2 * Copyright (c) 1994, Sean Eric Fagan
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by Sean Eric Fagan.
16 * 4. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
35 #include "opt_compat.h"
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/mutex.h>
41 #include <sys/syscallsubr.h>
42 #include <sys/sysproto.h>
44 #include <sys/vnode.h>
45 #include <sys/ptrace.h>
47 #include <sys/malloc.h>
48 #include <sys/signalvar.h>
50 #include <machine/reg.h>
52 #include <security/audit/audit.h>
56 #include <vm/vm_extern.h>
57 #include <vm/vm_map.h>
58 #include <vm/vm_kern.h>
59 #include <vm/vm_object.h>
60 #include <vm/vm_page.h>
63 #include <sys/procfs.h>
64 #include <machine/fpu.h>
65 #include <compat/ia32/ia32_reg.h>
67 extern struct sysentvec ia32_freebsd_sysvec;
69 struct ptrace_io_desc32 {
78 * Functions implemented using PROC_ACTION():
80 * proc_read_regs(proc, regs)
81 * Get the current user-visible register set from the process
82 * and copy it into the regs structure (<machine/reg.h>).
83 * The process is stopped at the time read_regs is called.
85 * proc_write_regs(proc, regs)
86 * Update the current register set from the passed in regs
87 * structure. Take care to avoid clobbering special CPU
88 * registers or privileged bits in the PSL.
89 * Depending on the architecture this may have fix-up work to do,
90 * especially if the IAR or PCW are modified.
91 * The process is stopped at the time write_regs is called.
93 * proc_read_fpregs, proc_write_fpregs
94 * deal with the floating point register set, otherwise as above.
96 * proc_read_dbregs, proc_write_dbregs
97 * deal with the processor debug register set, otherwise as above.
100 * Arrange for the process to trap after executing a single instruction.
103 #define PROC_ACTION(action) do { \
106 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \
107 if ((td->td_proc->p_sflag & PS_INMEM) == 0) \
115 proc_read_regs(struct thread *td, struct reg *regs)
118 PROC_ACTION(fill_regs(td, regs));
122 proc_write_regs(struct thread *td, struct reg *regs)
125 PROC_ACTION(set_regs(td, regs));
129 proc_read_dbregs(struct thread *td, struct dbreg *dbregs)
132 PROC_ACTION(fill_dbregs(td, dbregs));
136 proc_write_dbregs(struct thread *td, struct dbreg *dbregs)
139 PROC_ACTION(set_dbregs(td, dbregs));
143 * Ptrace doesn't support fpregs at all, and there are no security holes
144 * or translations for fpregs, so we can just copy them.
147 proc_read_fpregs(struct thread *td, struct fpreg *fpregs)
150 PROC_ACTION(fill_fpregs(td, fpregs));
154 proc_write_fpregs(struct thread *td, struct fpreg *fpregs)
157 PROC_ACTION(set_fpregs(td, fpregs));
161 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */
163 proc_read_regs32(struct thread *td, struct reg32 *regs32)
166 PROC_ACTION(fill_regs32(td, regs32));
170 proc_write_regs32(struct thread *td, struct reg32 *regs32)
173 PROC_ACTION(set_regs32(td, regs32));
177 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
180 PROC_ACTION(fill_dbregs32(td, dbregs32));
184 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
187 PROC_ACTION(set_dbregs32(td, dbregs32));
191 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
194 PROC_ACTION(fill_fpregs32(td, fpregs32));
198 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
201 PROC_ACTION(set_fpregs32(td, fpregs32));
206 proc_sstep(struct thread *td)
209 PROC_ACTION(ptrace_single_step(td));
213 proc_rwmem(struct proc *p, struct uio *uio)
216 vm_object_t backing_object, object = NULL;
217 vm_offset_t pageno = 0; /* page number */
222 * Assert that someone has locked this vmspace. (Should be
223 * curthread but we can't assert that.) This keeps the process
224 * from exiting out from under us until this operation completes.
226 KASSERT(p->p_lock >= 1, ("%s: process %p (pid %d) not held", __func__,
232 map = &p->p_vmspace->vm_map;
234 writing = uio->uio_rw == UIO_WRITE;
235 reqprot = writing ? (VM_PROT_WRITE | VM_PROT_OVERRIDE_WRITE) :
239 * Only map in one page at a time. We don't have to, but it
240 * makes things easier. This way is trivial - right?
245 int page_offset; /* offset into page */
246 vm_map_entry_t out_entry;
255 uva = (vm_offset_t)uio->uio_offset;
258 * Get the page number of this segment.
260 pageno = trunc_page(uva);
261 page_offset = uva - pageno;
264 * How many bytes to copy
266 len = min(PAGE_SIZE - page_offset, uio->uio_resid);
269 * Fault the page on behalf of the process
271 error = vm_fault(map, pageno, reqprot, VM_FAULT_NORMAL);
278 * Now we need to get the page. out_entry, out_prot, wired,
279 * and single_use aren't used. One would think the vm code
280 * would be a *bit* nicer... We use tmap because
281 * vm_map_lookup() can change the map argument.
284 error = vm_map_lookup(&tmap, pageno, reqprot, &out_entry,
285 &object, &pindex, &out_prot, &wired);
290 VM_OBJECT_LOCK(object);
291 while ((m = vm_page_lookup(object, pindex)) == NULL &&
293 (backing_object = object->backing_object) != NULL) {
295 * Allow fallback to backing objects if we are reading.
297 VM_OBJECT_LOCK(backing_object);
298 pindex += OFF_TO_IDX(object->backing_object_offset);
299 VM_OBJECT_UNLOCK(object);
300 object = backing_object;
302 VM_OBJECT_UNLOCK(object);
304 vm_map_lookup_done(tmap, out_entry);
310 * Hold the page in memory.
312 vm_page_lock_queues();
314 vm_page_unlock_queues();
317 * We're done with tmap now.
319 vm_map_lookup_done(tmap, out_entry);
322 * Now do the i/o move.
324 error = uiomove_fromphys(&m, page_offset, len, uio);
329 vm_page_lock_queues();
331 vm_page_unlock_queues();
333 } while (error == 0 && uio->uio_resid > 0);
339 * Process debugging system call.
341 #ifndef _SYS_SYSPROTO_H_
352 * This CPP subterfuge is to try and reduce the number of ifdefs in
353 * the body of the code.
354 * COPYIN(uap->addr, &r.reg, sizeof r.reg);
356 * copyin(uap->addr, &r.reg, sizeof r.reg);
358 * copyin(uap->addr, &r.reg32, sizeof r.reg32);
359 * .. except this is done at runtime.
361 #define COPYIN(u, k, s) wrap32 ? \
362 copyin(u, k ## 32, s ## 32) : \
364 #define COPYOUT(k, u, s) wrap32 ? \
365 copyout(k ## 32, u, s ## 32) : \
368 #define COPYIN(u, k, s) copyin(u, k, s)
369 #define COPYOUT(k, u, s) copyout(k, u, s)
375 ptrace(struct thread *td, struct ptrace_args *uap)
378 * XXX this obfuscation is to reduce stack usage, but the register
379 * structs may be too large to put on the stack anyway.
382 struct ptrace_io_desc piod;
383 struct ptrace_lwpinfo pl;
388 struct dbreg32 dbreg32;
389 struct fpreg32 fpreg32;
391 struct ptrace_io_desc32 piod32;
399 if (td->td_proc->p_sysent == &ia32_freebsd_sysvec)
402 AUDIT_ARG(pid, uap->pid);
403 AUDIT_ARG(cmd, uap->req);
404 AUDIT_ARG(addr, uap->addr);
405 AUDIT_ARG(value, uap->data);
414 error = COPYIN(uap->addr, &r.reg, sizeof r.reg);
417 error = COPYIN(uap->addr, &r.fpreg, sizeof r.fpreg);
420 error = COPYIN(uap->addr, &r.dbreg, sizeof r.dbreg);
423 error = COPYIN(uap->addr, &r.piod, sizeof r.piod);
432 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data);
438 error = COPYOUT(&r.piod, uap->addr, sizeof r.piod);
441 error = COPYOUT(&r.reg, uap->addr, sizeof r.reg);
444 error = COPYOUT(&r.fpreg, uap->addr, sizeof r.fpreg);
447 error = COPYOUT(&r.dbreg, uap->addr, sizeof r.dbreg);
450 error = copyout(&r.pl, uap->addr, uap->data);
461 * PROC_READ(regs, td2, addr);
463 * proc_read_regs(td2, addr);
465 * proc_read_regs32(td2, addr);
466 * .. except this is done at runtime. There is an additional
467 * complication in that PROC_WRITE disallows 32 bit consumers
468 * from writing to 64 bit address space targets.
470 #define PROC_READ(w, t, a) wrap32 ? \
471 proc_read_ ## w ## 32(t, a) : \
472 proc_read_ ## w (t, a)
473 #define PROC_WRITE(w, t, a) wrap32 ? \
474 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \
475 proc_write_ ## w (t, a)
477 #define PROC_READ(w, t, a) proc_read_ ## w (t, a)
478 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a)
482 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
486 struct proc *curp, *p, *pp;
487 struct thread *td2 = NULL;
488 struct ptrace_io_desc *piod = NULL;
489 struct ptrace_lwpinfo *pl;
490 int error, write, tmp, num;
491 int proctree_locked = 0;
492 lwpid_t tid = 0, *buf;
494 int wrap32 = 0, safe = 0;
495 struct ptrace_io_desc32 *piod32 = NULL;
500 /* Lock proctree before locking the process. */
510 sx_xlock(&proctree_lock);
518 if (req == PT_TRACE_ME) {
522 if (pid <= PID_MAX) {
523 if ((p = pfind(pid)) == NULL) {
525 sx_xunlock(&proctree_lock);
529 /* this is slow, should be optimized */
530 sx_slock(&allproc_lock);
531 FOREACH_PROC_IN_SYSTEM(p) {
533 mtx_lock_spin(&sched_lock);
534 FOREACH_THREAD_IN_PROC(p, td2) {
535 if (td2->td_tid == pid)
538 mtx_unlock_spin(&sched_lock);
540 break; /* proc lock held */
543 sx_sunlock(&allproc_lock);
546 sx_xunlock(&proctree_lock);
553 AUDIT_ARG(process, p);
555 if ((p->p_flag & P_WEXIT) != 0) {
559 if ((error = p_cansee(td, p)) != 0)
562 if ((error = p_candebug(td, p)) != 0)
566 * System processes can't be debugged.
568 if ((p->p_flag & P_SYSTEM) != 0) {
574 if ((p->p_flag & P_STOPPED_TRACE) != 0) {
575 KASSERT(p->p_xthread != NULL, ("NULL p_xthread"));
578 td2 = FIRST_THREAD_IN_PROC(p);
585 * Test if we're a 32 bit client and what the target is.
586 * Set the wrap controls accordingly.
588 if (td->td_proc->p_sysent == &ia32_freebsd_sysvec) {
589 if (td2->td_proc->p_sysent == &ia32_freebsd_sysvec)
604 if (p->p_pid == td->td_proc->p_pid) {
610 if (p->p_flag & P_TRACED) {
615 /* Can't trace an ancestor if you're being traced. */
616 if (curp->p_flag & P_TRACED) {
617 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) {
630 /* Allow thread to clear single step for itself */
631 if (td->td_tid == tid)
636 /* not being traced... */
637 if ((p->p_flag & P_TRACED) == 0) {
642 /* not being traced by YOU */
643 if (p->p_pptr != td->td_proc) {
648 /* not currently stopped */
649 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) == 0 ||
650 p->p_suspcount != p->p_numthreads ||
651 (p->p_flag & P_WAITED) == 0) {
656 if ((p->p_flag & P_STOPPED_TRACE) == 0) {
657 static int count = 0;
659 printf("P_STOPPED_TRACE not set.\n");
666 /* Keep this process around until we finish this request. */
671 * Single step fixup ala procfs
677 * Actually do the requests
680 td->td_retval[0] = 0;
684 /* set my trace flag and "owner" so it can read/write me */
685 p->p_flag |= P_TRACED;
686 p->p_oppid = p->p_pptr->p_pid;
690 /* security check done above */
691 p->p_flag |= P_TRACED;
692 p->p_oppid = p->p_pptr->p_pid;
693 if (p->p_pptr != td->td_proc)
694 proc_reparent(p, td->td_proc);
696 goto sendsig; /* in PT_CONTINUE below */
699 error = ptrace_clear_single_step(td2);
703 error = ptrace_single_step(td2);
707 mtx_lock_spin(&sched_lock);
708 td2->td_flags |= TDF_DBSUSPEND;
709 mtx_unlock_spin(&sched_lock);
713 mtx_lock_spin(&sched_lock);
714 td2->td_flags &= ~TDF_DBSUSPEND;
715 mtx_unlock_spin(&sched_lock);
724 /* Zero means do not send any signal */
725 if (data < 0 || data > _SIG_MAXSIG) {
732 error = ptrace_single_step(td2);
737 p->p_stops |= S_PT_SCE;
740 p->p_stops |= S_PT_SCX;
743 p->p_stops |= S_PT_SCE | S_PT_SCX;
747 if (addr != (void *)1) {
748 error = ptrace_set_pc(td2, (u_long)(uintfptr_t)addr);
753 if (req == PT_DETACH) {
754 /* reset process parent */
755 if (p->p_oppid != p->p_pptr->p_pid) {
758 PROC_LOCK(p->p_pptr);
759 sigqueue_take(p->p_ksi);
760 PROC_UNLOCK(p->p_pptr);
763 pp = pfind(p->p_oppid);
769 proc_reparent(p, pp);
771 p->p_sigparent = SIGCHLD;
773 p->p_flag &= ~(P_TRACED | P_WAITED);
776 /* should we send SIGCHLD? */
777 /* childproc_continued(p); */
781 if (proctree_locked) {
782 sx_xunlock(&proctree_lock);
785 /* deliver or queue signal */
786 mtx_lock_spin(&sched_lock);
787 td2->td_flags &= ~TDF_XSIG;
788 mtx_unlock_spin(&sched_lock);
792 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) != 0) {
793 mtx_lock_spin(&sched_lock);
794 if (req == PT_DETACH) {
796 FOREACH_THREAD_IN_PROC(p, td3)
797 td3->td_flags &= ~TDF_DBSUSPEND;
800 * unsuspend all threads, to not let a thread run,
801 * you should use PT_SUSPEND to suspend it before
802 * continuing process.
804 mtx_unlock_spin(&sched_lock);
808 p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG|P_WAITED);
809 mtx_lock_spin(&sched_lock);
811 mtx_unlock_spin(&sched_lock);
827 /* write = 0 set above */
828 iov.iov_base = write ? (caddr_t)&data : (caddr_t)&tmp;
829 iov.iov_len = sizeof(int);
832 uio.uio_offset = (off_t)(uintptr_t)addr;
833 uio.uio_resid = sizeof(int);
834 uio.uio_segflg = UIO_SYSSPACE; /* i.e.: the uap */
835 uio.uio_rw = write ? UIO_WRITE : UIO_READ;
837 error = proc_rwmem(p, &uio);
838 if (uio.uio_resid != 0) {
840 * XXX proc_rwmem() doesn't currently return ENOSPC,
841 * so I think write() can bogusly return 0.
842 * XXX what happens for short writes? We don't want
843 * to write partial data.
844 * XXX proc_rwmem() returns EPERM for other invalid
845 * addresses. Convert this to EINVAL. Does this
846 * clobber returns of EPERM for other reasons?
848 if (error == 0 || error == ENOSPC || error == EPERM)
849 error = EINVAL; /* EOF */
852 td->td_retval[0] = tmp;
860 iov.iov_base = (void *)(uintptr_t)piod32->piod_addr;
861 iov.iov_len = piod32->piod_len;
862 uio.uio_offset = (off_t)(uintptr_t)piod32->piod_offs;
863 uio.uio_resid = piod32->piod_len;
868 iov.iov_base = piod->piod_addr;
869 iov.iov_len = piod->piod_len;
870 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs;
871 uio.uio_resid = piod->piod_len;
875 uio.uio_segflg = UIO_USERSPACE;
878 tmp = wrap32 ? piod32->piod_op : piod->piod_op;
885 uio.uio_rw = UIO_READ;
889 uio.uio_rw = UIO_WRITE;
896 error = proc_rwmem(p, &uio);
899 piod32->piod_len -= uio.uio_resid;
902 piod->piod_len -= uio.uio_resid;
908 goto sendsig; /* in PT_CONTINUE above */
911 error = PROC_WRITE(regs, td2, addr);
915 error = PROC_READ(regs, td2, addr);
919 error = PROC_WRITE(fpregs, td2, addr);
923 error = PROC_READ(fpregs, td2, addr);
927 error = PROC_WRITE(dbregs, td2, addr);
931 error = PROC_READ(dbregs, td2, addr);
935 if (data <= 0 || data > sizeof(*pl)) {
940 pl->pl_lwpid = td2->td_tid;
941 if (td2->td_flags & TDF_XSIG)
942 pl->pl_event = PL_EVENT_SIGNAL;
946 if (td2->td_pflags & TDP_SA) {
947 pl->pl_flags = PL_FLAG_SA;
948 if (td2->td_upcall && !TD_CAN_UNBIND(td2))
949 pl->pl_flags |= PL_FLAG_BOUND;
956 pl->pl_sigmask = td2->td_sigmask;
957 pl->pl_siglist = td2->td_siglist;
961 td->td_retval[0] = p->p_numthreads;
969 num = imin(p->p_numthreads, data);
971 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK);
974 mtx_lock_spin(&sched_lock);
975 FOREACH_THREAD_IN_PROC(p, td2) {
978 buf[tmp++] = td2->td_tid;
980 mtx_unlock_spin(&sched_lock);
982 error = copyout(buf, addr, tmp * sizeof(lwpid_t));
985 td->td_retval[0] = tmp;
990 #ifdef __HAVE_PTRACE_MACHDEP
991 if (req >= PT_FIRSTMACH) {
993 error = cpu_ptrace(td2, req, addr, data);
997 /* Unknown request. */
1003 /* Drop our hold on this process now that the request has completed. */
1007 if (proctree_locked)
1008 sx_xunlock(&proctree_lock);
1015 * Stop a process because of a debugging event;
1016 * stay stopped until p->p_step is cleared
1017 * (cleared by PIOCCONT in procfs).
1020 stopevent(struct proc *p, unsigned int event, unsigned int val)
1023 PROC_LOCK_ASSERT(p, MA_OWNED);
1027 p->p_xthread = NULL;
1028 p->p_stype = event; /* Which event caused the stop? */
1029 wakeup(&p->p_stype); /* Wake up any PIOCWAIT'ing procs */
1030 msleep(&p->p_step, &p->p_mtx, PWAIT, "stopevent", 0);
1031 } while (p->p_step);