2 * Copyright (c) 1994, Sean Eric Fagan
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by Sean Eric Fagan.
16 * 4. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
35 #include "opt_compat.h"
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/mutex.h>
41 #include <sys/syscallsubr.h>
42 #include <sys/sysproto.h>
44 #include <sys/vnode.h>
45 #include <sys/ptrace.h>
47 #include <sys/malloc.h>
48 #include <sys/signalvar.h>
50 #include <machine/reg.h>
52 #include <security/audit/audit.h>
56 #include <vm/vm_extern.h>
57 #include <vm/vm_map.h>
58 #include <vm/vm_kern.h>
59 #include <vm/vm_object.h>
60 #include <vm/vm_page.h>
63 #include <sys/procfs.h>
64 #include <machine/fpu.h>
65 #include <compat/ia32/ia32_reg.h>
67 extern struct sysentvec ia32_freebsd_sysvec
;
69 struct ptrace_io_desc32
{
78 * Functions implemented using PROC_ACTION():
80 * proc_read_regs(proc, regs)
81 * Get the current user-visible register set from the process
82 * and copy it into the regs structure (<machine/reg.h>).
83 * The process is stopped at the time read_regs is called.
85 * proc_write_regs(proc, regs)
86 * Update the current register set from the passed in regs
87 * structure. Take care to avoid clobbering special CPU
88 * registers or privileged bits in the PSL.
89 * Depending on the architecture this may have fix-up work to do,
90 * especially if the IAR or PCW are modified.
91 * The process is stopped at the time write_regs is called.
93 * proc_read_fpregs, proc_write_fpregs
94 * deal with the floating point register set, otherwise as above.
96 * proc_read_dbregs, proc_write_dbregs
97 * deal with the processor debug register set, otherwise as above.
100 * Arrange for the process to trap after executing a single instruction.
103 #define PROC_ACTION(action) do { \
106 PROC_LOCK_ASSERT(td->td_proc, MA_OWNED); \
107 if ((td->td_proc->p_flag & P_INMEM) == 0) \
115 proc_read_regs(struct thread
*td
, struct reg
*regs
)
118 PROC_ACTION(fill_regs(td
, regs
));
122 proc_write_regs(struct thread
*td
, struct reg
*regs
)
125 PROC_ACTION(set_regs(td
, regs
));
129 proc_read_dbregs(struct thread
*td
, struct dbreg
*dbregs
)
132 PROC_ACTION(fill_dbregs(td
, dbregs
));
136 proc_write_dbregs(struct thread
*td
, struct dbreg
*dbregs
)
139 PROC_ACTION(set_dbregs(td
, dbregs
));
143 * Ptrace doesn't support fpregs at all, and there are no security holes
144 * or translations for fpregs, so we can just copy them.
147 proc_read_fpregs(struct thread
*td
, struct fpreg
*fpregs
)
150 PROC_ACTION(fill_fpregs(td
, fpregs
));
154 proc_write_fpregs(struct thread
*td
, struct fpreg
*fpregs
)
157 PROC_ACTION(set_fpregs(td
, fpregs
));
161 /* For 32 bit binaries, we need to expose the 32 bit regs layouts. */
163 proc_read_regs32(struct thread
*td
, struct reg32
*regs32
)
166 PROC_ACTION(fill_regs32(td
, regs32
));
170 proc_write_regs32(struct thread
*td
, struct reg32
*regs32
)
173 PROC_ACTION(set_regs32(td
, regs32
));
177 proc_read_dbregs32(struct thread
*td
, struct dbreg32
*dbregs32
)
180 PROC_ACTION(fill_dbregs32(td
, dbregs32
));
184 proc_write_dbregs32(struct thread
*td
, struct dbreg32
*dbregs32
)
187 PROC_ACTION(set_dbregs32(td
, dbregs32
));
191 proc_read_fpregs32(struct thread
*td
, struct fpreg32
*fpregs32
)
194 PROC_ACTION(fill_fpregs32(td
, fpregs32
));
198 proc_write_fpregs32(struct thread
*td
, struct fpreg32
*fpregs32
)
201 PROC_ACTION(set_fpregs32(td
, fpregs32
));
206 proc_sstep(struct thread
*td
)
209 PROC_ACTION(ptrace_single_step(td
));
213 proc_rwmem(struct proc
*p
, struct uio
*uio
)
216 vm_object_t backing_object
, object
= NULL
;
217 vm_offset_t pageno
= 0; /* page number */
219 int error
, fault_flags
, writing
;
222 * Assert that someone has locked this vmspace. (Should be
223 * curthread but we can't assert that.) This keeps the process
224 * from exiting out from under us until this operation completes.
226 KASSERT(p
->p_lock
>= 1, ("%s: process %p (pid %d) not held", __func__
,
232 map
= &p
->p_vmspace
->vm_map
;
234 writing
= uio
->uio_rw
== UIO_WRITE
;
235 reqprot
= writing
? (VM_PROT_WRITE
| VM_PROT_OVERRIDE_WRITE
) :
237 fault_flags
= writing
? VM_FAULT_DIRTY
: VM_FAULT_NORMAL
;
240 * Only map in one page at a time. We don't have to, but it
241 * makes things easier. This way is trivial - right?
246 int page_offset
; /* offset into page */
247 vm_map_entry_t out_entry
;
256 uva
= (vm_offset_t
)uio
->uio_offset
;
259 * Get the page number of this segment.
261 pageno
= trunc_page(uva
);
262 page_offset
= uva
- pageno
;
265 * How many bytes to copy
267 len
= min(PAGE_SIZE
- page_offset
, uio
->uio_resid
);
270 * Fault the page on behalf of the process
272 error
= vm_fault(map
, pageno
, reqprot
, fault_flags
);
279 * Now we need to get the page. out_entry, out_prot, wired,
280 * and single_use aren't used. One would think the vm code
281 * would be a *bit* nicer... We use tmap because
282 * vm_map_lookup() can change the map argument.
285 error
= vm_map_lookup(&tmap
, pageno
, reqprot
, &out_entry
,
286 &object
, &pindex
, &out_prot
, &wired
);
291 VM_OBJECT_LOCK(object
);
292 while ((m
= vm_page_lookup(object
, pindex
)) == NULL
&&
294 (backing_object
= object
->backing_object
) != NULL
) {
296 * Allow fallback to backing objects if we are reading.
298 VM_OBJECT_LOCK(backing_object
);
299 pindex
+= OFF_TO_IDX(object
->backing_object_offset
);
300 VM_OBJECT_UNLOCK(object
);
301 object
= backing_object
;
303 VM_OBJECT_UNLOCK(object
);
305 vm_map_lookup_done(tmap
, out_entry
);
311 * Hold the page in memory.
313 vm_page_lock_queues();
315 vm_page_unlock_queues();
318 * We're done with tmap now.
320 vm_map_lookup_done(tmap
, out_entry
);
323 * Now do the i/o move.
325 error
= uiomove_fromphys(&m
, page_offset
, len
, uio
);
330 vm_page_lock_queues();
332 vm_page_unlock_queues();
334 } while (error
== 0 && uio
->uio_resid
> 0);
340 * Process debugging system call.
342 #ifndef _SYS_SYSPROTO_H_
353 * This CPP subterfuge is to try and reduce the number of ifdefs in
354 * the body of the code.
355 * COPYIN(uap->addr, &r.reg, sizeof r.reg);
357 * copyin(uap->addr, &r.reg, sizeof r.reg);
359 * copyin(uap->addr, &r.reg32, sizeof r.reg32);
360 * .. except this is done at runtime.
362 #define COPYIN(u, k, s) wrap32 ? \
363 copyin(u, k ## 32, s ## 32) : \
365 #define COPYOUT(k, u, s) wrap32 ? \
366 copyout(k ## 32, u, s ## 32) : \
369 #define COPYIN(u, k, s) copyin(u, k, s)
370 #define COPYOUT(k, u, s) copyout(k, u, s)
373 ptrace(struct thread
*td
, struct ptrace_args
*uap
)
376 * XXX this obfuscation is to reduce stack usage, but the register
377 * structs may be too large to put on the stack anyway.
380 struct ptrace_io_desc piod
;
381 struct ptrace_lwpinfo pl
;
386 struct dbreg32 dbreg32
;
387 struct fpreg32 fpreg32
;
389 struct ptrace_io_desc32 piod32
;
397 if (td
->td_proc
->p_sysent
== &ia32_freebsd_sysvec
)
400 AUDIT_ARG(pid
, uap
->pid
);
401 AUDIT_ARG(cmd
, uap
->req
);
402 AUDIT_ARG(addr
, uap
->addr
);
403 AUDIT_ARG(value
, uap
->data
);
412 error
= COPYIN(uap
->addr
, &r
.reg
, sizeof r
.reg
);
415 error
= COPYIN(uap
->addr
, &r
.fpreg
, sizeof r
.fpreg
);
418 error
= COPYIN(uap
->addr
, &r
.dbreg
, sizeof r
.dbreg
);
421 error
= COPYIN(uap
->addr
, &r
.piod
, sizeof r
.piod
);
430 error
= kern_ptrace(td
, uap
->req
, uap
->pid
, addr
, uap
->data
);
436 error
= COPYOUT(&r
.piod
, uap
->addr
, sizeof r
.piod
);
439 error
= COPYOUT(&r
.reg
, uap
->addr
, sizeof r
.reg
);
442 error
= COPYOUT(&r
.fpreg
, uap
->addr
, sizeof r
.fpreg
);
445 error
= COPYOUT(&r
.dbreg
, uap
->addr
, sizeof r
.dbreg
);
448 error
= copyout(&r
.pl
, uap
->addr
, uap
->data
);
459 * PROC_READ(regs, td2, addr);
461 * proc_read_regs(td2, addr);
463 * proc_read_regs32(td2, addr);
464 * .. except this is done at runtime. There is an additional
465 * complication in that PROC_WRITE disallows 32 bit consumers
466 * from writing to 64 bit address space targets.
468 #define PROC_READ(w, t, a) wrap32 ? \
469 proc_read_ ## w ## 32(t, a) : \
470 proc_read_ ## w (t, a)
471 #define PROC_WRITE(w, t, a) wrap32 ? \
472 (safe ? proc_write_ ## w ## 32(t, a) : EINVAL ) : \
473 proc_write_ ## w (t, a)
475 #define PROC_READ(w, t, a) proc_read_ ## w (t, a)
476 #define PROC_WRITE(w, t, a) proc_write_ ## w (t, a)
480 kern_ptrace(struct thread
*td
, int req
, pid_t pid
, void *addr
, int data
)
484 struct proc
*curp
, *p
, *pp
;
485 struct thread
*td2
= NULL
;
486 struct ptrace_io_desc
*piod
= NULL
;
487 struct ptrace_lwpinfo
*pl
;
488 int error
, write
, tmp
, num
;
489 int proctree_locked
= 0;
490 lwpid_t tid
= 0, *buf
;
492 int wrap32
= 0, safe
= 0;
493 struct ptrace_io_desc32
*piod32
= NULL
;
498 /* Lock proctree before locking the process. */
508 sx_xlock(&proctree_lock
);
516 if (req
== PT_TRACE_ME
) {
520 if (pid
<= PID_MAX
) {
521 if ((p
= pfind(pid
)) == NULL
) {
523 sx_xunlock(&proctree_lock
);
527 /* this is slow, should be optimized */
528 sx_slock(&allproc_lock
);
529 FOREACH_PROC_IN_SYSTEM(p
) {
531 FOREACH_THREAD_IN_PROC(p
, td2
) {
532 if (td2
->td_tid
== pid
)
536 break; /* proc lock held */
539 sx_sunlock(&allproc_lock
);
542 sx_xunlock(&proctree_lock
);
549 AUDIT_ARG(process
, p
);
551 if ((p
->p_flag
& P_WEXIT
) != 0) {
555 if ((error
= p_cansee(td
, p
)) != 0)
558 if ((error
= p_candebug(td
, p
)) != 0)
562 * System processes can't be debugged.
564 if ((p
->p_flag
& P_SYSTEM
) != 0) {
570 if ((p
->p_flag
& P_STOPPED_TRACE
) != 0) {
571 KASSERT(p
->p_xthread
!= NULL
, ("NULL p_xthread"));
574 td2
= FIRST_THREAD_IN_PROC(p
);
581 * Test if we're a 32 bit client and what the target is.
582 * Set the wrap controls accordingly.
584 if (td
->td_proc
->p_sysent
== &ia32_freebsd_sysvec
) {
585 if (td2
->td_proc
->p_sysent
== &ia32_freebsd_sysvec
)
600 if (p
->p_pid
== td
->td_proc
->p_pid
) {
606 if (p
->p_flag
& P_TRACED
) {
611 /* Can't trace an ancestor if you're being traced. */
612 if (curp
->p_flag
& P_TRACED
) {
613 for (pp
= curp
->p_pptr
; pp
!= NULL
; pp
= pp
->p_pptr
) {
626 /* Allow thread to clear single step for itself */
627 if (td
->td_tid
== tid
)
632 /* not being traced... */
633 if ((p
->p_flag
& P_TRACED
) == 0) {
638 /* not being traced by YOU */
639 if (p
->p_pptr
!= td
->td_proc
) {
644 /* not currently stopped */
645 if ((p
->p_flag
& (P_STOPPED_SIG
| P_STOPPED_TRACE
)) == 0 ||
646 p
->p_suspcount
!= p
->p_numthreads
||
647 (p
->p_flag
& P_WAITED
) == 0) {
652 if ((p
->p_flag
& P_STOPPED_TRACE
) == 0) {
653 static int count
= 0;
655 printf("P_STOPPED_TRACE not set.\n");
662 /* Keep this process around until we finish this request. */
667 * Single step fixup ala procfs
673 * Actually do the requests
676 td
->td_retval
[0] = 0;
680 /* set my trace flag and "owner" so it can read/write me */
681 p
->p_flag
|= P_TRACED
;
682 p
->p_oppid
= p
->p_pptr
->p_pid
;
686 /* security check done above */
687 p
->p_flag
|= P_TRACED
;
688 p
->p_oppid
= p
->p_pptr
->p_pid
;
689 if (p
->p_pptr
!= td
->td_proc
)
690 proc_reparent(p
, td
->td_proc
);
692 goto sendsig
; /* in PT_CONTINUE below */
695 error
= ptrace_clear_single_step(td2
);
699 error
= ptrace_single_step(td2
);
704 td2
->td_flags
|= TDF_DBSUSPEND
;
710 td2
->td_flags
&= ~TDF_DBSUSPEND
;
720 /* Zero means do not send any signal */
721 if (data
< 0 || data
> _SIG_MAXSIG
) {
728 error
= ptrace_single_step(td2
);
733 p
->p_stops
|= S_PT_SCE
;
736 p
->p_stops
|= S_PT_SCX
;
739 p
->p_stops
|= S_PT_SCE
| S_PT_SCX
;
743 if (addr
!= (void *)1) {
744 error
= ptrace_set_pc(td2
, (u_long
)(uintfptr_t
)addr
);
749 if (req
== PT_DETACH
) {
750 /* reset process parent */
751 if (p
->p_oppid
!= p
->p_pptr
->p_pid
) {
754 PROC_LOCK(p
->p_pptr
);
755 sigqueue_take(p
->p_ksi
);
756 PROC_UNLOCK(p
->p_pptr
);
759 pp
= pfind(p
->p_oppid
);
765 proc_reparent(p
, pp
);
767 p
->p_sigparent
= SIGCHLD
;
769 p
->p_flag
&= ~(P_TRACED
| P_WAITED
);
772 /* should we send SIGCHLD? */
773 /* childproc_continued(p); */
777 if (proctree_locked
) {
778 sx_xunlock(&proctree_lock
);
783 if ((p
->p_flag
& (P_STOPPED_SIG
| P_STOPPED_TRACE
)) != 0) {
784 /* deliver or queue signal */
786 td2
->td_flags
&= ~TDF_XSIG
;
790 if (req
== PT_DETACH
) {
792 FOREACH_THREAD_IN_PROC(p
, td3
) {
794 td3
->td_flags
&= ~TDF_DBSUSPEND
;
799 * unsuspend all threads, to not let a thread run,
800 * you should use PT_SUSPEND to suspend it before
801 * continuing process.
804 p
->p_flag
&= ~(P_STOPPED_TRACE
|P_STOPPED_SIG
|P_WAITED
);
821 /* write = 0 set above */
822 iov
.iov_base
= write
? (caddr_t
)&data
: (caddr_t
)&tmp
;
823 iov
.iov_len
= sizeof(int);
826 uio
.uio_offset
= (off_t
)(uintptr_t)addr
;
827 uio
.uio_resid
= sizeof(int);
828 uio
.uio_segflg
= UIO_SYSSPACE
; /* i.e.: the uap */
829 uio
.uio_rw
= write
? UIO_WRITE
: UIO_READ
;
831 error
= proc_rwmem(p
, &uio
);
832 if (uio
.uio_resid
!= 0) {
834 * XXX proc_rwmem() doesn't currently return ENOSPC,
835 * so I think write() can bogusly return 0.
836 * XXX what happens for short writes? We don't want
837 * to write partial data.
838 * XXX proc_rwmem() returns EPERM for other invalid
839 * addresses. Convert this to EINVAL. Does this
840 * clobber returns of EPERM for other reasons?
842 if (error
== 0 || error
== ENOSPC
|| error
== EPERM
)
843 error
= EINVAL
; /* EOF */
846 td
->td_retval
[0] = tmp
;
854 iov
.iov_base
= (void *)(uintptr_t)piod32
->piod_addr
;
855 iov
.iov_len
= piod32
->piod_len
;
856 uio
.uio_offset
= (off_t
)(uintptr_t)piod32
->piod_offs
;
857 uio
.uio_resid
= piod32
->piod_len
;
862 iov
.iov_base
= piod
->piod_addr
;
863 iov
.iov_len
= piod
->piod_len
;
864 uio
.uio_offset
= (off_t
)(uintptr_t)piod
->piod_offs
;
865 uio
.uio_resid
= piod
->piod_len
;
869 uio
.uio_segflg
= UIO_USERSPACE
;
872 tmp
= wrap32
? piod32
->piod_op
: piod
->piod_op
;
879 uio
.uio_rw
= UIO_READ
;
883 uio
.uio_rw
= UIO_WRITE
;
890 error
= proc_rwmem(p
, &uio
);
893 piod32
->piod_len
-= uio
.uio_resid
;
896 piod
->piod_len
-= uio
.uio_resid
;
902 goto sendsig
; /* in PT_CONTINUE above */
905 error
= PROC_WRITE(regs
, td2
, addr
);
909 error
= PROC_READ(regs
, td2
, addr
);
913 error
= PROC_WRITE(fpregs
, td2
, addr
);
917 error
= PROC_READ(fpregs
, td2
, addr
);
921 error
= PROC_WRITE(dbregs
, td2
, addr
);
925 error
= PROC_READ(dbregs
, td2
, addr
);
929 if (data
<= 0 || data
> sizeof(*pl
)) {
934 pl
->pl_lwpid
= td2
->td_tid
;
935 if (td2
->td_flags
& TDF_XSIG
)
936 pl
->pl_event
= PL_EVENT_SIGNAL
;
940 pl
->pl_sigmask
= td2
->td_sigmask
;
941 pl
->pl_siglist
= td2
->td_siglist
;
945 td
->td_retval
[0] = p
->p_numthreads
;
953 num
= imin(p
->p_numthreads
, data
);
955 buf
= malloc(num
* sizeof(lwpid_t
), M_TEMP
, M_WAITOK
);
958 FOREACH_THREAD_IN_PROC(p
, td2
) {
961 buf
[tmp
++] = td2
->td_tid
;
964 error
= copyout(buf
, addr
, tmp
* sizeof(lwpid_t
));
967 td
->td_retval
[0] = tmp
;
972 #ifdef __HAVE_PTRACE_MACHDEP
973 if (req
>= PT_FIRSTMACH
) {
975 error
= cpu_ptrace(td2
, req
, addr
, data
);
979 /* Unknown request. */
985 /* Drop our hold on this process now that the request has completed. */
990 sx_xunlock(&proctree_lock
);
997 * Stop a process because of a debugging event;
998 * stay stopped until p->p_step is cleared
999 * (cleared by PIOCCONT in procfs).
1002 stopevent(struct proc
*p
, unsigned int event
, unsigned int val
)
1005 PROC_LOCK_ASSERT(p
, MA_OWNED
);
1009 p
->p_xthread
= NULL
;
1010 p
->p_stype
= event
; /* Which event caused the stop? */
1011 wakeup(&p
->p_stype
); /* Wake up any PIOCWAIT'ing procs */
1012 msleep(&p
->p_step
, &p
->p_mtx
, PWAIT
, "stopevent", 0);
1013 } while (p
->p_step
);