1 /* $OpenBSD: sys_process.c,v 1.89 2021/12/07 04:19:24 guenther Exp $ */ 2 /* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */ 3 4 /*- 5 * Copyright (c) 1994 Christopher G. Demetriou. All rights reserved. 6 * Copyright (c) 1982, 1986, 1989, 1993 7 * The Regents of the University of California. All rights reserved. 8 * (c) UNIX System Laboratories, Inc. 9 * All or some portions of this file are derived from material licensed 10 * to the University of California by American Telephone and Telegraph 11 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 12 * the permission of UNIX System Laboratories, Inc. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * from: @(#)sys_process.c 8.1 (Berkeley) 6/10/93 39 */ 40 41 /* 42 * References: 43 * (1) Bach's "The Design of the UNIX Operating System", 44 * (2) sys/miscfs/procfs from UCB's 4.4BSD-Lite distribution, 45 * (3) the "4.4BSD Programmer's Reference Manual" published 46 * by USENIX and O'Reilly & Associates. 47 * The 4.4BSD PRM does a reasonably good job of documenting what the various 48 * ptrace() requests should actually do, and its text is quoted several times 49 * in this file. 50 */ 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/exec.h> 55 #include <sys/proc.h> 56 #include <sys/signalvar.h> 57 #include <sys/errno.h> 58 #include <sys/malloc.h> 59 #include <sys/ptrace.h> 60 #include <sys/uio.h> 61 #include <sys/sched.h> 62 #include <sys/exec_elf.h> 63 64 #include <sys/mount.h> 65 #include <sys/syscallargs.h> 66 67 #include <uvm/uvm_extern.h> 68 69 #include <machine/reg.h> 70 71 #ifdef PTRACE 72 73 static inline int process_checktracestate(struct process *_curpr, 74 struct process *_tr, struct proc *_t); 75 static inline struct process *process_tprfind(pid_t _tpid, struct proc **_tp); 76 77 int ptrace_ctrl(struct proc *, int, pid_t, caddr_t, int); 78 int ptrace_ustate(struct proc *, int, pid_t, void *, int, register_t *); 79 int ptrace_kstate(struct proc *, int, pid_t, void *); 80 int process_auxv_offset(struct proc *, struct process *, struct uio *); 81 82 int global_ptrace; /* permit tracing of not children */ 83 84 85 /* 86 * Process debugging system call. 87 */ 88 int 89 sys_ptrace(struct proc *p, void *v, register_t *retval) 90 { 91 struct sys_ptrace_args /* { 92 syscallarg(int) req; 93 syscallarg(pid_t) pid; 94 syscallarg(caddr_t) addr; 95 syscallarg(int) data; 96 } */ *uap = v; 97 int req = SCARG(uap, req); 98 pid_t pid = SCARG(uap, pid); 99 caddr_t uaddr = SCARG(uap, addr); /* userspace */ 100 void *kaddr = NULL; /* kernelspace */ 101 int data = SCARG(uap, data); 102 union { 103 struct ptrace_thread_state u_pts; 104 struct ptrace_io_desc u_piod; 105 struct ptrace_event u_pe; 106 struct ptrace_state u_ps; 107 register_t u_wcookie; 108 } u; 109 int size = 0; 110 enum { NONE, IN, IN_ALLOC, OUT, OUT_ALLOC, IN_OUT } mode; 111 int kstate = 0; 112 int error; 113 114 *retval = 0; 115 116 /* Figure out what sort of copyin/out operations we'll do */ 117 switch (req) { 118 case PT_TRACE_ME: 119 case PT_CONTINUE: 120 case PT_KILL: 121 case PT_ATTACH: 122 case PT_DETACH: 123 #ifdef PT_STEP 124 case PT_STEP: 125 #endif 126 /* control operations do no copyin/out; dispatch directly */ 127 return ptrace_ctrl(p, req, pid, uaddr, data); 128 129 case PT_READ_I: 130 case PT_READ_D: 131 case PT_WRITE_I: 132 case PT_WRITE_D: 133 mode = NONE; 134 break; 135 case PT_IO: 136 mode = IN_OUT; 137 size = sizeof u.u_piod; 138 data = size; /* suppress the data == size check */ 139 break; 140 case PT_GET_THREAD_FIRST: 141 mode = OUT; 142 size = sizeof u.u_pts; 143 kstate = 1; 144 break; 145 case PT_GET_THREAD_NEXT: 146 mode = IN_OUT; 147 size = sizeof u.u_pts; 148 kstate = 1; 149 break; 150 case PT_GET_EVENT_MASK: 151 mode = OUT; 152 size = sizeof u.u_pe; 153 kstate = 1; 154 break; 155 case PT_SET_EVENT_MASK: 156 mode = IN; 157 size = sizeof u.u_pe; 158 kstate = 1; 159 break; 160 case PT_GET_PROCESS_STATE: 161 mode = OUT; 162 size = sizeof u.u_ps; 163 kstate = 1; 164 break; 165 case PT_GETREGS: 166 mode = OUT_ALLOC; 167 size = sizeof(struct reg); 168 break; 169 case PT_SETREGS: 170 mode = IN_ALLOC; 171 size = sizeof(struct reg); 172 break; 173 #ifdef PT_GETFPREGS 174 case PT_GETFPREGS: 175 mode = OUT_ALLOC; 176 size = sizeof(struct fpreg); 177 break; 178 #endif 179 #ifdef PT_SETFPREGS 180 case PT_SETFPREGS: 181 mode = IN_ALLOC; 182 size = sizeof(struct fpreg); 183 break; 184 #endif 185 #ifdef PT_GETXMMREGS 186 case PT_GETXMMREGS: 187 mode = OUT_ALLOC; 188 size = sizeof(struct xmmregs); 189 break; 190 #endif 191 #ifdef PT_SETXMMREGS 192 case PT_SETXMMREGS: 193 mode = IN_ALLOC; 194 size = sizeof(struct xmmregs); 195 break; 196 #endif 197 #ifdef PT_WCOOKIE 198 case PT_WCOOKIE: 199 mode = OUT; 200 size = sizeof u.u_wcookie; 201 data = size; /* suppress the data == size check */ 202 break; 203 #endif 204 default: 205 return EINVAL; 206 } 207 208 209 /* Now do any copyin()s and allocations in a consistent manner */ 210 switch (mode) { 211 case NONE: 212 kaddr = uaddr; 213 break; 214 case IN: 215 case IN_OUT: 216 case OUT: 217 KASSERT(size <= sizeof u); 218 if (data != size) 219 return EINVAL; 220 if (mode == OUT) 221 memset(&u, 0, size); 222 else { /* IN or IN_OUT */ 223 if ((error = copyin(uaddr, &u, size))) 224 return error; 225 } 226 kaddr = &u; 227 break; 228 case IN_ALLOC: 229 kaddr = malloc(size, M_TEMP, M_WAITOK); 230 if ((error = copyin(uaddr, kaddr, size))) { 231 free(kaddr, M_TEMP, size); 232 return error; 233 } 234 break; 235 case OUT_ALLOC: 236 kaddr = malloc(size, M_TEMP, M_WAITOK | M_ZERO); 237 break; 238 } 239 240 if (kstate) 241 error = ptrace_kstate(p, req, pid, kaddr); 242 else 243 error = ptrace_ustate(p, req, pid, kaddr, data, retval); 244 245 /* Do any copyout()s and frees */ 246 if (error == 0) { 247 switch (mode) { 248 case NONE: 249 case IN: 250 case IN_ALLOC: 251 break; 252 case IN_OUT: 253 case OUT: 254 error = copyout(&u, uaddr, size); 255 if (req == PT_IO) { 256 /* historically, errors here are ignored */ 257 error = 0; 258 } 259 break; 260 case OUT_ALLOC: 261 error = copyout(kaddr, uaddr, size); 262 break; 263 } 264 } 265 266 if (mode == IN_ALLOC || mode == OUT_ALLOC) 267 free(kaddr, M_TEMP, size); 268 return error; 269 } 270 271 /* 272 * ptrace control requests: attach, detach, continue, kill, single-step, etc 273 */ 274 int 275 ptrace_ctrl(struct proc *p, int req, pid_t pid, caddr_t addr, int data) 276 { 277 struct proc *t; /* target thread */ 278 struct process *tr; /* target process */ 279 int error = 0; 280 int s; 281 282 switch (req) { 283 case PT_TRACE_ME: 284 /* Just set the trace flag. */ 285 tr = p->p_p; 286 if (ISSET(tr->ps_flags, PS_TRACED)) 287 return EBUSY; 288 atomic_setbits_int(&tr->ps_flags, PS_TRACED); 289 tr->ps_oppid = tr->ps_pptr->ps_pid; 290 if (tr->ps_ptstat == NULL) 291 tr->ps_ptstat = malloc(sizeof(*tr->ps_ptstat), 292 M_SUBPROC, M_WAITOK); 293 memset(tr->ps_ptstat, 0, sizeof(*tr->ps_ptstat)); 294 return 0; 295 296 /* calls that only operate on the PID */ 297 case PT_KILL: 298 case PT_ATTACH: 299 case PT_DETACH: 300 /* Find the process we're supposed to be operating on. */ 301 if ((tr = prfind(pid)) == NULL) { 302 error = ESRCH; 303 goto fail; 304 } 305 t = TAILQ_FIRST(&tr->ps_threads); 306 break; 307 308 /* calls that accept a PID or a thread ID */ 309 case PT_CONTINUE: 310 #ifdef PT_STEP 311 case PT_STEP: 312 #endif 313 if ((tr = process_tprfind(pid, &t)) == NULL) { 314 error = ESRCH; 315 goto fail; 316 } 317 break; 318 } 319 320 /* Check permissions/state */ 321 if (req != PT_ATTACH) { 322 /* Check that the data is a valid signal number or zero. */ 323 if (req != PT_KILL && (data < 0 || data >= NSIG)) { 324 error = EINVAL; 325 goto fail; 326 } 327 328 /* Most operations require the target to already be traced */ 329 if ((error = process_checktracestate(p->p_p, tr, t))) 330 goto fail; 331 332 /* Do single-step fixup if needed. */ 333 FIX_SSTEP(t); 334 } else { 335 /* 336 * PT_ATTACH is the opposite; you can't attach to a process if: 337 * (1) it's the process that's doing the attaching, 338 */ 339 if (tr == p->p_p) { 340 error = EINVAL; 341 goto fail; 342 } 343 344 /* 345 * (2) it's a system process 346 */ 347 if (ISSET(tr->ps_flags, PS_SYSTEM)) { 348 error = EPERM; 349 goto fail; 350 } 351 352 /* 353 * (3) it's already being traced, or 354 */ 355 if (ISSET(tr->ps_flags, PS_TRACED)) { 356 error = EBUSY; 357 goto fail; 358 } 359 360 /* 361 * (4) it's in the middle of execve(2) 362 */ 363 if (ISSET(tr->ps_flags, PS_INEXEC)) { 364 error = EAGAIN; 365 goto fail; 366 } 367 368 /* 369 * (5) it's not owned by you, or the last exec 370 * gave us setuid/setgid privs (unless 371 * you're root), or... 372 * 373 * [Note: once PS_SUGID or PS_SUGIDEXEC gets set in 374 * execve(), they stay set until the process does 375 * another execve(). Hence this prevents a setuid 376 * process which revokes its special privileges using 377 * setuid() from being traced. This is good security.] 378 */ 379 if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid || 380 ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) && 381 (error = suser(p)) != 0) 382 goto fail; 383 384 /* 385 * (5.5) it's not a child of the tracing process. 386 */ 387 if (global_ptrace == 0 && !inferior(tr, p->p_p) && 388 (error = suser(p)) != 0) 389 goto fail; 390 391 /* 392 * (6) ...it's init, which controls the security level 393 * of the entire system, and the system was not 394 * compiled with permanently insecure mode turned 395 * on. 396 */ 397 if ((tr->ps_pid == 1) && (securelevel > -1)) { 398 error = EPERM; 399 goto fail; 400 } 401 402 /* 403 * (7) it's an ancestor of the current process and 404 * not init (because that would create a loop in 405 * the process graph). 406 */ 407 if (tr->ps_pid != 1 && inferior(p->p_p, tr)) { 408 error = EINVAL; 409 goto fail; 410 } 411 } 412 413 switch (req) { 414 415 #ifdef PT_STEP 416 case PT_STEP: 417 /* 418 * From the 4.4BSD PRM: 419 * "Execution continues as in request PT_CONTINUE; however 420 * as soon as possible after execution of at least one 421 * instruction, execution stops again. [ ... ]" 422 */ 423 #endif 424 case PT_CONTINUE: 425 /* 426 * From the 4.4BSD PRM: 427 * "The data argument is taken as a signal number and the 428 * child's execution continues at location addr as if it 429 * incurred that signal. Normally the signal number will 430 * be either 0 to indicate that the signal that caused the 431 * stop should be ignored, or that value fetched out of 432 * the process's image indicating which signal caused 433 * the stop. If addr is (int *)1 then execution continues 434 * from where it stopped." 435 */ 436 437 if (pid < THREAD_PID_OFFSET && tr->ps_single) 438 t = tr->ps_single; 439 440 /* If the address parameter is not (int *)1, set the pc. */ 441 if ((int *)addr != (int *)1) 442 if ((error = process_set_pc(t, addr)) != 0) 443 goto fail; 444 445 #ifdef PT_STEP 446 /* 447 * Arrange for a single-step, if that's requested and possible. 448 */ 449 error = process_sstep(t, req == PT_STEP); 450 if (error) 451 goto fail; 452 #endif 453 goto sendsig; 454 455 case PT_DETACH: 456 /* 457 * From the 4.4BSD PRM: 458 * "The data argument is taken as a signal number and the 459 * child's execution continues at location addr as if it 460 * incurred that signal. Normally the signal number will 461 * be either 0 to indicate that the signal that caused the 462 * stop should be ignored, or that value fetched out of 463 * the process's image indicating which signal caused 464 * the stop. If addr is (int *)1 then execution continues 465 * from where it stopped." 466 */ 467 468 if (pid < THREAD_PID_OFFSET && tr->ps_single) 469 t = tr->ps_single; 470 471 #ifdef PT_STEP 472 /* 473 * Stop single stepping. 474 */ 475 error = process_sstep(t, 0); 476 if (error) 477 goto fail; 478 #endif 479 480 process_untrace(tr); 481 atomic_clearbits_int(&tr->ps_flags, PS_WAITED); 482 483 sendsig: 484 memset(tr->ps_ptstat, 0, sizeof(*tr->ps_ptstat)); 485 486 /* Finally, deliver the requested signal (or none). */ 487 if (t->p_stat == SSTOP) { 488 tr->ps_xsig = data; 489 SCHED_LOCK(s); 490 setrunnable(t); 491 SCHED_UNLOCK(s); 492 } else { 493 if (data != 0) 494 psignal(t, data); 495 } 496 break; 497 498 case PT_KILL: 499 if (pid < THREAD_PID_OFFSET && tr->ps_single) 500 t = tr->ps_single; 501 502 /* just send the process a KILL signal. */ 503 data = SIGKILL; 504 goto sendsig; /* in PT_CONTINUE, above. */ 505 506 case PT_ATTACH: 507 /* 508 * As was done in procfs: 509 * Go ahead and set the trace flag. 510 * Save the old parent (it's reset in 511 * _DETACH, and also in kern_exit.c:wait4() 512 * Reparent the process so that the tracing 513 * proc gets to see all the action. 514 * Stop the target. 515 */ 516 atomic_setbits_int(&tr->ps_flags, PS_TRACED); 517 tr->ps_oppid = tr->ps_pptr->ps_pid; 518 process_reparent(tr, p->p_p); 519 if (tr->ps_ptstat == NULL) 520 tr->ps_ptstat = malloc(sizeof(*tr->ps_ptstat), 521 M_SUBPROC, M_WAITOK); 522 data = SIGSTOP; 523 goto sendsig; 524 default: 525 KASSERTMSG(0, "%s: unhandled request %d", __func__, req); 526 break; 527 } 528 529 fail: 530 return error; 531 } 532 533 /* 534 * ptrace kernel-state requests: thread list, event mask, process state 535 */ 536 int 537 ptrace_kstate(struct proc *p, int req, pid_t pid, void *addr) 538 { 539 struct process *tr; /* target process */ 540 struct ptrace_event *pe = addr; 541 int error; 542 543 KASSERT((p->p_flag & P_SYSTEM) == 0); 544 545 /* Find the process we're supposed to be operating on. */ 546 if ((tr = prfind(pid)) == NULL) 547 return ESRCH; 548 549 if ((error = process_checktracestate(p->p_p, tr, NULL))) 550 return error; 551 552 switch (req) { 553 case PT_GET_THREAD_FIRST: 554 case PT_GET_THREAD_NEXT: 555 { 556 struct ptrace_thread_state *pts = addr; 557 struct proc *t; 558 559 if (req == PT_GET_THREAD_NEXT) { 560 t = tfind(pts->pts_tid - THREAD_PID_OFFSET); 561 if (t == NULL || ISSET(t->p_flag, P_WEXIT)) 562 return ESRCH; 563 if (t->p_p != tr) 564 return EINVAL; 565 t = TAILQ_NEXT(t, p_thr_link); 566 } else { 567 t = TAILQ_FIRST(&tr->ps_threads); 568 } 569 570 if (t == NULL) 571 pts->pts_tid = -1; 572 else 573 pts->pts_tid = t->p_tid + THREAD_PID_OFFSET; 574 return 0; 575 } 576 } 577 578 switch (req) { 579 case PT_GET_EVENT_MASK: 580 pe->pe_set_event = tr->ps_ptmask; 581 break; 582 case PT_SET_EVENT_MASK: 583 tr->ps_ptmask = pe->pe_set_event; 584 break; 585 case PT_GET_PROCESS_STATE: 586 if (tr->ps_single) 587 tr->ps_ptstat->pe_tid = 588 tr->ps_single->p_tid + THREAD_PID_OFFSET; 589 memcpy(addr, tr->ps_ptstat, sizeof *tr->ps_ptstat); 590 break; 591 default: 592 KASSERTMSG(0, "%s: unhandled request %d", __func__, req); 593 break; 594 } 595 596 return 0; 597 } 598 599 /* 600 * ptrace user-state requests: memory access, registers, stack cookie 601 */ 602 int 603 ptrace_ustate(struct proc *p, int req, pid_t pid, void *addr, int data, 604 register_t *retval) 605 { 606 struct proc *t; /* target thread */ 607 struct process *tr; /* target process */ 608 struct uio uio; 609 struct iovec iov; 610 int error, write; 611 int temp = 0; 612 613 KASSERT((p->p_flag & P_SYSTEM) == 0); 614 615 /* Accept either PID or TID */ 616 if ((tr = process_tprfind(pid, &t)) == NULL) 617 return ESRCH; 618 619 if ((error = process_checktracestate(p->p_p, tr, t))) 620 return error; 621 622 FIX_SSTEP(t); 623 624 /* Now do the operation. */ 625 write = 0; 626 627 if ((error = process_checkioperm(p, tr)) != 0) 628 return error; 629 630 switch (req) { 631 case PT_WRITE_I: /* XXX no separate I and D spaces */ 632 case PT_WRITE_D: 633 write = 1; 634 temp = data; 635 case PT_READ_I: /* XXX no separate I and D spaces */ 636 case PT_READ_D: 637 /* write = 0 done above. */ 638 iov.iov_base = (caddr_t)&temp; 639 iov.iov_len = sizeof(int); 640 uio.uio_iov = &iov; 641 uio.uio_iovcnt = 1; 642 uio.uio_offset = (off_t)(vaddr_t)addr; 643 uio.uio_resid = sizeof(int); 644 uio.uio_segflg = UIO_SYSSPACE; 645 uio.uio_rw = write ? UIO_WRITE : UIO_READ; 646 uio.uio_procp = p; 647 error = process_domem(p, tr, &uio, write ? PT_WRITE_I : 648 PT_READ_I); 649 if (write == 0) 650 *retval = temp; 651 return error; 652 653 case PT_IO: 654 { 655 struct ptrace_io_desc *piod = addr; 656 657 iov.iov_base = piod->piod_addr; 658 iov.iov_len = piod->piod_len; 659 uio.uio_iov = &iov; 660 uio.uio_iovcnt = 1; 661 uio.uio_offset = (off_t)(vaddr_t)piod->piod_offs; 662 uio.uio_resid = piod->piod_len; 663 uio.uio_segflg = UIO_USERSPACE; 664 uio.uio_procp = p; 665 switch (piod->piod_op) { 666 case PIOD_READ_I: 667 req = PT_READ_I; 668 uio.uio_rw = UIO_READ; 669 break; 670 case PIOD_READ_D: 671 req = PT_READ_D; 672 uio.uio_rw = UIO_READ; 673 break; 674 case PIOD_WRITE_I: 675 req = PT_WRITE_I; 676 uio.uio_rw = UIO_WRITE; 677 break; 678 case PIOD_WRITE_D: 679 req = PT_WRITE_D; 680 uio.uio_rw = UIO_WRITE; 681 break; 682 case PIOD_READ_AUXV: 683 req = PT_READ_D; 684 uio.uio_rw = UIO_READ; 685 temp = ELF_AUX_WORDS * sizeof(char *); 686 if (uio.uio_offset > temp) 687 return EIO; 688 if (uio.uio_resid > temp - uio.uio_offset) 689 uio.uio_resid = temp - uio.uio_offset; 690 piod->piod_len = iov.iov_len = uio.uio_resid; 691 error = process_auxv_offset(p, tr, &uio); 692 if (error) 693 return error; 694 break; 695 default: 696 return EINVAL; 697 } 698 error = process_domem(p, tr, &uio, req); 699 piod->piod_len -= uio.uio_resid; 700 return error; 701 } 702 703 case PT_SETREGS: 704 return process_write_regs(t, addr); 705 case PT_GETREGS: 706 return process_read_regs(t, addr); 707 708 #ifdef PT_SETFPREGS 709 case PT_SETFPREGS: 710 return process_write_fpregs(t, addr); 711 #endif 712 #ifdef PT_SETFPREGS 713 case PT_GETFPREGS: 714 return process_read_fpregs(t, addr); 715 #endif 716 #ifdef PT_SETXMMREGS 717 case PT_SETXMMREGS: 718 return process_write_xmmregs(t, addr); 719 #endif 720 #ifdef PT_SETXMMREGS 721 case PT_GETXMMREGS: 722 return process_read_xmmregs(t, addr); 723 #endif 724 #ifdef PT_WCOOKIE 725 case PT_WCOOKIE: 726 *(register_t *)addr = process_get_wcookie(t); 727 return 0; 728 #endif 729 default: 730 KASSERTMSG(0, "%s: unhandled request %d", __func__, req); 731 break; 732 } 733 734 return 0; 735 } 736 737 738 /* 739 * Helper for doing "it could be a PID or TID" lookup. On failure 740 * returns NULL; on success returns the selected process and sets *tp 741 * to an appropriate thread in that process. 742 */ 743 static inline struct process * 744 process_tprfind(pid_t tpid, struct proc **tp) 745 { 746 if (tpid > THREAD_PID_OFFSET) { 747 struct proc *t = tfind(tpid - THREAD_PID_OFFSET); 748 749 if (t == NULL) 750 return NULL; 751 *tp = t; 752 return t->p_p; 753 } else { 754 struct process *tr = prfind(tpid); 755 756 if (tr == NULL) 757 return NULL; 758 *tp = TAILQ_FIRST(&tr->ps_threads); 759 return tr; 760 } 761 } 762 763 764 /* 765 * Check whether 'tr' is currently traced by 'curpr' and in a state 766 * to be manipulated. If 't' is supplied then it must be stopped and 767 * waited for. 768 */ 769 static inline int 770 process_checktracestate(struct process *curpr, struct process *tr, 771 struct proc *t) 772 { 773 /* 774 * You can't do what you want to the process if: 775 * (1) It's not being traced at all, 776 */ 777 if (!ISSET(tr->ps_flags, PS_TRACED)) 778 return EPERM; 779 780 /* 781 * (2) it's not being traced by _you_, or 782 */ 783 if (tr->ps_pptr != curpr) 784 return EBUSY; 785 786 /* 787 * (3) it's in the middle of execve(2) 788 */ 789 if (ISSET(tr->ps_flags, PS_INEXEC)) 790 return EAGAIN; 791 792 /* 793 * (4) if a thread was specified and it's not currently stopped. 794 */ 795 if (t != NULL && 796 (t->p_stat != SSTOP || !ISSET(tr->ps_flags, PS_WAITED))) 797 return EBUSY; 798 799 return 0; 800 } 801 802 803 /* 804 * Check if a process is allowed to fiddle with the memory of another. 805 * 806 * p = tracer 807 * tr = tracee 808 * 809 * 1. You can't attach to a process not owned by you or one that has raised 810 * its privileges. 811 * 1a. ...unless you are root. 812 * 813 * 2. init is always off-limits because it can control the securelevel. 814 * 2a. ...unless securelevel is permanently set to insecure. 815 * 816 * 3. Processes that are in the process of doing an exec() are always 817 * off-limits because of the can of worms they are. Just wait a 818 * second. 819 */ 820 int 821 process_checkioperm(struct proc *p, struct process *tr) 822 { 823 int error; 824 825 if ((tr->ps_ucred->cr_ruid != p->p_ucred->cr_ruid || 826 ISSET(tr->ps_flags, PS_SUGIDEXEC | PS_SUGID)) && 827 (error = suser(p)) != 0) 828 return (error); 829 830 if ((tr->ps_pid == 1) && (securelevel > -1)) 831 return (EPERM); 832 833 if (ISSET(tr->ps_flags, PS_INEXEC)) 834 return (EAGAIN); 835 836 return (0); 837 } 838 839 int 840 process_domem(struct proc *curp, struct process *tr, struct uio *uio, int req) 841 { 842 struct vmspace *vm; 843 int error; 844 vaddr_t addr; 845 vsize_t len; 846 847 len = uio->uio_resid; 848 if (len == 0) 849 return 0; 850 851 if ((error = process_checkioperm(curp, tr)) != 0) 852 return error; 853 854 vm = tr->ps_vmspace; 855 if ((tr->ps_flags & PS_EXITING) || (vm->vm_refcnt < 1)) 856 return EFAULT; 857 addr = uio->uio_offset; 858 859 uvmspace_addref(vm); 860 861 error = uvm_io(&vm->vm_map, uio, 862 (uio->uio_rw == UIO_WRITE) ? UVM_IO_FIXPROT : 0); 863 864 uvmspace_free(vm); 865 866 if (error == 0 && req == PT_WRITE_I) 867 pmap_proc_iflush(tr, addr, len); 868 869 return error; 870 } 871 872 int 873 process_auxv_offset(struct proc *curp, struct process *tr, struct uio *uiop) 874 { 875 struct vmspace *vm; 876 struct ps_strings pss; 877 struct iovec iov; 878 struct uio uio; 879 int error; 880 881 iov.iov_base = &pss; 882 iov.iov_len = sizeof(pss); 883 uio.uio_iov = &iov; 884 uio.uio_iovcnt = 1; 885 uio.uio_offset = (off_t)tr->ps_strings; 886 uio.uio_resid = sizeof(pss); 887 uio.uio_segflg = UIO_SYSSPACE; 888 uio.uio_rw = UIO_READ; 889 uio.uio_procp = curp; 890 891 vm = tr->ps_vmspace; 892 if ((tr->ps_flags & PS_EXITING) || (vm->vm_refcnt < 1)) 893 return EFAULT; 894 895 uvmspace_addref(vm); 896 error = uvm_io(&vm->vm_map, &uio, 0); 897 uvmspace_free(vm); 898 899 if (error != 0) 900 return error; 901 902 if (pss.ps_envstr == NULL) 903 return EIO; 904 905 uiop->uio_offset += (off_t)(vaddr_t)(pss.ps_envstr + pss.ps_nenvstr + 1); 906 #ifdef MACHINE_STACK_GROWS_UP 907 if (uiop->uio_offset < (off_t)tr->ps_strings) 908 return EIO; 909 #else 910 if (uiop->uio_offset > (off_t)tr->ps_strings) 911 return EIO; 912 if ((uiop->uio_offset + uiop->uio_resid) > (off_t)tr->ps_strings) 913 uiop->uio_resid = (off_t)tr->ps_strings - uiop->uio_offset; 914 #endif 915 916 return 0; 917 } 918 #endif 919