1 /* $OpenBSD: sys_process.c,v 1.105 2024/12/15 18:25:12 mvs Exp $ */
2 /* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */
3
4 /*-
5 * Copyright (c) 1994 Christopher G. Demetriou. All rights reserved.
6 * Copyright (c) 1982, 1986, 1989, 1993
7 * The Regents of the University of California. All rights reserved.
8 * (c) UNIX System Laboratories, Inc.
9 * All or some portions of this file are derived from material licensed
10 * to the University of California by American Telephone and Telegraph
11 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
12 * the permission of UNIX System Laboratories, Inc.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 * 3. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 *
38 * from: @(#)sys_process.c 8.1 (Berkeley) 6/10/93
39 */
40
41 /*
42 * References:
43 * (1) Bach's "The Design of the UNIX Operating System",
44 * (2) sys/miscfs/procfs from UCB's 4.4BSD-Lite distribution,
45 * (3) the "4.4BSD Programmer's Reference Manual" published
46 * by USENIX and O'Reilly & Associates.
47 * The 4.4BSD PRM does a reasonably good job of documenting what the various
48 * ptrace() requests should actually do, and its text is quoted several times
49 * in this file.
50 */
51
52 #include <sys/param.h>
53 #include <sys/systm.h>
54 #include <sys/exec.h>
55 #include <sys/proc.h>
56 #include <sys/signalvar.h>
57 #include <sys/errno.h>
58 #include <sys/malloc.h>
59 #include <sys/ptrace.h>
60 #include <sys/uio.h>
61 #include <sys/sched.h>
62 #include <sys/exec_elf.h>
63
64 #include <sys/mount.h>
65 #include <sys/syscallargs.h>
66
67 #include <uvm/uvm_extern.h>
68
69 #include <machine/reg.h>
70
71 #ifdef PTRACE
72
73 /*
74 * Locks used to protect data:
75 * a atomic
76 */
77
78 static inline int process_checktracestate(struct process *_curpr,
79 struct process *_tr, struct proc *_t);
80 static inline struct process *process_tprfind(pid_t _tpid, struct proc **_tp);
81
82 int ptrace_ctrl(struct proc *, int, pid_t, caddr_t, int);
83 int ptrace_ustate(struct proc *, int, pid_t, void *, int, register_t *);
84 int ptrace_kstate(struct proc *, int, pid_t, void *);
85
86 int global_ptrace; /* [a] permit tracing of not children */
87
88
89 /*
90 * Process debugging system call.
91 */
92 int
sys_ptrace(struct proc * p,void * v,register_t * retval)93 sys_ptrace(struct proc *p, void *v, register_t *retval)
94 {
95 struct sys_ptrace_args /* {
96 syscallarg(int) req;
97 syscallarg(pid_t) pid;
98 syscallarg(caddr_t) addr;
99 syscallarg(int) data;
100 } */ *uap = v;
101 int req = SCARG(uap, req);
102 pid_t pid = SCARG(uap, pid);
103 caddr_t uaddr = SCARG(uap, addr); /* userspace */
104 void *kaddr = NULL; /* kernelspace */
105 int data = SCARG(uap, data);
106 union {
107 struct ptrace_thread_state u_pts;
108 struct ptrace_io_desc u_piod;
109 struct ptrace_event u_pe;
110 struct ptrace_state u_ps;
111 register_t u_wcookie;
112 register_t u_pacmask[2];
113 } u;
114 int size = 0;
115 enum { NONE, IN, IN_ALLOC, OUT, OUT_ALLOC, IN_OUT } mode;
116 int kstate = 0;
117 int error;
118
119 *retval = 0;
120
121 /* Figure out what sort of copyin/out operations we'll do */
122 switch (req) {
123 case PT_TRACE_ME:
124 case PT_CONTINUE:
125 case PT_KILL:
126 case PT_ATTACH:
127 case PT_DETACH:
128 #ifdef PT_STEP
129 case PT_STEP:
130 #endif
131 /* control operations do no copyin/out; dispatch directly */
132 return ptrace_ctrl(p, req, pid, uaddr, data);
133
134 case PT_READ_I:
135 case PT_READ_D:
136 case PT_WRITE_I:
137 case PT_WRITE_D:
138 mode = NONE;
139 break;
140 case PT_IO:
141 mode = IN_OUT;
142 size = sizeof u.u_piod;
143 data = size; /* suppress the data == size check */
144 break;
145 case PT_GET_THREAD_FIRST:
146 mode = OUT;
147 size = sizeof u.u_pts;
148 kstate = 1;
149 break;
150 case PT_GET_THREAD_NEXT:
151 mode = IN_OUT;
152 size = sizeof u.u_pts;
153 kstate = 1;
154 break;
155 case PT_GET_EVENT_MASK:
156 mode = OUT;
157 size = sizeof u.u_pe;
158 kstate = 1;
159 break;
160 case PT_SET_EVENT_MASK:
161 mode = IN;
162 size = sizeof u.u_pe;
163 kstate = 1;
164 break;
165 case PT_GET_PROCESS_STATE:
166 mode = OUT;
167 size = sizeof u.u_ps;
168 kstate = 1;
169 break;
170 case PT_GETREGS:
171 mode = OUT_ALLOC;
172 size = sizeof(struct reg);
173 break;
174 case PT_SETREGS:
175 mode = IN_ALLOC;
176 size = sizeof(struct reg);
177 break;
178 #ifdef PT_GETFPREGS
179 case PT_GETFPREGS:
180 mode = OUT_ALLOC;
181 size = sizeof(struct fpreg);
182 break;
183 #endif
184 #ifdef PT_SETFPREGS
185 case PT_SETFPREGS:
186 mode = IN_ALLOC;
187 size = sizeof(struct fpreg);
188 break;
189 #endif
190 #ifdef PT_GETXMMREGS
191 case PT_GETXMMREGS:
192 mode = OUT_ALLOC;
193 size = sizeof(struct xmmregs);
194 break;
195 #endif
196 #ifdef PT_SETXMMREGS
197 case PT_SETXMMREGS:
198 mode = IN_ALLOC;
199 size = sizeof(struct xmmregs);
200 break;
201 #endif
202 #ifdef PT_WCOOKIE
203 case PT_WCOOKIE:
204 mode = OUT;
205 size = sizeof u.u_wcookie;
206 data = size; /* suppress the data == size check */
207 break;
208 #endif
209 #ifdef PT_PACMASK
210 case PT_PACMASK:
211 mode = OUT;
212 size = sizeof u.u_pacmask;
213 break;
214 #endif
215 #ifdef PT_GETXSTATE_INFO
216 case PT_GETXSTATE_INFO:
217 mode = OUT_ALLOC;
218 size = sizeof(struct ptrace_xstate_info);
219 break;
220 #endif
221 #ifdef PT_GETXSTATE
222 case PT_GETXSTATE:
223 mode = OUT_ALLOC;
224 size = fpu_save_len;
225 break;
226 #endif
227 #ifdef PT_SETXSTATE
228 case PT_SETXSTATE:
229 mode = IN_ALLOC;
230 size = fpu_save_len;
231 break;
232 #endif
233 default:
234 return EINVAL;
235 }
236
237
238 /* Now do any copyin()s and allocations in a consistent manner */
239 switch (mode) {
240 case NONE:
241 kaddr = uaddr;
242 break;
243 case IN:
244 case IN_OUT:
245 case OUT:
246 KASSERT(size <= sizeof u);
247 if (data != size)
248 return EINVAL;
249 if (mode == OUT)
250 memset(&u, 0, size);
251 else { /* IN or IN_OUT */
252 if ((error = copyin(uaddr, &u, size)))
253 return error;
254 }
255 kaddr = &u;
256 break;
257 case IN_ALLOC:
258 kaddr = malloc(size, M_TEMP, M_WAITOK);
259 if ((error = copyin(uaddr, kaddr, size))) {
260 free(kaddr, M_TEMP, size);
261 return error;
262 }
263 break;
264 case OUT_ALLOC:
265 kaddr = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
266 break;
267 }
268
269 if (kstate)
270 error = ptrace_kstate(p, req, pid, kaddr);
271 else
272 error = ptrace_ustate(p, req, pid, kaddr, data, retval);
273
274 /* Do any copyout()s and frees */
275 if (error == 0) {
276 switch (mode) {
277 case NONE:
278 case IN:
279 case IN_ALLOC:
280 break;
281 case IN_OUT:
282 case OUT:
283 error = copyout(&u, uaddr, size);
284 if (req == PT_IO) {
285 /* historically, errors here are ignored */
286 error = 0;
287 }
288 break;
289 case OUT_ALLOC:
290 error = copyout(kaddr, uaddr, size);
291 break;
292 }
293 }
294
295 if (mode == IN_ALLOC || mode == OUT_ALLOC)
296 free(kaddr, M_TEMP, size);
297 return error;
298 }
299
300 /*
301 * ptrace control requests: attach, detach, continue, kill, single-step, etc
302 */
303 int
ptrace_ctrl(struct proc * p,int req,pid_t pid,caddr_t addr,int data)304 ptrace_ctrl(struct proc *p, int req, pid_t pid, caddr_t addr, int data)
305 {
306 struct proc *t; /* target thread */
307 struct process *tr; /* target process */
308 int error = 0;
309
310 switch (req) {
311 case PT_TRACE_ME:
312 /* Just set the trace flag. */
313 tr = p->p_p;
314 mtx_enter(&tr->ps_mtx);
315 if (ISSET(tr->ps_flags, PS_TRACED)) {
316 mtx_leave(&tr->ps_mtx);
317 return EBUSY;
318 }
319 atomic_setbits_int(&tr->ps_flags, PS_TRACED);
320 tr->ps_opptr = tr->ps_pptr;
321 mtx_leave(&tr->ps_mtx);
322 if (tr->ps_ptstat == NULL)
323 tr->ps_ptstat = malloc(sizeof(*tr->ps_ptstat),
324 M_SUBPROC, M_WAITOK);
325 memset(tr->ps_ptstat, 0, sizeof(*tr->ps_ptstat));
326 return 0;
327
328 /* calls that only operate on the PID */
329 case PT_KILL:
330 case PT_ATTACH:
331 case PT_DETACH:
332 /* Find the process we're supposed to be operating on. */
333 if ((tr = prfind(pid)) == NULL) {
334 error = ESRCH;
335 goto fail;
336 }
337 t = TAILQ_FIRST(&tr->ps_threads);
338 break;
339
340 /* calls that accept a PID or a thread ID */
341 case PT_CONTINUE:
342 #ifdef PT_STEP
343 case PT_STEP:
344 #endif
345 if ((tr = process_tprfind(pid, &t)) == NULL) {
346 error = ESRCH;
347 goto fail;
348 }
349 break;
350 }
351
352 /* Check permissions/state */
353 if (req != PT_ATTACH) {
354 /* Check that the data is a valid signal number or zero. */
355 if (req != PT_KILL && (data < 0 || data >= NSIG)) {
356 error = EINVAL;
357 goto fail;
358 }
359
360 /* Most operations require the target to already be traced */
361 if ((error = process_checktracestate(p->p_p, tr, t)))
362 goto fail;
363
364 /* Do single-step fixup if needed. */
365 FIX_SSTEP(t);
366 } else {
367 /*
368 * PT_ATTACH is the opposite; you can't attach to a process if:
369 * (1) it's the process that's doing the attaching,
370 */
371 if (tr == p->p_p) {
372 error = EINVAL;
373 goto fail;
374 }
375
376 /*
377 * (2) it's a system process
378 */
379 if (ISSET(tr->ps_flags, PS_SYSTEM)) {
380 error = EPERM;
381 goto fail;
382 }
383
384 /*
385 * (3) it's already being traced, or
386 */
387 if (ISSET(tr->ps_flags, PS_TRACED)) {
388 error = EBUSY;
389 goto fail;
390 }
391
392 /*
393 * (4) it's in the middle of execve(2)
394 */
395 if (ISSET(tr->ps_flags, PS_INEXEC)) {
396 error = EAGAIN;
397 goto fail;
398 }
399
400 /*
401 * (5) it's not owned by you, or the last exec
402 * gave us setuid/setgid privs (unless
403 * you're root), or...
404 *
405 * [Note: once PS_SUGID or PS_SUGIDEXEC gets set in
406 * execve(), they stay set until the process does
407 * another execve(). Hence this prevents a setuid
408 * process which revokes its special privileges using
409 * setuid() from being traced. This is good security.]
410 */
411 if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid ||
412 ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) &&
413 (error = suser(p)) != 0)
414 goto fail;
415
416 /*
417 * (5.5) it's not a child of the tracing process.
418 */
419 if (atomic_load_int(&global_ptrace) == 0 &&
420 !inferior(tr, p->p_p) && (error = suser(p)) != 0)
421 goto fail;
422
423 /*
424 * (6) ...it's init, which controls the security level
425 * of the entire system, and the system was not
426 * compiled with permanently insecure mode turned
427 * on.
428 */
429 if ((tr->ps_pid == 1) && (securelevel > -1)) {
430 error = EPERM;
431 goto fail;
432 }
433
434 /*
435 * (7) it's an ancestor of the current process and
436 * not init (because that would create a loop in
437 * the process graph).
438 */
439 if (tr->ps_pid != 1 && inferior(p->p_p, tr)) {
440 error = EINVAL;
441 goto fail;
442 }
443 }
444
445 switch (req) {
446
447 #ifdef PT_STEP
448 case PT_STEP:
449 /*
450 * From the 4.4BSD PRM:
451 * "Execution continues as in request PT_CONTINUE; however
452 * as soon as possible after execution of at least one
453 * instruction, execution stops again. [ ... ]"
454 */
455 #endif
456 case PT_CONTINUE:
457 /*
458 * From the 4.4BSD PRM:
459 * "The data argument is taken as a signal number and the
460 * child's execution continues at location addr as if it
461 * incurred that signal. Normally the signal number will
462 * be either 0 to indicate that the signal that caused the
463 * stop should be ignored, or that value fetched out of
464 * the process's image indicating which signal caused
465 * the stop. If addr is (int *)1 then execution continues
466 * from where it stopped."
467 */
468
469 if (pid < THREAD_PID_OFFSET && tr->ps_single)
470 t = tr->ps_single;
471 else if (t == tr->ps_single)
472 atomic_setbits_int(&t->p_flag, P_TRACESINGLE);
473 else {
474 error = EINVAL;
475 goto fail;
476 }
477
478
479 /* If the address parameter is not (int *)1, set the pc. */
480 if ((int *)addr != (int *)1)
481 if ((error = process_set_pc(t, addr)) != 0)
482 goto fail;
483
484 #ifdef PT_STEP
485 /*
486 * Arrange for a single-step, if that's requested and possible.
487 */
488 error = process_sstep(t, req == PT_STEP);
489 if (error)
490 goto fail;
491 #endif
492 goto sendsig;
493
494 case PT_DETACH:
495 /*
496 * From the 4.4BSD PRM:
497 * "The data argument is taken as a signal number and the
498 * child's execution continues at location addr as if it
499 * incurred that signal. Normally the signal number will
500 * be either 0 to indicate that the signal that caused the
501 * stop should be ignored, or that value fetched out of
502 * the process's image indicating which signal caused
503 * the stop. If addr is (int *)1 then execution continues
504 * from where it stopped."
505 */
506
507 if (pid < THREAD_PID_OFFSET && tr->ps_single)
508 t = tr->ps_single;
509
510 #ifdef PT_STEP
511 /*
512 * Stop single stepping.
513 */
514 error = process_sstep(t, 0);
515 if (error)
516 goto fail;
517 #endif
518
519 mtx_enter(&tr->ps_mtx);
520 process_untrace(tr);
521 atomic_clearbits_int(&tr->ps_flags, PS_WAITED);
522 mtx_leave(&tr->ps_mtx);
523
524 sendsig:
525 memset(tr->ps_ptstat, 0, sizeof(*tr->ps_ptstat));
526
527 /* Finally, deliver the requested signal (or none). */
528 if (t->p_stat == SSTOP) {
529 tr->ps_xsig = data;
530 SCHED_LOCK();
531 unsleep(t);
532 setrunnable(t);
533 SCHED_UNLOCK();
534 } else {
535 if (data != 0)
536 psignal(t, data);
537 }
538 break;
539
540 case PT_KILL:
541 if (pid < THREAD_PID_OFFSET && tr->ps_single)
542 t = tr->ps_single;
543
544 /* just send the process a KILL signal. */
545 data = SIGKILL;
546 goto sendsig; /* in PT_CONTINUE, above. */
547
548 case PT_ATTACH:
549 /*
550 * As was done in procfs:
551 * Go ahead and set the trace flag.
552 * Save the old parent (it's reset in
553 * _DETACH, and also in kern_exit.c:wait4()
554 * Reparent the process so that the tracing
555 * proc gets to see all the action.
556 * Stop the target.
557 */
558 mtx_enter(&tr->ps_mtx);
559 atomic_setbits_int(&tr->ps_flags, PS_TRACED);
560 tr->ps_opptr = tr->ps_pptr;
561 process_reparent(tr, p->p_p);
562 mtx_leave(&tr->ps_mtx);
563 if (tr->ps_ptstat == NULL)
564 tr->ps_ptstat = malloc(sizeof(*tr->ps_ptstat),
565 M_SUBPROC, M_WAITOK);
566 data = SIGSTOP;
567 goto sendsig;
568 default:
569 KASSERTMSG(0, "%s: unhandled request %d", __func__, req);
570 break;
571 }
572
573 fail:
574 return error;
575 }
576
577 /*
578 * ptrace kernel-state requests: thread list, event mask, process state
579 */
580 int
ptrace_kstate(struct proc * p,int req,pid_t pid,void * addr)581 ptrace_kstate(struct proc *p, int req, pid_t pid, void *addr)
582 {
583 struct process *tr; /* target process */
584 struct ptrace_event *pe = addr;
585 int error;
586
587 KASSERT((p->p_flag & P_SYSTEM) == 0);
588
589 /* Find the process we're supposed to be operating on. */
590 if ((tr = prfind(pid)) == NULL)
591 return ESRCH;
592
593 if ((error = process_checktracestate(p->p_p, tr, NULL)))
594 return error;
595
596 switch (req) {
597 case PT_GET_THREAD_FIRST:
598 case PT_GET_THREAD_NEXT:
599 {
600 struct ptrace_thread_state *pts = addr;
601 struct proc *t;
602
603 if (req == PT_GET_THREAD_NEXT) {
604 t = tfind_user(pts->pts_tid, tr);
605 if (t == NULL || ISSET(t->p_flag, P_WEXIT))
606 return ESRCH;
607 t = TAILQ_NEXT(t, p_thr_link);
608 } else {
609 t = TAILQ_FIRST(&tr->ps_threads);
610 }
611
612 if (t == NULL)
613 pts->pts_tid = -1;
614 else
615 pts->pts_tid = t->p_tid + THREAD_PID_OFFSET;
616 return 0;
617 }
618 }
619
620 switch (req) {
621 case PT_GET_EVENT_MASK:
622 pe->pe_set_event = tr->ps_ptmask;
623 break;
624 case PT_SET_EVENT_MASK:
625 tr->ps_ptmask = pe->pe_set_event;
626 break;
627 case PT_GET_PROCESS_STATE:
628 if (tr->ps_single)
629 tr->ps_ptstat->pe_tid =
630 tr->ps_single->p_tid + THREAD_PID_OFFSET;
631 memcpy(addr, tr->ps_ptstat, sizeof *tr->ps_ptstat);
632 break;
633 default:
634 KASSERTMSG(0, "%s: unhandled request %d", __func__, req);
635 break;
636 }
637
638 return 0;
639 }
640
641 /*
642 * ptrace user-state requests: memory access, registers, stack cookie
643 */
644 int
ptrace_ustate(struct proc * p,int req,pid_t pid,void * addr,int data,register_t * retval)645 ptrace_ustate(struct proc *p, int req, pid_t pid, void *addr, int data,
646 register_t *retval)
647 {
648 struct proc *t; /* target thread */
649 struct process *tr; /* target process */
650 struct uio uio;
651 struct iovec iov;
652 int error, write;
653 int temp = 0;
654
655 KASSERT((p->p_flag & P_SYSTEM) == 0);
656
657 /* Accept either PID or TID */
658 if ((tr = process_tprfind(pid, &t)) == NULL)
659 return ESRCH;
660
661 if ((error = process_checktracestate(p->p_p, tr, t)))
662 return error;
663
664 FIX_SSTEP(t);
665
666 /* Now do the operation. */
667 write = 0;
668
669 if ((error = process_checkioperm(p, tr)) != 0)
670 return error;
671
672 switch (req) {
673 case PT_WRITE_I: /* XXX no separate I and D spaces */
674 case PT_WRITE_D:
675 write = 1;
676 temp = data;
677 case PT_READ_I: /* XXX no separate I and D spaces */
678 case PT_READ_D:
679 /* write = 0 done above. */
680 iov.iov_base = (caddr_t)&temp;
681 iov.iov_len = sizeof(int);
682 uio.uio_iov = &iov;
683 uio.uio_iovcnt = 1;
684 uio.uio_offset = (off_t)(vaddr_t)addr;
685 uio.uio_resid = sizeof(int);
686 uio.uio_segflg = UIO_SYSSPACE;
687 uio.uio_rw = write ? UIO_WRITE : UIO_READ;
688 uio.uio_procp = p;
689 error = process_domem(p, tr, &uio, write ? PT_WRITE_I :
690 PT_READ_I);
691 if (write == 0)
692 *retval = temp;
693 return error;
694
695 case PT_IO:
696 {
697 struct ptrace_io_desc *piod = addr;
698
699 iov.iov_base = piod->piod_addr;
700 iov.iov_len = piod->piod_len;
701 uio.uio_iov = &iov;
702 uio.uio_iovcnt = 1;
703 uio.uio_offset = (off_t)(vaddr_t)piod->piod_offs;
704 uio.uio_resid = piod->piod_len;
705 uio.uio_segflg = UIO_USERSPACE;
706 uio.uio_procp = p;
707 switch (piod->piod_op) {
708 case PIOD_READ_I:
709 req = PT_READ_I;
710 uio.uio_rw = UIO_READ;
711 break;
712 case PIOD_READ_D:
713 req = PT_READ_D;
714 uio.uio_rw = UIO_READ;
715 break;
716 case PIOD_WRITE_I:
717 req = PT_WRITE_I;
718 uio.uio_rw = UIO_WRITE;
719 break;
720 case PIOD_WRITE_D:
721 req = PT_WRITE_D;
722 uio.uio_rw = UIO_WRITE;
723 break;
724 case PIOD_READ_AUXV:
725 req = PT_READ_D;
726 uio.uio_rw = UIO_READ;
727 temp = ELF_AUX_WORDS * sizeof(char *);
728 if (uio.uio_offset > temp)
729 return EIO;
730 if (uio.uio_resid > temp - uio.uio_offset)
731 uio.uio_resid = temp - uio.uio_offset;
732 piod->piod_len = iov.iov_len = uio.uio_resid;
733 uio.uio_offset += tr->ps_auxinfo;
734 #ifdef MACHINE_STACK_GROWS_UP
735 if (uio.uio_offset < (off_t)tr->ps_strings)
736 return EIO;
737 #else
738 if (uio.uio_offset > (off_t)tr->ps_strings)
739 return EIO;
740 if ((uio.uio_offset + uio.uio_resid) >
741 (off_t)tr->ps_strings)
742 uio.uio_resid = (off_t)tr->ps_strings -
743 uio.uio_offset;
744 #endif
745 break;
746 default:
747 return EINVAL;
748 }
749 error = process_domem(p, tr, &uio, req);
750 piod->piod_len -= uio.uio_resid;
751 return error;
752 }
753
754 case PT_SETREGS:
755 return process_write_regs(t, addr);
756 case PT_GETREGS:
757 return process_read_regs(t, addr);
758
759 #ifdef PT_SETFPREGS
760 case PT_SETFPREGS:
761 return process_write_fpregs(t, addr);
762 #endif
763 #ifdef PT_SETFPREGS
764 case PT_GETFPREGS:
765 return process_read_fpregs(t, addr);
766 #endif
767 #ifdef PT_SETXMMREGS
768 case PT_SETXMMREGS:
769 return process_write_xmmregs(t, addr);
770 #endif
771 #ifdef PT_SETXMMREGS
772 case PT_GETXMMREGS:
773 return process_read_xmmregs(t, addr);
774 #endif
775 #ifdef PT_WCOOKIE
776 case PT_WCOOKIE:
777 *(register_t *)addr = process_get_wcookie(t);
778 return 0;
779 #endif
780 #ifdef PT_PACMASK
781 case PT_PACMASK:
782 ((register_t *)addr)[0] = process_get_pacmask(t);
783 ((register_t *)addr)[1] = process_get_pacmask(t);
784 return 0;
785 #endif
786 #ifdef PT_GETXSTATE_INFO
787 case PT_GETXSTATE_INFO:
788 return process_read_xstate_info(t, addr);
789 #endif
790 #ifdef PT_GETXSTATE
791 case PT_GETXSTATE:
792 return process_read_xstate(t, addr);
793 #endif
794 #ifdef PT_SETXSTATE
795 case PT_SETXSTATE:
796 return process_write_xstate(t, addr);
797 #endif
798 default:
799 KASSERTMSG(0, "%s: unhandled request %d", __func__, req);
800 break;
801 }
802
803 return 0;
804 }
805
806
807 /*
808 * Helper for doing "it could be a PID or TID" lookup. On failure
809 * returns NULL; on success returns the selected process and sets *tp
810 * to an appropriate thread in that process.
811 */
812 static inline struct process *
process_tprfind(pid_t tpid,struct proc ** tp)813 process_tprfind(pid_t tpid, struct proc **tp)
814 {
815 if (tpid > THREAD_PID_OFFSET) {
816 struct proc *t = tfind(tpid - THREAD_PID_OFFSET);
817
818 if (t == NULL)
819 return NULL;
820 *tp = t;
821 return t->p_p;
822 } else {
823 struct process *tr = prfind(tpid);
824
825 if (tr == NULL)
826 return NULL;
827 *tp = TAILQ_FIRST(&tr->ps_threads);
828 return tr;
829 }
830 }
831
832
833 /*
834 * Check whether 'tr' is currently traced by 'curpr' and in a state
835 * to be manipulated. If 't' is supplied then it must be stopped and
836 * waited for.
837 */
838 static inline int
process_checktracestate(struct process * curpr,struct process * tr,struct proc * t)839 process_checktracestate(struct process *curpr, struct process *tr,
840 struct proc *t)
841 {
842 /*
843 * You can't do what you want to the process if:
844 * (1) It's not being traced at all,
845 */
846 if (!ISSET(tr->ps_flags, PS_TRACED))
847 return EPERM;
848
849 /*
850 * (2) it's not being traced by _you_, or
851 */
852 if (tr->ps_pptr != curpr)
853 return EBUSY;
854
855 /*
856 * (3) it's in the middle of execve(2)
857 */
858 if (ISSET(tr->ps_flags, PS_INEXEC))
859 return EAGAIN;
860
861 /*
862 * (4) if a thread was specified and it's not currently stopped.
863 */
864 if (t != NULL &&
865 (t->p_stat != SSTOP || !ISSET(tr->ps_flags, PS_WAITED)))
866 return EBUSY;
867
868 return 0;
869 }
870
871 #endif /* PTRACE */
872
873 /*
874 * Check if a process is allowed to fiddle with the memory of another.
875 *
876 * p = tracer
877 * tr = tracee
878 *
879 * 1. You can't attach to a process not owned by you or one that has raised
880 * its privileges.
881 * 1a. ...unless you are root.
882 *
883 * 2. init is always off-limits because it can control the securelevel.
884 * 2a. ...unless securelevel is permanently set to insecure.
885 *
886 * 3. Processes that are in the process of doing an exec() are always
887 * off-limits because of the can of worms they are. Just wait a
888 * second.
889 */
890 int
process_checkioperm(struct proc * p,struct process * tr)891 process_checkioperm(struct proc *p, struct process *tr)
892 {
893 int error;
894
895 if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid ||
896 ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) &&
897 (error = suser(p)) != 0)
898 return (error);
899
900 if ((tr->ps_pid == 1) && (securelevel > -1))
901 return (EPERM);
902
903 if (ISSET(tr->ps_flags, PS_INEXEC))
904 return (EAGAIN);
905
906 return (0);
907 }
908
909 int
process_domem(struct proc * curp,struct process * tr,struct uio * uio,int req)910 process_domem(struct proc *curp, struct process *tr, struct uio *uio, int req)
911 {
912 struct vmspace *vm;
913 int error;
914 vaddr_t addr;
915 vsize_t len;
916
917 len = uio->uio_resid;
918 if (len == 0)
919 return 0;
920
921 if ((error = process_checkioperm(curp, tr)) != 0)
922 return error;
923
924 vm = tr->ps_vmspace;
925 if ((tr->ps_flags & PS_EXITING) || (vm->vm_refcnt < 1))
926 return EFAULT;
927 addr = uio->uio_offset;
928
929 uvmspace_addref(vm);
930
931 error = uvm_io(&vm->vm_map, uio, UVM_IO_FIXPROT);
932
933 uvmspace_free(vm);
934
935 if (error == 0 && req == PT_WRITE_I)
936 pmap_proc_iflush(tr, addr, len);
937
938 return error;
939 }
940