2 * Copyright (c) 1994, Sean Eric Fagan
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by Sean Eric Fagan.
16 * 4. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
35 #include "opt_compat.h"
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/mutex.h>
41 #include <sys/syscallsubr.h>
42 #include <sys/sysent.h>
43 #include <sys/sysproto.h>
45 #include <sys/vnode.h>
46 #include <sys/ptrace.h>
48 #include <sys/malloc.h>
49 #include <sys/signalvar.h>
51 #include <machine/reg.h>
53 #include <security/audit/audit.h>
57 #include <vm/vm_extern.h>
58 #include <vm/vm_map.h>
59 #include <vm/vm_kern.h>
60 #include <vm/vm_object.h>
61 #include <vm/vm_page.h>
62 #include <vm/vm_pager.h>
63 #include <vm/vm_param.h>
66 #include <sys/procfs.h>
67 #include <machine/fpu.h>
68 #include <compat/ia32/ia32_reg.h>
70 struct ptrace_io_desc32 {
77 struct ptrace_vm_entry32 {
90 * Functions implemented using PROC_ACTION():
92 * proc_read_regs(proc, regs)
93 * Get the current user-visible register set from the process
94 * and copy it into the regs structure (<machine/reg.h>).
95 * The process is stopped at the time read_regs is called.
97 * proc_write_regs(proc, regs)
98 * Update the current register set from the passed in regs
99 * structure. Take care to avoid clobbering special CPU
100 * registers or privileged bits in the PSL.
101 * Depending on the architecture this may have fix-up work to do,
102 * especially if the IAR or PCW are modified.
103 * The process is stopped at the time write_regs is called.
105 * proc_read_fpregs, proc_write_fpregs
106 * deal with the floating point register set, otherwise as above.
108 * proc_read_dbregs, proc_write_dbregs
109 * deal with the processor debug register set, otherwise as above.
112 * Arrange for the process to trap after executing a single instruction.
115 #define PROC_ACTION(action) do { \
118 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \
119 if ((td->td_proc->p_flag & P_INMEM) == 0) \
127 proc_read_regs(struct thread *td, struct reg *regs)
130 PROC_ACTION(fill_regs(td, regs));
134 proc_write_regs(struct thread *td, struct reg *regs)
137 PROC_ACTION(set_regs(td, regs));
141 proc_read_dbregs(struct thread *td, struct dbreg *dbregs)
144 PROC_ACTION(fill_dbregs(td, dbregs));
148 proc_write_dbregs(struct thread *td, struct dbreg *dbregs)
151 PROC_ACTION(set_dbregs(td, dbregs));
155 * Ptrace doesn't support fpregs at all, and there are no security holes
156 * or translations for fpregs, so we can just copy them.
159 proc_read_fpregs(struct thread *td, struct fpreg *fpregs)
162 PROC_ACTION(fill_fpregs(td, fpregs));
166 proc_write_fpregs(struct thread *td, struct fpreg *fpregs)
169 PROC_ACTION(set_fpregs(td, fpregs));
173 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */
175 proc_read_regs32(struct thread *td, struct reg32 *regs32)
178 PROC_ACTION(fill_regs32(td, regs32));
182 proc_write_regs32(struct thread *td, struct reg32 *regs32)
185 PROC_ACTION(set_regs32(td, regs32));
189 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
192 PROC_ACTION(fill_dbregs32(td, dbregs32));
196 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
199 PROC_ACTION(set_dbregs32(td, dbregs32));
203 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
206 PROC_ACTION(fill_fpregs32(td, fpregs32));
210 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
213 PROC_ACTION(set_fpregs32(td, fpregs32));
218 proc_sstep(struct thread *td)
221 PROC_ACTION(ptrace_single_step(td));
225 proc_rwmem(struct proc *p, struct uio *uio)
228 vm_object_t backing_object, object;
229 vm_offset_t pageno; /* page number */
234 * Assert that someone has locked this vmspace. (Should be
235 * curthread but we can't assert that.) This keeps the process
236 * from exiting out from under us until this operation completes.
238 KASSERT(p->p_lock >= 1, ("%s: process %p (pid %d) not held", __func__,
244 map = &p->p_vmspace->vm_map;
246 writing = uio->uio_rw == UIO_WRITE;
247 reqprot = writing ? VM_PROT_COPY | VM_PROT_READ : VM_PROT_READ;
250 * Only map in one page at a time. We don't have to, but it
251 * makes things easier. This way is trivial - right?
256 int page_offset; /* offset into page */
257 vm_map_entry_t out_entry;
266 uva = (vm_offset_t)uio->uio_offset;
269 * Get the page number of this segment.
271 pageno = trunc_page(uva);
272 page_offset = uva - pageno;
275 * How many bytes to copy
277 len = min(PAGE_SIZE - page_offset, uio->uio_resid);
280 * Fault the page on behalf of the process
282 error = vm_fault(map, pageno, reqprot, VM_FAULT_NORMAL);
284 if (error == KERN_RESOURCE_SHORTAGE)
292 * Now we need to get the page. out_entry and wired
293 * aren't used. One would think the vm code
294 * would be a *bit* nicer... We use tmap because
295 * vm_map_lookup() can change the map argument.
298 error = vm_map_lookup(&tmap, pageno, reqprot, &out_entry,
299 &object, &pindex, &out_prot, &wired);
304 VM_OBJECT_LOCK(object);
305 while ((m = vm_page_lookup(object, pindex)) == NULL &&
307 (backing_object = object->backing_object) != NULL) {
309 * Allow fallback to backing objects if we are reading.
311 VM_OBJECT_LOCK(backing_object);
312 pindex += OFF_TO_IDX(object->backing_object_offset);
313 VM_OBJECT_UNLOCK(object);
314 object = backing_object;
316 if (writing && m != NULL) {
318 vm_pager_page_unswapped(m);
320 VM_OBJECT_UNLOCK(object);
322 vm_map_lookup_done(tmap, out_entry);
328 * Hold the page in memory.
330 vm_page_lock_queues();
332 vm_page_unlock_queues();
335 * We're done with tmap now.
337 vm_map_lookup_done(tmap, out_entry);
340 * Now do the i/o move.
342 error = uiomove_fromphys(&m, page_offset, len, uio);
344 /* Make the I-cache coherent for breakpoints. */
345 if (!error && writing && (out_prot & VM_PROT_EXECUTE))
346 vm_sync_icache(map, uva, len);
351 vm_page_lock_queues();
353 vm_page_unlock_queues();
355 } while (error == 0 && uio->uio_resid > 0);
361 ptrace_vm_entry(struct thread *td, struct proc *p, struct ptrace_vm_entry *pve)
364 vm_map_entry_t entry;
365 vm_object_t obj, tobj, lobj;
367 char *freepath, *fullpath;
369 int error, vfslocked;
371 map = &p->p_vmspace->vm_map;
372 entry = map->header.next;
373 if (pve->pve_cookie != NULL) {
374 while (entry != &map->header && entry != pve->pve_cookie)
376 if (entry != pve->pve_cookie)
380 while (entry != &map->header && (entry->eflags & MAP_ENTRY_IS_SUB_MAP))
382 if (entry == &map->header)
385 /* We got an entry. */
386 pve->pve_cookie = entry;
387 pve->pve_start = entry->start;
388 pve->pve_end = entry->end - 1;
389 pve->pve_offset = entry->offset;
390 pve->pve_prot = entry->protection;
392 /* Backing object's path needed? */
393 if (pve->pve_pathlen == 0)
396 pathlen = pve->pve_pathlen;
397 pve->pve_pathlen = 0;
399 obj = entry->object.vm_object;
404 for (lobj = tobj = obj; tobj; tobj = tobj->backing_object) {
406 VM_OBJECT_LOCK(tobj);
408 VM_OBJECT_UNLOCK(lobj);
410 pve->pve_offset += tobj->backing_object_offset;
413 vp = (lobj->type == OBJT_VNODE) ? lobj->handle : NULL;
417 VM_OBJECT_UNLOCK(lobj);
418 VM_OBJECT_UNLOCK(obj);
427 vn_fullpath(td, vp, &fullpath, &freepath);
428 vfslocked = VFS_LOCK_GIANT(vp->v_mount);
430 VFS_UNLOCK_GIANT(vfslocked);
433 if (fullpath != NULL) {
434 pve->pve_pathlen = strlen(fullpath) + 1;
435 if (pve->pve_pathlen <= pathlen) {
436 error = copyout(fullpath, pve->pve_path,
439 error = ENAMETOOLONG;
441 if (freepath != NULL)
442 free(freepath, M_TEMP);
447 * Process debugging system call.
449 #ifndef _SYS_SYSPROTO_H_
460 * This CPP subterfuge is to try and reduce the number of ifdefs in
461 * the body of the code.
462 * COPYIN(uap->addr, &r.reg, sizeof r.reg);
464 * copyin(uap->addr, &r.reg, sizeof r.reg);
466 * copyin(uap->addr, &r.reg32, sizeof r.reg32);
467 * .. except this is done at runtime.
469 #define COPYIN(u, k, s) wrap32 ? \
470 copyin(u, k ## 32, s ## 32) : \
472 #define COPYOUT(k, u, s) wrap32 ? \
473 copyout(k ## 32, u, s ## 32) : \
476 #define COPYIN(u, k, s) copyin(u, k, s)
477 #define COPYOUT(k, u, s) copyout(k, u, s)
480 ptrace(struct thread *td, struct ptrace_args *uap)
483 * XXX this obfuscation is to reduce stack usage, but the register
484 * structs may be too large to put on the stack anyway.
487 struct ptrace_io_desc piod;
488 struct ptrace_lwpinfo pl;
489 struct ptrace_vm_entry pve;
494 struct dbreg32 dbreg32;
495 struct fpreg32 fpreg32;
497 struct ptrace_io_desc32 piod32;
498 struct ptrace_vm_entry32 pve32;
506 if (SV_CURPROC_FLAG(SV_ILP32))
509 AUDIT_ARG_PID(uap->pid);
510 AUDIT_ARG_CMD(uap->req);
511 AUDIT_ARG_VALUE(uap->data);
520 error = COPYIN(uap->addr, &r.reg, sizeof r.reg);
523 error = COPYIN(uap->addr, &r.fpreg, sizeof r.fpreg);
526 error = COPYIN(uap->addr, &r.dbreg, sizeof r.dbreg);
529 error = COPYIN(uap->addr, &r.piod, sizeof r.piod);
532 error = COPYIN(uap->addr, &r.pve, sizeof r.pve);
541 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data);
547 error = COPYOUT(&r.pve, uap->addr, sizeof r.pve);
550 error = COPYOUT(&r.piod, uap->addr, sizeof r.piod);
553 error = COPYOUT(&r.reg, uap->addr, sizeof r.reg);
556 error = COPYOUT(&r.fpreg, uap->addr, sizeof r.fpreg);
559 error = COPYOUT(&r.dbreg, uap->addr, sizeof r.dbreg);
562 error = copyout(&r.pl, uap->addr, uap->data);
573 * PROC_READ(regs, td2, addr);
575 * proc_read_regs(td2, addr);
577 * proc_read_regs32(td2, addr);
578 * .. except this is done at runtime. There is an additional
579 * complication in that PROC_WRITE disallows 32 bit consumers
580 * from writing to 64 bit address space targets.
582 #define PROC_READ(w, t, a) wrap32 ? \
583 proc_read_ ## w ## 32(t, a) : \
584 proc_read_ ## w (t, a)
585 #define PROC_WRITE(w, t, a) wrap32 ? \
586 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \
587 proc_write_ ## w (t, a)
589 #define PROC_READ(w, t, a) proc_read_ ## w (t, a)
590 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a)
594 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
598 struct proc *curp, *p, *pp;
599 struct thread *td2 = NULL;
600 struct ptrace_io_desc *piod = NULL;
601 struct ptrace_lwpinfo *pl;
602 int error, write, tmp, num;
603 int proctree_locked = 0;
604 lwpid_t tid = 0, *buf;
606 int wrap32 = 0, safe = 0;
607 struct ptrace_io_desc32 *piod32 = NULL;
612 /* Lock proctree before locking the process. */
622 sx_xlock(&proctree_lock);
630 if (req == PT_TRACE_ME) {
634 if (pid <= PID_MAX) {
635 if ((p = pfind(pid)) == NULL) {
637 sx_xunlock(&proctree_lock);
641 /* this is slow, should be optimized */
642 sx_slock(&allproc_lock);
643 FOREACH_PROC_IN_SYSTEM(p) {
645 FOREACH_THREAD_IN_PROC(p, td2) {
646 if (td2->td_tid == pid)
650 break; /* proc lock held */
653 sx_sunlock(&allproc_lock);
656 sx_xunlock(&proctree_lock);
663 AUDIT_ARG_PROCESS(p);
665 if ((p->p_flag & P_WEXIT) != 0) {
669 if ((error = p_cansee(td, p)) != 0)
672 if ((error = p_candebug(td, p)) != 0)
676 * System processes can't be debugged.
678 if ((p->p_flag & P_SYSTEM) != 0) {
684 if ((p->p_flag & P_STOPPED_TRACE) != 0) {
685 KASSERT(p->p_xthread != NULL, ("NULL p_xthread"));
688 td2 = FIRST_THREAD_IN_PROC(p);
695 * Test if we're a 32 bit client and what the target is.
696 * Set the wrap controls accordingly.
698 if (SV_CURPROC_FLAG(SV_ILP32)) {
699 if (td2->td_proc->p_sysent->sv_flags & SV_ILP32)
714 if (p->p_pid == td->td_proc->p_pid) {
720 if (p->p_flag & P_TRACED) {
725 /* Can't trace an ancestor if you're being traced. */
726 if (curp->p_flag & P_TRACED) {
727 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) {
740 /* Allow thread to clear single step for itself */
741 if (td->td_tid == tid)
746 /* not being traced... */
747 if ((p->p_flag & P_TRACED) == 0) {
752 /* not being traced by YOU */
753 if (p->p_pptr != td->td_proc) {
758 /* not currently stopped */
759 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) == 0 ||
760 p->p_suspcount != p->p_numthreads ||
761 (p->p_flag & P_WAITED) == 0) {
766 if ((p->p_flag & P_STOPPED_TRACE) == 0) {
767 static int count = 0;
769 printf("P_STOPPED_TRACE not set.\n");
776 /* Keep this process around until we finish this request. */
781 * Single step fixup ala procfs
787 * Actually do the requests
790 td->td_retval[0] = 0;
794 /* set my trace flag and "owner" so it can read/write me */
795 p->p_flag |= P_TRACED;
796 p->p_oppid = p->p_pptr->p_pid;
800 /* security check done above */
801 p->p_flag |= P_TRACED;
802 p->p_oppid = p->p_pptr->p_pid;
803 if (p->p_pptr != td->td_proc)
804 proc_reparent(p, td->td_proc);
806 goto sendsig; /* in PT_CONTINUE below */
809 error = ptrace_clear_single_step(td2);
813 error = ptrace_single_step(td2);
817 td2->td_dbgflags |= TDB_SUSPEND;
819 td2->td_flags |= TDF_NEEDSUSPCHK;
824 td2->td_dbgflags &= ~TDB_SUSPEND;
833 /* Zero means do not send any signal */
834 if (data < 0 || data > _SIG_MAXSIG) {
841 error = ptrace_single_step(td2);
846 p->p_stops |= S_PT_SCE;
849 p->p_stops |= S_PT_SCX;
852 p->p_stops |= S_PT_SCE | S_PT_SCX;
856 if (addr != (void *)1) {
857 error = ptrace_set_pc(td2, (u_long)(uintfptr_t)addr);
862 if (req == PT_DETACH) {
863 /* reset process parent */
864 if (p->p_oppid != p->p_pptr->p_pid) {
867 PROC_LOCK(p->p_pptr);
868 sigqueue_take(p->p_ksi);
869 PROC_UNLOCK(p->p_pptr);
872 pp = pfind(p->p_oppid);
878 proc_reparent(p, pp);
880 p->p_sigparent = SIGCHLD;
882 p->p_flag &= ~(P_TRACED | P_WAITED);
885 /* should we send SIGCHLD? */
886 /* childproc_continued(p); */
890 if (proctree_locked) {
891 sx_xunlock(&proctree_lock);
896 if ((p->p_flag & (P_STOPPED_SIG | P_STOPPED_TRACE)) != 0) {
897 /* deliver or queue signal */
898 td2->td_dbgflags &= ~TDB_XSIG;
901 if (req == PT_DETACH) {
903 FOREACH_THREAD_IN_PROC(p, td3) {
904 td3->td_dbgflags &= ~TDB_SUSPEND;
908 * unsuspend all threads, to not let a thread run,
909 * you should use PT_SUSPEND to suspend it before
910 * continuing process.
913 p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG|P_WAITED);
924 td2->td_dbgflags |= TDB_USERWR;
931 /* write = 0 set above */
932 iov.iov_base = write ? (caddr_t)&data : (caddr_t)&tmp;
933 iov.iov_len = sizeof(int);
936 uio.uio_offset = (off_t)(uintptr_t)addr;
937 uio.uio_resid = sizeof(int);
938 uio.uio_segflg = UIO_SYSSPACE; /* i.e.: the uap */
939 uio.uio_rw = write ? UIO_WRITE : UIO_READ;
941 error = proc_rwmem(p, &uio);
942 if (uio.uio_resid != 0) {
944 * XXX proc_rwmem() doesn't currently return ENOSPC,
945 * so I think write() can bogusly return 0.
946 * XXX what happens for short writes? We don't want
947 * to write partial data.
948 * XXX proc_rwmem() returns EPERM for other invalid
949 * addresses. Convert this to EINVAL. Does this
950 * clobber returns of EPERM for other reasons?
952 if (error == 0 || error == ENOSPC || error == EPERM)
953 error = EINVAL; /* EOF */
956 td->td_retval[0] = tmp;
964 iov.iov_base = (void *)(uintptr_t)piod32->piod_addr;
965 iov.iov_len = piod32->piod_len;
966 uio.uio_offset = (off_t)(uintptr_t)piod32->piod_offs;
967 uio.uio_resid = piod32->piod_len;
972 iov.iov_base = piod->piod_addr;
973 iov.iov_len = piod->piod_len;
974 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs;
975 uio.uio_resid = piod->piod_len;
979 uio.uio_segflg = UIO_USERSPACE;
982 tmp = wrap32 ? piod32->piod_op : piod->piod_op;
989 uio.uio_rw = UIO_READ;
993 td2->td_dbgflags |= TDB_USERWR;
994 uio.uio_rw = UIO_WRITE;
1001 error = proc_rwmem(p, &uio);
1004 piod32->piod_len -= uio.uio_resid;
1007 piod->piod_len -= uio.uio_resid;
1013 goto sendsig; /* in PT_CONTINUE above */
1016 td2->td_dbgflags |= TDB_USERWR;
1017 error = PROC_WRITE(regs, td2, addr);
1021 error = PROC_READ(regs, td2, addr);
1025 td2->td_dbgflags |= TDB_USERWR;
1026 error = PROC_WRITE(fpregs, td2, addr);
1030 error = PROC_READ(fpregs, td2, addr);
1034 td2->td_dbgflags |= TDB_USERWR;
1035 error = PROC_WRITE(dbregs, td2, addr);
1039 error = PROC_READ(dbregs, td2, addr);
1043 if (data <= 0 || data > sizeof(*pl)) {
1048 pl->pl_lwpid = td2->td_tid;
1049 if (td2->td_dbgflags & TDB_XSIG)
1050 pl->pl_event = PL_EVENT_SIGNAL;
1054 pl->pl_sigmask = td2->td_sigmask;
1055 pl->pl_siglist = td2->td_siglist;
1059 td->td_retval[0] = p->p_numthreads;
1067 num = imin(p->p_numthreads, data);
1069 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK);
1072 FOREACH_THREAD_IN_PROC(p, td2) {
1075 buf[tmp++] = td2->td_tid;
1078 error = copyout(buf, addr, tmp * sizeof(lwpid_t));
1081 td->td_retval[0] = tmp;
1085 case PT_VM_TIMESTAMP:
1086 td->td_retval[0] = p->p_vmspace->vm_map.timestamp;
1091 /* XXX to be implemented. */
1098 error = ptrace_vm_entry(td, p, addr);
1103 #ifdef __HAVE_PTRACE_MACHDEP
1104 if (req >= PT_FIRSTMACH) {
1106 error = cpu_ptrace(td2, req, addr, data);
1110 /* Unknown request. */
1116 /* Drop our hold on this process now that the request has completed. */
1120 if (proctree_locked)
1121 sx_xunlock(&proctree_lock);
1128 * Stop a process because of a debugging event;
1129 * stay stopped until p->p_step is cleared
1130 * (cleared by PIOCCONT in procfs).
1133 stopevent(struct proc *p, unsigned int event, unsigned int val)
1136 PROC_LOCK_ASSERT(p, MA_OWNED);
1140 p->p_xthread = NULL;
1141 p->p_stype = event; /* Which event caused the stop? */
1142 wakeup(&p->p_stype); /* Wake up any PIOCWAIT'ing procs */
1143 msleep(&p->p_step, &p->p_mtx, PWAIT, "stopevent", 0);
1144 } while (p->p_step);