2 * Copyright (c) 1994, Sean Eric Fagan
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by Sean Eric Fagan.
16 * 4. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
35 #include "opt_compat.h"
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/mutex.h>
41 #include <sys/syscallsubr.h>
42 #include <sys/sysproto.h>
44 #include <sys/vnode.h>
45 #include <sys/ptrace.h>
47 #include <sys/malloc.h>
48 #include <sys/signalvar.h>
50 #include <machine/reg.h>
54 #include <vm/vm_extern.h>
55 #include <vm/vm_map.h>
56 #include <vm/vm_kern.h>
57 #include <vm/vm_object.h>
58 #include <vm/vm_page.h>
61 #include <sys/procfs.h>
62 #include <machine/fpu.h>
63 #include <compat/ia32/ia32_reg.h>
65 extern struct sysentvec ia32_freebsd_sysvec;
67 struct ptrace_io_desc32 {
76 * Functions implemented using PROC_ACTION():
78 * proc_read_regs(proc, regs)
79 * Get the current user-visible register set from the process
80 * and copy it into the regs structure (<machine/reg.h>).
81 * The process is stopped at the time read_regs is called.
83 * proc_write_regs(proc, regs)
84 * Update the current register set from the passed in regs
85 * structure. Take care to avoid clobbering special CPU
86 * registers or privileged bits in the PSL.
87 * Depending on the architecture this may have fix-up work to do,
88 * especially if the IAR or PCW are modified.
89 * The process is stopped at the time write_regs is called.
91 * proc_read_fpregs, proc_write_fpregs
92 * deal with the floating point register set, otherwise as above.
94 * proc_read_dbregs, proc_write_dbregs
95 * deal with the processor debug register set, otherwise as above.
98 * Arrange for the process to trap after executing a single instruction.
101 #define PROC_ACTION(action) do { \
104 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \
105 if ((td->td_proc->p_sflag & PS_INMEM) == 0) \
113 proc_read_regs(struct thread *td, struct reg *regs)
116 PROC_ACTION(fill_regs(td, regs));
120 proc_write_regs(struct thread *td, struct reg *regs)
123 PROC_ACTION(set_regs(td, regs));
127 proc_read_dbregs(struct thread *td, struct dbreg *dbregs)
130 PROC_ACTION(fill_dbregs(td, dbregs));
134 proc_write_dbregs(struct thread *td, struct dbreg *dbregs)
137 PROC_ACTION(set_dbregs(td, dbregs));
141 * Ptrace doesn't support fpregs at all, and there are no security holes
142 * or translations for fpregs, so we can just copy them.
145 proc_read_fpregs(struct thread *td, struct fpreg *fpregs)
148 PROC_ACTION(fill_fpregs(td, fpregs));
152 proc_write_fpregs(struct thread *td, struct fpreg *fpregs)
155 PROC_ACTION(set_fpregs(td, fpregs));
159 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */
161 proc_read_regs32(struct thread *td, struct reg32 *regs32)
164 PROC_ACTION(fill_regs32(td, regs32));
168 proc_write_regs32(struct thread *td, struct reg32 *regs32)
171 PROC_ACTION(set_regs32(td, regs32));
175 proc_read_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
178 PROC_ACTION(fill_dbregs32(td, dbregs32));
182 proc_write_dbregs32(struct thread *td, struct dbreg32 *dbregs32)
185 PROC_ACTION(set_dbregs32(td, dbregs32));
189 proc_read_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
192 PROC_ACTION(fill_fpregs32(td, fpregs32));
196 proc_write_fpregs32(struct thread *td, struct fpreg32 *fpregs32)
199 PROC_ACTION(set_fpregs32(td, fpregs32));
204 proc_sstep(struct thread *td)
207 PROC_ACTION(ptrace_single_step(td));
211 proc_rwmem(struct proc *p, struct uio *uio)
215 vm_object_t backing_object, object = NULL;
216 vm_offset_t pageno = 0; /* page number */
218 int error, refcnt, writing;
221 * if the vmspace is in the midst of being deallocated or the
222 * process is exiting, don't try to grab anything. The page table
223 * usage in that process can be messed up.
226 if ((p->p_flag & P_WEXIT))
229 if ((refcnt = vm->vm_refcnt) < 1)
231 } while (!atomic_cmpset_int(&vm->vm_refcnt, refcnt, refcnt + 1));
238 writing = uio->uio_rw == UIO_WRITE;
239 reqprot = writing ? (VM_PROT_WRITE | VM_PROT_OVERRIDE_WRITE) :
243 * Only map in one page at a time. We don't have to, but it
244 * makes things easier. This way is trivial - right?
249 int page_offset; /* offset into page */
250 vm_map_entry_t out_entry;
259 uva = (vm_offset_t)uio->uio_offset;
262 * Get the page number of this segment.
264 pageno = trunc_page(uva);
265 page_offset = uva - pageno;
268 * How many bytes to copy
270 len = min(PAGE_SIZE - page_offset, uio->uio_resid);
273 * Fault the page on behalf of the process
275 error = vm_fault(map, pageno, reqprot, VM_FAULT_NORMAL);
282 * Now we need to get the page. out_entry, out_prot, wired,
283 * and single_use aren't used. One would think the vm code
284 * would be a *bit* nicer... We use tmap because
285 * vm_map_lookup() can change the map argument.
288 error = vm_map_lookup(&tmap, pageno, reqprot, &out_entry,
289 &object, &pindex, &out_prot, &wired);
294 VM_OBJECT_LOCK(object);
295 while ((m = vm_page_lookup(object, pindex)) == NULL &&
297 (backing_object = object->backing_object) != NULL) {
299 * Allow fallback to backing objects if we are reading.
301 VM_OBJECT_LOCK(backing_object);
302 pindex += OFF_TO_IDX(object->backing_object_offset);
303 VM_OBJECT_UNLOCK(object);
304 object = backing_object;
306 VM_OBJECT_UNLOCK(object);
308 vm_map_lookup_done(tmap, out_entry);
314 * Hold the page in memory.
316 vm_page_lock_queues();
318 vm_page_unlock_queues();
321 * We're done with tmap now.
323 vm_map_lookup_done(tmap, out_entry);
326 * Now do the i/o move.
328 error = uiomove_fromphys(&m, page_offset, len, uio);
333 vm_page_lock_queues();
335 vm_page_unlock_queues();
337 } while (error == 0 && uio->uio_resid > 0);
344 * Process debugging system call.
346 #ifndef _SYS_SYSPROTO_H_
357 * This CPP subterfuge is to try and reduce the number of ifdefs in
358 * the body of the code.
359 * COPYIN(uap->addr, &r.reg, sizeof r.reg);
361 * copyin(uap->addr, &r.reg, sizeof r.reg);
363 * copyin(uap->addr, &r.reg32, sizeof r.reg32);
364 * .. except this is done at runtime.
366 #define COPYIN(u, k, s) wrap32 ? \
367 copyin(u, k ## 32, s ## 32) : \
369 #define COPYOUT(k, u, s) wrap32 ? \
370 copyout(k ## 32, u, s ## 32) : \
373 #define COPYIN(u, k, s) copyin(u, k, s)
374 #define COPYOUT(k, u, s) copyout(k, u, s)
380 ptrace(struct thread *td, struct ptrace_args *uap)
383 * XXX this obfuscation is to reduce stack usage, but the register
384 * structs may be too large to put on the stack anyway.
387 struct ptrace_io_desc piod;
388 struct ptrace_lwpinfo pl;
393 struct dbreg32 dbreg32;
394 struct fpreg32 fpreg32;
396 struct ptrace_io_desc32 piod32;
404 if (td->td_proc->p_sysent == &ia32_freebsd_sysvec)
415 error = COPYIN(uap->addr, &r.reg, sizeof r.reg);
418 error = COPYIN(uap->addr, &r.fpreg, sizeof r.fpreg);
421 error = COPYIN(uap->addr, &r.dbreg, sizeof r.dbreg);
424 error = COPYIN(uap->addr, &r.piod, sizeof r.piod);
433 error = kern_ptrace(td, uap->req, uap->pid, addr, uap->data);
439 error = COPYOUT(&r.piod, uap->addr, sizeof r.piod);
442 error = COPYOUT(&r.reg, uap->addr, sizeof r.reg);
445 error = COPYOUT(&r.fpreg, uap->addr, sizeof r.fpreg);
448 error = COPYOUT(&r.dbreg, uap->addr, sizeof r.dbreg);
451 error = copyout(&r.pl, uap->addr, uap->data);
462 * PROC_READ(regs, td2, addr);
464 * proc_read_regs(td2, addr);
466 * proc_read_regs32(td2, addr);
467 * .. except this is done at runtime. There is an additional
468 * complication in that PROC_WRITE disallows 32 bit consumers
469 * from writing to 64 bit address space targets.
471 #define PROC_READ(w, t, a) wrap32 ? \
472 proc_read_ ## w ## 32(t, a) : \
473 proc_read_ ## w (t, a)
474 #define PROC_WRITE(w, t, a) wrap32 ? \
475 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \
476 proc_write_ ## w (t, a)
478 #define PROC_READ(w, t, a) proc_read_ ## w (t, a)
479 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a)
483 kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
487 struct proc *curp, *p, *pp;
488 struct thread *td2 = NULL;
489 struct ptrace_io_desc *piod = NULL;
490 struct ptrace_lwpinfo *pl;
491 int error, write, tmp, num;
492 int proctree_locked = 0;
493 lwpid_t tid = 0, *buf;
494 pid_t saved_pid = pid;
496 int wrap32 = 0, safe = 0;
497 struct ptrace_io_desc32 *piod32 = NULL;
502 /* Lock proctree before locking the process. */
512 sx_xlock(&proctree_lock);
520 if (req == PT_TRACE_ME) {
524 if (pid <= PID_MAX) {
525 if ((p = pfind(pid)) == NULL) {
527 sx_xunlock(&proctree_lock);
531 /* this is slow, should be optimized */
532 sx_slock(&allproc_lock);
533 FOREACH_PROC_IN_SYSTEM(p) {
535 mtx_lock_spin(&sched_lock);
536 FOREACH_THREAD_IN_PROC(p, td2) {
537 if (td2->td_tid == pid)
540 mtx_unlock_spin(&sched_lock);
542 break; /* proc lock held */
545 sx_sunlock(&allproc_lock);
548 sx_xunlock(&proctree_lock);
555 if ((error = p_cansee(td, p)) != 0)
558 if ((error = p_candebug(td, p)) != 0)
562 * System processes can't be debugged.
564 if ((p->p_flag & P_SYSTEM) != 0) {
570 td2 = FIRST_THREAD_IN_PROC(p);
576 * Test if we're a 32 bit client and what the target is.
577 * Set the wrap controls accordingly.
579 if (td->td_proc->p_sysent == &ia32_freebsd_sysvec) {
580 if (td2->td_proc->p_sysent == &ia32_freebsd_sysvec)
595 if (p->p_pid == td->td_proc->p_pid) {
601 if (p->p_flag & P_TRACED) {
606 /* Can't trace an ancestor if you're being traced. */
607 if (curp->p_flag & P_TRACED) {
608 for (pp = curp->p_pptr; pp != NULL; pp = pp->p_pptr) {
621 /* Allow thread to clear single step for itself */
622 if (td->td_tid == tid)
627 /* not being traced... */
628 if ((p->p_flag & P_TRACED) == 0) {
633 /* not being traced by YOU */
634 if (p->p_pptr != td->td_proc) {
639 /* not currently stopped */
640 if (!P_SHOULDSTOP(p) || p->p_suspcount != p->p_numthreads ||
641 (p->p_flag & P_WAITED) == 0) {
652 * Single step fixup ala procfs
654 FIX_SSTEP(td2); /* XXXKSE */
658 * Actually do the requests
661 td->td_retval[0] = 0;
665 /* set my trace flag and "owner" so it can read/write me */
666 p->p_flag |= P_TRACED;
667 p->p_oppid = p->p_pptr->p_pid;
669 sx_xunlock(&proctree_lock);
673 /* security check done above */
674 p->p_flag |= P_TRACED;
675 p->p_oppid = p->p_pptr->p_pid;
676 if (p->p_pptr != td->td_proc)
677 proc_reparent(p, td->td_proc);
679 goto sendsig; /* in PT_CONTINUE below */
683 error = ptrace_clear_single_step(td2);
692 error = ptrace_single_step(td2);
701 mtx_lock_spin(&sched_lock);
702 td2->td_flags |= TDF_DBSUSPEND;
703 mtx_unlock_spin(&sched_lock);
710 mtx_lock_spin(&sched_lock);
711 td2->td_flags &= ~TDF_DBSUSPEND;
712 mtx_unlock_spin(&sched_lock);
723 /* Zero means do not send any signal */
724 if (data < 0 || data > _SIG_MAXSIG) {
734 error = ptrace_single_step(td2);
742 p->p_stops |= S_PT_SCE;
745 p->p_stops |= S_PT_SCX;
748 p->p_stops |= S_PT_SCE | S_PT_SCX;
752 if (addr != (void *)1) {
754 error = ptrace_set_pc(td2, (u_long)(uintfptr_t)addr);
763 if (req == PT_DETACH) {
764 /* reset process parent */
765 if (p->p_oppid != p->p_pptr->p_pid) {
769 pp = pfind(p->p_oppid);
775 proc_reparent(p, pp);
777 p->p_sigparent = SIGCHLD;
779 p->p_flag &= ~(P_TRACED | P_WAITED);
782 /* should we send SIGCHLD? */
787 sx_xunlock(&proctree_lock);
788 /* deliver or queue signal */
789 if (P_SHOULDSTOP(p)) {
791 p->p_flag &= ~(P_STOPPED_TRACE|P_STOPPED_SIG);
792 mtx_lock_spin(&sched_lock);
793 if (saved_pid <= PID_MAX) {
794 p->p_xthread->td_flags &= ~TDF_XSIG;
795 p->p_xthread->td_xsig = data;
797 td2->td_flags &= ~TDF_XSIG;
801 if (req == PT_DETACH) {
803 FOREACH_THREAD_IN_PROC(p, td3)
804 td3->td_flags &= ~TDF_DBSUSPEND;
807 * unsuspend all threads, to not let a thread run,
808 * you should use PT_SUSPEND to suspend it before
809 * continuing process.
813 mtx_unlock_spin(&sched_lock);
829 /* write = 0 set above */
830 iov.iov_base = write ? (caddr_t)&data : (caddr_t)&tmp;
831 iov.iov_len = sizeof(int);
834 uio.uio_offset = (off_t)(uintptr_t)addr;
835 uio.uio_resid = sizeof(int);
836 uio.uio_segflg = UIO_SYSSPACE; /* i.e.: the uap */
837 uio.uio_rw = write ? UIO_WRITE : UIO_READ;
839 error = proc_rwmem(p, &uio);
840 if (uio.uio_resid != 0) {
842 * XXX proc_rwmem() doesn't currently return ENOSPC,
843 * so I think write() can bogusly return 0.
844 * XXX what happens for short writes? We don't want
845 * to write partial data.
846 * XXX proc_rwmem() returns EPERM for other invalid
847 * addresses. Convert this to EINVAL. Does this
848 * clobber returns of EPERM for other reasons?
850 if (error == 0 || error == ENOSPC || error == EPERM)
851 error = EINVAL; /* EOF */
854 td->td_retval[0] = tmp;
862 iov.iov_base = (void *)(uintptr_t)piod32->piod_addr;
863 iov.iov_len = piod32->piod_len;
864 uio.uio_offset = (off_t)(uintptr_t)piod32->piod_offs;
865 uio.uio_resid = piod32->piod_len;
870 iov.iov_base = piod->piod_addr;
871 iov.iov_len = piod->piod_len;
872 uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs;
873 uio.uio_resid = piod->piod_len;
877 uio.uio_segflg = UIO_USERSPACE;
880 tmp = wrap32 ? piod32->piod_op : piod->piod_op;
887 uio.uio_rw = UIO_READ;
891 uio.uio_rw = UIO_WRITE;
896 error = proc_rwmem(p, &uio);
899 piod32->piod_len -= uio.uio_resid;
902 piod->piod_len -= uio.uio_resid;
907 goto sendsig; /* in PT_CONTINUE above */
911 error = PROC_WRITE(regs, td2, addr);
918 error = PROC_READ(regs, td2, addr);
925 error = PROC_WRITE(fpregs, td2, addr);
932 error = PROC_READ(fpregs, td2, addr);
939 error = PROC_WRITE(dbregs, td2, addr);
946 error = PROC_READ(dbregs, td2, addr);
952 if (data == 0 || data > sizeof(*pl))
956 if (saved_pid <= PID_MAX) {
957 pl->pl_lwpid = p->p_xthread->td_tid;
958 pl->pl_event = PL_EVENT_SIGNAL;
960 pl->pl_lwpid = td2->td_tid;
961 if (td2->td_flags & TDF_XSIG)
962 pl->pl_event = PL_EVENT_SIGNAL;
966 if (td2->td_pflags & TDP_SA) {
967 pl->pl_flags = PL_FLAG_SA;
968 if (td2->td_upcall && !TD_CAN_UNBIND(td2))
969 pl->pl_flags |= PL_FLAG_BOUND;
978 td->td_retval[0] = p->p_numthreads;
987 num = imin(p->p_numthreads, data);
989 buf = malloc(num * sizeof(lwpid_t), M_TEMP, M_WAITOK);
992 mtx_lock_spin(&sched_lock);
993 FOREACH_THREAD_IN_PROC(p, td2) {
996 buf[tmp++] = td2->td_tid;
998 mtx_unlock_spin(&sched_lock);
1000 error = copyout(buf, addr, tmp * sizeof(lwpid_t));
1003 td->td_retval[0] = num;
1007 #ifdef __HAVE_PTRACE_MACHDEP
1008 if (req >= PT_FIRSTMACH) {
1011 error = cpu_ptrace(td2, req, addr, data);
1019 /* Unknown request. */
1025 if (proctree_locked)
1026 sx_xunlock(&proctree_lock);
1033 * Stop a process because of a debugging event;
1034 * stay stopped until p->p_step is cleared
1035 * (cleared by PIOCCONT in procfs).
1038 stopevent(struct proc *p, unsigned int event, unsigned int val)
1041 PROC_LOCK_ASSERT(p, MA_OWNED);
1045 p->p_xthread = NULL;
1046 p->p_stype = event; /* Which event caused the stop? */
1047 wakeup(&p->p_stype); /* Wake up any PIOCWAIT'ing procs */
1048 msleep(&p->p_step, &p->p_mtx, PWAIT, "stopevent", 0);
1049 } while (p->p_step);