sys_process.c revision 1.37
1/* $OpenBSD: sys_process.c,v 1.37 2006/11/29 12:24:18 miod Exp $ */ 2/* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */ 3 4/*- 5 * Copyright (c) 1994 Christopher G. Demetriou. All rights reserved. 6 * Copyright (c) 1982, 1986, 1989, 1993 7 * The Regents of the University of California. All rights reserved. 8 * (c) UNIX System Laboratories, Inc. 9 * All or some portions of this file are derived from material licensed 10 * to the University of California by American Telephone and Telegraph 11 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 12 * the permission of UNIX System Laboratories, Inc. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * from: @(#)sys_process.c 8.1 (Berkeley) 6/10/93 39 */ 40 41/* 42 * References: 43 * (1) Bach's "The Design of the UNIX Operating System", 44 * (2) sys/miscfs/procfs from UCB's 4.4BSD-Lite distribution, 45 * (3) the "4.4BSD Programmer's Reference Manual" published 46 * by USENIX and O'Reilly & Associates. 47 * The 4.4BSD PRM does a reasonably good job of documenting what the various 48 * ptrace() requests should actually do, and its text is quoted several times 49 * in this file. 50 */ 51 52#include <sys/param.h> 53#include <sys/systm.h> 54#include <sys/proc.h> 55#include <sys/signalvar.h> 56#include <sys/errno.h> 57#include <sys/malloc.h> 58#include <sys/ptrace.h> 59#include <sys/uio.h> 60#include <sys/user.h> 61#include <sys/sched.h> 62 63#include <sys/mount.h> 64#include <sys/syscallargs.h> 65 66#include <uvm/uvm_extern.h> 67 68#include <machine/reg.h> 69 70#ifdef PTRACE 71/* 72 * Process debugging system call. 73 */ 74int 75sys_ptrace(struct proc *p, void *v, register_t *retval) 76{ 77 struct sys_ptrace_args /* { 78 syscallarg(int) req; 79 syscallarg(pid_t) pid; 80 syscallarg(caddr_t) addr; 81 syscallarg(int) data; 82 } */ *uap = v; 83 struct proc *t; /* target process */ 84 struct uio uio; 85 struct iovec iov; 86 struct ptrace_io_desc piod; 87 struct ptrace_event pe; 88 struct reg *regs; 89#if defined (PT_SETFPREGS) || defined (PT_GETFPREGS) 90 struct fpreg *fpregs; 91#endif 92#if defined (PT_SETXMMREGS) || defined (PT_GETXMMREGS) 93 struct xmmregs *xmmregs; 94#endif 95#ifdef PT_WCOOKIE 96 register_t wcookie; 97#endif 98 int error, write; 99 int temp; 100 int req; 101 int s; 102 103 /* "A foolish consistency..." XXX */ 104 if (SCARG(uap, req) == PT_TRACE_ME) 105 t = p; 106 else { 107 108 /* Find the process we're supposed to be operating on. */ 109 if ((t = pfind(SCARG(uap, pid))) == NULL) 110 return (ESRCH); 111 } 112 113 if ((t->p_flag & P_INEXEC) != 0) 114 return (EAGAIN); 115 116 /* Make sure we can operate on it. */ 117 switch (SCARG(uap, req)) { 118 case PT_TRACE_ME: 119 /* Saying that you're being traced is always legal. */ 120 break; 121 122 case PT_ATTACH: 123 /* 124 * You can't attach to a process if: 125 * (1) it's the process that's doing the attaching, 126 */ 127 if (t->p_pid == p->p_pid) 128 return (EINVAL); 129 130 /* 131 * (2) it's a system process 132 */ 133 if (ISSET(t->p_flag, P_SYSTEM)) 134 return (EPERM); 135 136 /* 137 * (3) it's already being traced, or 138 */ 139 if (ISSET(t->p_flag, P_TRACED)) 140 return (EBUSY); 141 142 /* 143 * (4) it's not owned by you, or the last exec 144 * gave us setuid/setgid privs (unless 145 * you're root), or... 146 * 147 * [Note: once P_SUGID or P_SUGIDEXEC gets set in 148 * execve(), they stay set until the process does 149 * another execve(). Hence this prevents a setuid 150 * process which revokes it's special privileges using 151 * setuid() from being traced. This is good security.] 152 */ 153 if ((t->p_cred->p_ruid != p->p_cred->p_ruid || 154 ISSET(t->p_flag, P_SUGIDEXEC) || 155 ISSET(t->p_flag, P_SUGID)) && 156 (error = suser(p, 0)) != 0) 157 return (error); 158 159 /* 160 * (5) ...it's init, which controls the security level 161 * of the entire system, and the system was not 162 * compiled with permanently insecure mode turned 163 * on. 164 */ 165 if ((t->p_pid == 1) && (securelevel > -1)) 166 return (EPERM); 167 break; 168 169 case PT_READ_I: 170 case PT_READ_D: 171 case PT_WRITE_I: 172 case PT_WRITE_D: 173 case PT_IO: 174 case PT_CONTINUE: 175 case PT_KILL: 176 case PT_DETACH: 177#ifdef PT_STEP 178 case PT_STEP: 179#endif 180 case PT_SET_EVENT_MASK: 181 case PT_GET_EVENT_MASK: 182 case PT_GET_PROCESS_STATE: 183 case PT_GETREGS: 184 case PT_SETREGS: 185#ifdef PT_GETFPREGS 186 case PT_GETFPREGS: 187#endif 188#ifdef PT_SETFPREGS 189 case PT_SETFPREGS: 190#endif 191#ifdef PT_GETXMMREGS 192 case PT_GETXMMREGS: 193#endif 194#ifdef PT_SETXMMREGS 195 case PT_SETXMMREGS: 196#endif 197#ifdef PT_WCOOKIE 198 case PT_WCOOKIE: 199#endif 200 /* 201 * You can't do what you want to the process if: 202 * (1) It's not being traced at all, 203 */ 204 if (!ISSET(t->p_flag, P_TRACED)) 205 return (EPERM); 206 207 /* 208 * (2) it's not being traced by _you_, or 209 */ 210 if (t->p_pptr != p) 211 return (EBUSY); 212 213 /* 214 * (3) it's not currently stopped. 215 */ 216 if (t->p_stat != SSTOP || !ISSET(t->p_flag, P_WAITED)) 217 return (EBUSY); 218 break; 219 220 default: /* It was not a legal request. */ 221 return (EINVAL); 222 } 223 224 /* Do single-step fixup if needed. */ 225 FIX_SSTEP(t); 226 227 /* Now do the operation. */ 228 write = 0; 229 *retval = 0; 230 231 switch (SCARG(uap, req)) { 232 case PT_TRACE_ME: 233 /* Just set the trace flag. */ 234 SET(t->p_flag, P_TRACED); 235 t->p_oppid = t->p_pptr->p_pid; 236 if (t->p_ptstat == NULL) 237 t->p_ptstat = malloc(sizeof(*t->p_ptstat), 238 M_SUBPROC, M_WAITOK); 239 bzero(t->p_ptstat, sizeof(*t->p_ptstat)); 240 return (0); 241 242 case PT_WRITE_I: /* XXX no separate I and D spaces */ 243 case PT_WRITE_D: 244 write = 1; 245 temp = SCARG(uap, data); 246 case PT_READ_I: /* XXX no separate I and D spaces */ 247 case PT_READ_D: 248 /* write = 0 done above. */ 249 iov.iov_base = (caddr_t)&temp; 250 iov.iov_len = sizeof(int); 251 uio.uio_iov = &iov; 252 uio.uio_iovcnt = 1; 253 uio.uio_offset = (off_t)(long)SCARG(uap, addr); 254 uio.uio_resid = sizeof(int); 255 uio.uio_segflg = UIO_SYSSPACE; 256 uio.uio_rw = write ? UIO_WRITE : UIO_READ; 257 uio.uio_procp = p; 258 error = process_domem(p, t, &uio, write ? PT_WRITE_I : 259 PT_READ_I); 260 if (write == 0) 261 *retval = temp; 262 return (error); 263 case PT_IO: 264 error = copyin(SCARG(uap, addr), &piod, sizeof(piod)); 265 if (error) 266 return (error); 267 iov.iov_base = piod.piod_addr; 268 iov.iov_len = piod.piod_len; 269 uio.uio_iov = &iov; 270 uio.uio_iovcnt = 1; 271 uio.uio_offset = (off_t)(long)piod.piod_offs; 272 uio.uio_resid = piod.piod_len; 273 uio.uio_segflg = UIO_USERSPACE; 274 uio.uio_procp = p; 275 switch (piod.piod_op) { 276 case PIOD_READ_I: 277 req = PT_READ_I; 278 uio.uio_rw = UIO_READ; 279 break; 280 case PIOD_READ_D: 281 req = PT_READ_D; 282 uio.uio_rw = UIO_READ; 283 break; 284 case PIOD_WRITE_I: 285 req = PT_WRITE_I; 286 uio.uio_rw = UIO_WRITE; 287 break; 288 case PIOD_WRITE_D: 289 req = PT_WRITE_D; 290 uio.uio_rw = UIO_WRITE; 291 break; 292 default: 293 return (EINVAL); 294 } 295 error = process_domem(p, t, &uio, req); 296 piod.piod_len -= uio.uio_resid; 297 (void) copyout(&piod, SCARG(uap, addr), sizeof(piod)); 298 return (error); 299#ifdef PT_STEP 300 case PT_STEP: 301 /* 302 * From the 4.4BSD PRM: 303 * "Execution continues as in request PT_CONTINUE; however 304 * as soon as possible after execution of at least one 305 * instruction, execution stops again. [ ... ]" 306 */ 307#endif 308 case PT_CONTINUE: 309 /* 310 * From the 4.4BSD PRM: 311 * "The data argument is taken as a signal number and the 312 * child's execution continues at location addr as if it 313 * incurred that signal. Normally the signal number will 314 * be either 0 to indicate that the signal that caused the 315 * stop should be ignored, or that value fetched out of 316 * the process's image indicating which signal caused 317 * the stop. If addr is (int *)1 then execution continues 318 * from where it stopped." 319 */ 320 321 /* Check that the data is a valid signal number or zero. */ 322 if (SCARG(uap, data) < 0 || SCARG(uap, data) >= NSIG) 323 return (EINVAL); 324 325 /* If the address parameter is not (int *)1, set the pc. */ 326 if ((int *)SCARG(uap, addr) != (int *)1) 327 if ((error = process_set_pc(t, SCARG(uap, addr))) != 0) 328 goto relebad; 329 330#ifdef PT_STEP 331 /* 332 * Arrange for a single-step, if that's requested and possible. 333 */ 334 error = process_sstep(t, SCARG(uap, req) == PT_STEP); 335 if (error) 336 goto relebad; 337#endif 338 goto sendsig; 339 340 case PT_DETACH: 341 /* 342 * From the 4.4BSD PRM: 343 * "The data argument is taken as a signal number and the 344 * child's execution continues at location addr as if it 345 * incurred that signal. Normally the signal number will 346 * be either 0 to indicate that the signal that caused the 347 * stop should be ignored, or that value fetched out of 348 * the process's image indicating which signal caused 349 * the stop. If addr is (int *)1 then execution continues 350 * from where it stopped." 351 */ 352 353 /* Check that the data is a valid signal number or zero. */ 354 if (SCARG(uap, data) < 0 || SCARG(uap, data) >= NSIG) 355 return (EINVAL); 356 357#ifdef PT_STEP 358 /* 359 * Arrange for a single-step, if that's requested and possible. 360 */ 361 error = process_sstep(t, SCARG(uap, req) == PT_STEP); 362 if (error) 363 goto relebad; 364#endif 365 366 /* give process back to original parent or init */ 367 if (t->p_oppid != t->p_pptr->p_pid) { 368 struct proc *pp; 369 370 pp = pfind(t->p_oppid); 371 proc_reparent(t, pp ? pp : initproc); 372 } 373 374 /* not being traced any more */ 375 t->p_oppid = 0; 376 CLR(t->p_flag, P_TRACED|P_WAITED); 377 378 sendsig: 379 bzero(t->p_ptstat, sizeof(*t->p_ptstat)); 380 381 /* Finally, deliver the requested signal (or none). */ 382 if (t->p_stat == SSTOP) { 383 t->p_xstat = SCARG(uap, data); 384 SCHED_LOCK(s); 385 setrunnable(t); 386 SCHED_UNLOCK(s); 387 } else { 388 if (SCARG(uap, data) != 0) 389 psignal(t, SCARG(uap, data)); 390 } 391 return (0); 392 393 relebad: 394 return (error); 395 396 case PT_KILL: 397 /* just send the process a KILL signal. */ 398 SCARG(uap, data) = SIGKILL; 399 goto sendsig; /* in PT_CONTINUE, above. */ 400 401 case PT_ATTACH: 402 /* 403 * As done in procfs: 404 * Go ahead and set the trace flag. 405 * Save the old parent (it's reset in 406 * _DETACH, and also in kern_exit.c:wait4() 407 * Reparent the process so that the tracing 408 * proc gets to see all the action. 409 * Stop the target. 410 */ 411 SET(t->p_flag, P_TRACED); 412 t->p_oppid = t->p_pptr->p_pid; 413 if (t->p_pptr != p) 414 proc_reparent(t, p); 415 if (t->p_ptstat == NULL) 416 t->p_ptstat = malloc(sizeof(*t->p_ptstat), 417 M_SUBPROC, M_WAITOK); 418 SCARG(uap, data) = SIGSTOP; 419 goto sendsig; 420 421 case PT_GET_EVENT_MASK: 422 if (SCARG(uap, data) != sizeof(pe)) 423 return (EINVAL); 424 bzero(&pe, sizeof(pe)); 425 pe.pe_set_event = t->p_ptmask; 426 return (copyout(&pe, SCARG(uap, addr), sizeof(pe))); 427 case PT_SET_EVENT_MASK: 428 if (SCARG(uap, data) != sizeof(pe)) 429 return (EINVAL); 430 if ((error = copyin(SCARG(uap, addr), &pe, sizeof(pe)))) 431 return (error); 432 t->p_ptmask = pe.pe_set_event; 433 return (0); 434 435 case PT_GET_PROCESS_STATE: 436 if (SCARG(uap, data) != sizeof(*t->p_ptstat)) 437 return (EINVAL); 438 return (copyout(t->p_ptstat, SCARG(uap, addr), 439 sizeof(*t->p_ptstat))); 440 441 case PT_SETREGS: 442 KASSERT((p->p_flag & P_SYSTEM) == 0); 443 if ((error = process_checkioperm(p, t)) != 0) 444 return (error); 445 446 regs = malloc(sizeof(*regs), M_TEMP, M_WAITOK); 447 error = copyin(SCARG(uap, addr), regs, sizeof(*regs)); 448 if (error == 0) { 449 error = process_write_regs(t, regs); 450 } 451 free(regs, M_TEMP); 452 return (error); 453 case PT_GETREGS: 454 KASSERT((p->p_flag & P_SYSTEM) == 0); 455 if ((error = process_checkioperm(p, t)) != 0) 456 return (error); 457 458 regs = malloc(sizeof(*regs), M_TEMP, M_WAITOK); 459 error = process_read_regs(t, regs); 460 if (error == 0) 461 error = copyout(regs, 462 SCARG(uap, addr), sizeof (*regs)); 463 free(regs, M_TEMP); 464 return (error); 465#ifdef PT_SETFPREGS 466 case PT_SETFPREGS: 467 KASSERT((p->p_flag & P_SYSTEM) == 0); 468 if ((error = process_checkioperm(p, t)) != 0) 469 return (error); 470 471 fpregs = malloc(sizeof(*fpregs), M_TEMP, M_WAITOK); 472 error = copyin(SCARG(uap, addr), fpregs, sizeof(*fpregs)); 473 if (error == 0) { 474 error = process_write_fpregs(t, fpregs); 475 } 476 free(fpregs, M_TEMP); 477 return (error); 478#endif 479#ifdef PT_GETFPREGS 480 case PT_GETFPREGS: 481 KASSERT((p->p_flag & P_SYSTEM) == 0); 482 if ((error = process_checkioperm(p, t)) != 0) 483 return (error); 484 485 fpregs = malloc(sizeof(*fpregs), M_TEMP, M_WAITOK); 486 error = process_read_fpregs(t, fpregs); 487 if (error == 0) 488 error = copyout(fpregs, 489 SCARG(uap, addr), sizeof(*fpregs)); 490 free(fpregs, M_TEMP); 491 return (error); 492#endif 493#ifdef PT_SETXMMREGS 494 case PT_SETXMMREGS: 495 KASSERT((p->p_flag & P_SYSTEM) == 0); 496 if ((error = process_checkioperm(p, t)) != 0) 497 return (error); 498 499 xmmregs = malloc(sizeof(*xmmregs), M_TEMP, M_WAITOK); 500 error = copyin(SCARG(uap, addr), xmmregs, sizeof(*xmmregs)); 501 if (error == 0) { 502 error = process_write_xmmregs(t, xmmregs); 503 } 504 free(xmmregs, M_TEMP); 505 return (error); 506#endif 507#ifdef PT_GETXMMREGS 508 case PT_GETXMMREGS: 509 KASSERT((p->p_flag & P_SYSTEM) == 0); 510 if ((error = process_checkioperm(p, t)) != 0) 511 return (error); 512 513 xmmregs = malloc(sizeof(*xmmregs), M_TEMP, M_WAITOK); 514 error = process_read_xmmregs(t, xmmregs); 515 if (error == 0) 516 error = copyout(xmmregs, 517 SCARG(uap, addr), sizeof(*xmmregs)); 518 free(xmmregs, M_TEMP); 519 return (error); 520#endif 521#ifdef PT_WCOOKIE 522 case PT_WCOOKIE: 523 wcookie = process_get_wcookie (t); 524 return (copyout(&wcookie, SCARG(uap, addr), 525 sizeof (register_t))); 526#endif 527 } 528 529#ifdef DIAGNOSTIC 530 panic("ptrace: impossible"); 531#endif 532 return 0; 533} 534#endif /* PTRACE */ 535 536/* 537 * Check if a process is allowed to fiddle with the memory of another. 538 * 539 * p = tracer 540 * t = tracee 541 * 542 * 1. You can't attach to a process not owned by you or one that has raised 543 * its privileges. 544 * 1a. ...unless you are root. 545 * 546 * 2. init is always off-limits because it can control the securelevel. 547 * 2a. ...unless securelevel is permanently set to insecure. 548 * 549 * 3. Processes that are in the process of doing an exec() are always 550 * off-limits because of the can of worms they are. Just wait a 551 * second. 552 */ 553int 554process_checkioperm(struct proc *p, struct proc *t) 555{ 556 int error; 557 558 if ((t->p_cred->p_ruid != p->p_cred->p_ruid || 559 ISSET(t->p_flag, P_SUGIDEXEC) || 560 ISSET(t->p_flag, P_SUGID)) && 561 (error = suser(p, 0)) != 0) 562 return (error); 563 564 if ((t->p_pid == 1) && (securelevel > -1)) 565 return (EPERM); 566 567 if (t->p_flag & P_INEXEC) 568 return (EAGAIN); 569 570 return (0); 571} 572 573int 574process_domem(struct proc *curp, struct proc *p, struct uio *uio, int req) 575{ 576 int error; 577 vaddr_t addr; 578 vsize_t len; 579 580 len = uio->uio_resid; 581 if (len == 0) 582 return (0); 583 584 if ((error = process_checkioperm(curp, p)) != 0) 585 return (error); 586 587 /* XXXCDC: how should locking work here? */ 588 if ((p->p_flag & P_WEXIT) || (p->p_vmspace->vm_refcnt < 1)) 589 return(EFAULT); 590 addr = uio->uio_offset; 591 p->p_vmspace->vm_refcnt++; /* XXX */ 592 error = uvm_io(&p->p_vmspace->vm_map, uio, 593 (req == PT_WRITE_I) ? UVM_IO_FIXPROT : 0); 594 uvmspace_free(p->p_vmspace); 595 596 if (error == 0 && req == PT_WRITE_I) 597 pmap_proc_iflush(p, addr, len); 598 599 return (error); 600} 601