_code = 0; 1522 pl->pl_syscall_narg = 0; 1523 } 1524 CTR6(KTR_PTRACE, 1525 "PT_LWPINFO: tid %d (pid %d) event %d flags %#x child pid %d syscall %d", 1526 td2->td_tid, p->p_pid, pl->pl_event, pl->pl_flags, 1527 pl->pl_child_pid, pl->pl_syscall_code); 1528 break; 1529 1530 case PT_GETNUMLWPS: 1531 CTR2(KTR_PTRACE, "PT_GETNUMLWPS: pid %d: %d threads", p->p_pid, 1532 p->p_numthreads); 1533 td->td_retval[0] = p->p_numthreads; 1534 break; 1535 1536 case PT_GETLWPLIST: 1537 CTR3(KTR_PTRACE, "PT_GETLWPLIST: pid %d: data %d, actual %d", 1538 p->p_pid, data, p->p_numthreads); 1539 if (data <= 0) { 1540 error = EINVAL; 1541 break; 1542 } 1543 num = imin(p->p_numthreads, data); 1544 PROC_UNLOCK(p); 1545 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK); 1546 tmp = 0; 1547 PROC_LOCK(p); 1548 FOREACH_THREAD_IN_PROC(p, td2) { 1549 if (tmp >= num) 1550 break; 1551 buf[tmp++] = td2->td_tid; 1552 } 1553 PROC_UNLOCK(p); 1554 error = copyout(buf, addr, tmp * sizeof(lwpid_t)); 1555 free(buf, M_TEMP); 1556 if (!error) 1557 td->td_retval[0] = tmp; 1558 PROC_LOCK(p); 1559 break; 1560 1561 case PT_VM_TIMESTAMP: 1562 CTR2(KTR_PTRACE, "PT_VM_TIMESTAMP: pid %d: timestamp %d", 1563 p->p_pid, p->p_vmspace->vm_map.timestamp); 1564 td->td_retval[0] = p->p_vmspace->vm_map.timestamp; 1565 break; 1566 1567 case PT_VM_ENTRY: 1568 PROC_UNLOCK(p); 1569 error = ptrace_vm_entry(td, p, addr); 1570 PROC_LOCK(p); 1571 break; 1572 1573 case PT_COREDUMP: 1574 pc = addr; 1575 CTR2(KTR_PTRACE, "PT_COREDUMP: pid %d, fd %d", 1576 p->p_pid, pc->pc_fd); 1577 1578 if ((pc->pc_flags & ~(PC_COMPRESS | PC_ALL)) != 0) { 1579 error = EINVAL; 1580 break; 1581 } 1582 PROC_UNLOCK(p); 1583 1584 tcq = malloc(sizeof(*tcq), M_TEMP, M_WAITOK | M_ZERO); 1585 fp = NULL; 1586 error = fget_write(td, pc->pc_fd, &cap_write_rights, &fp); 1587 if (error != 0) 1588 goto coredump_cleanup_nofp; 1589 if (fp->f_type != DTYPE_VNODE || fp->f_vnode->v_type != VREG) { 1590 error = EPIPE; 1591 goto coredump_cleanup; 1592 } 1593 1594 PROC_LOCK(p); 1595 error = proc_can_ptrace(td, p); 1596 if (error != 0) 1597 goto coredump_cleanup_locked; 1598 1599 td2 = ptrace_sel_coredump_thread(p); 1600 if (td2 == NULL) { 1601 error = EBUSY; 1602 goto coredump_cleanup_locked; 1603 } 1604 KASSERT((td2->td_dbgflags & (TDB_COREDUMPREQ | 1605 TDB_SCREMOTEREQ)) == 0, 1606 ("proc %d tid %d req coredump", p->p_pid, td2->td_tid)); 1607 1608 tcq->tc_vp = fp->f_vnode; 1609 tcq->tc_limit = pc->pc_limit == 0 ? OFF_MAX : pc->pc_limit; 1610 tcq->tc_flags = SVC_PT_COREDUMP; 1611 if ((pc->pc_flags & PC_COMPRESS) == 0) 1612 tcq->tc_flags |= SVC_NOCOMPRESS; 1613 if ((pc->pc_flags & PC_ALL) != 0) 1614 tcq->tc_flags |= SVC_ALL; 1615 td2->td_remotereq = tcq; 1616 td2->td_dbgflags |= TDB_COREDUMPREQ; 1617 thread_run_flash(td2); 1618 while ((td2->td_dbgflags & TDB_COREDUMPREQ) != 0) 1619 msleep(p, &p->p_mtx, PPAUSE, "crdmp", 0); 1620 error = tcq->tc_error; 1621coredump_cleanup_locked: 1622 PROC_UNLOCK(p); 1623coredump_cleanup: 1624 fdrop(fp, td); 1625coredump_cleanup_nofp: 1626 free(tcq, M_TEMP); 1627 PROC_LOCK(p); 1628 break; 1629 1630 case PT_SC_REMOTE: 1631 pscr = addr; 1632 CTR2(KTR_PTRACE, "PT_SC_REMOTE: pid %d, syscall %d", 1633 p->p_pid, pscr->pscr_syscall); 1634 if ((td2->td_dbgflags & TDB_BOUNDARY) == 0) { 1635 error = EBUSY; 1636 break; 1637 } 1638 PROC_UNLOCK(p); 1639 MPASS(pscr->pscr_nargs <= nitems(td->td_sa.args)); 1640 1641 tsr = malloc(sizeof(struct thr_syscall_req), M_TEMP, 1642 M_WAITOK | M_ZERO); 1643 1644 tsr->ts_sa.code = pscr->pscr_syscall; 1645 tsr->ts_nargs = pscr->pscr_nargs; 1646 memcpy(&tsr->ts_sa.args, pscr->pscr_args, 1647 sizeof(syscallarg_t) * tsr->ts_nargs); 1648 1649 PROC_LOCK(p); 1650 error = proc_can_ptrace(td, p); 1651 if (error != 0) { 1652 free(tsr, M_TEMP); 1653 break; 1654 } 1655 if (td2->td_proc != p) { 1656 free(tsr, M_TEMP); 1657 error = ESRCH; 1658 break; 1659 } 1660 KASSERT((td2->td_dbgflags & (TDB_COREDUMPREQ | 1661 TDB_SCREMOTEREQ)) == 0, 1662 ("proc %d tid %d req coredump", p->p_pid, td2->td_tid)); 1663 1664 td2->td_remotereq = tsr; 1665 td2->td_dbgflags |= TDB_SCREMOTEREQ; 1666 thread_run_flash(td2); 1667 while ((td2->td_dbgflags & TDB_SCREMOTEREQ) != 0) 1668 msleep(p, &p->p_mtx, PPAUSE, "pscrx", 0); 1669 error = 0; 1670 memcpy(&pscr->pscr_ret, &tsr->ts_ret, sizeof(tsr->ts_ret)); 1671 free(tsr, M_TEMP); 1672 break; 1673 1674 default: 1675#ifdef __HAVE_PTRACE_MACHDEP 1676 if (req >= PT_FIRSTMACH) { 1677 PROC_UNLOCK(p); 1678 error = cpu_ptrace(td2, req, addr, data); 1679 PROC_LOCK(p); 1680 } else 1681#endif 1682 /* Unknown request. */ 1683 error = EINVAL; 1684 break; 1685 } 1686out: 1687 /* Drop our hold on this process now that the request has completed. */ 1688 _PRELE(p); 1689fail: 1690 if (p2_req_set) { 1691 if ((p->p_flag2 & P2_PTRACEREQ) != 0) 1692 wakeup(&p->p_flag2); 1693 p->p_flag2 &= ~P2_PTRACEREQ; 1694 } 1695 PROC_UNLOCK(p); 1696 if (proctree_locked) 1697 sx_xunlock(&proctree_lock); 1698 return (error); 1699} 1700#undef PROC_READ 1701#undef PROC_WRITE 1702