1 /* $OpenBSD: sys_process.c,v 1.45 2010/05/02 11:15:29 kettenis Exp $ */ 2 /* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */ 3 4 /*- 5 * Copyright (c) 1994 Christopher G. Demetriou. All rights reserved. 6 * Copyright (c) 1982, 1986, 1989, 1993 7 * The Regents of the University of California. All rights reserved. 8 * (c) UNIX System Laboratories, Inc. 9 * All or some portions of this file are derived from material licensed 10 * to the University of California by American Telephone and Telegraph 11 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 12 * the permission of UNIX System Laboratories, Inc. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * from: @(#)sys_process.c 8.1 (Berkeley) 6/10/93 39 */ 40 41 /* 42 * References: 43 * (1) Bach's "The Design of the UNIX Operating System", 44 * (2) sys/miscfs/procfs from UCB's 4.4BSD-Lite distribution, 45 * (3) the "4.4BSD Programmer's Reference Manual" published 46 * by USENIX and O'Reilly & Associates. 47 * The 4.4BSD PRM does a reasonably good job of documenting what the various 48 * ptrace() requests should actually do, and its text is quoted several times 49 * in this file. 50 */ 51 52 #include <sys/param.h> 53 #include <sys/systm.h> 54 #include <sys/exec.h> 55 #include <sys/proc.h> 56 #include <sys/signalvar.h> 57 #include <sys/errno.h> 58 #include <sys/malloc.h> 59 #include <sys/ptrace.h> 60 #include <sys/uio.h> 61 #include <sys/user.h> 62 #include <sys/sched.h> 63 64 #include <sys/mount.h> 65 #include <sys/syscallargs.h> 66 67 #include <uvm/uvm_extern.h> 68 69 #include <machine/reg.h> 70 71 int process_auxv_offset(struct proc *, struct proc *, struct uio *); 72 73 #ifdef PTRACE 74 /* 75 * Process debugging system call. 76 */ 77 int 78 sys_ptrace(struct proc *p, void *v, register_t *retval) 79 { 80 struct sys_ptrace_args /* { 81 syscallarg(int) req; 82 syscallarg(pid_t) pid; 83 syscallarg(caddr_t) addr; 84 syscallarg(int) data; 85 } */ *uap = v; 86 struct proc *t; /* target process */ 87 struct uio uio; 88 struct iovec iov; 89 struct ptrace_io_desc piod; 90 struct ptrace_event pe; 91 struct reg *regs; 92 #if defined (PT_SETFPREGS) || defined (PT_GETFPREGS) 93 struct fpreg *fpregs; 94 #endif 95 #if defined (PT_SETXMMREGS) || defined (PT_GETXMMREGS) 96 struct xmmregs *xmmregs; 97 #endif 98 #ifdef PT_WCOOKIE 99 register_t wcookie; 100 #endif 101 int error, write; 102 int temp; 103 int req; 104 int s; 105 106 /* "A foolish consistency..." XXX */ 107 if (SCARG(uap, req) == PT_TRACE_ME) 108 t = p; 109 else { 110 111 /* Find the process we're supposed to be operating on. */ 112 if ((t = pfind(SCARG(uap, pid))) == NULL) 113 return (ESRCH); 114 } 115 116 if ((t->p_flag & P_INEXEC) != 0) 117 return (EAGAIN); 118 119 /* Make sure we can operate on it. */ 120 switch (SCARG(uap, req)) { 121 case PT_TRACE_ME: 122 /* Saying that you're being traced is always legal. */ 123 break; 124 125 case PT_ATTACH: 126 /* 127 * You can't attach to a process if: 128 * (1) it's the process that's doing the attaching, 129 */ 130 if (t->p_pid == p->p_pid) 131 return (EINVAL); 132 133 /* 134 * (2) it's a system process 135 */ 136 if (ISSET(t->p_flag, P_SYSTEM)) 137 return (EPERM); 138 139 /* 140 * (3) it's already being traced, or 141 */ 142 if (ISSET(t->p_flag, P_TRACED)) 143 return (EBUSY); 144 145 /* 146 * (4) it's not owned by you, or the last exec 147 * gave us setuid/setgid privs (unless 148 * you're root), or... 149 * 150 * [Note: once P_SUGID or P_SUGIDEXEC gets set in 151 * execve(), they stay set until the process does 152 * another execve(). Hence this prevents a setuid 153 * process which revokes its special privileges using 154 * setuid() from being traced. This is good security.] 155 */ 156 if ((t->p_cred->p_ruid != p->p_cred->p_ruid || 157 ISSET(t->p_flag, P_SUGIDEXEC) || 158 ISSET(t->p_flag, P_SUGID)) && 159 (error = suser(p, 0)) != 0) 160 return (error); 161 162 /* 163 * (5) ...it's init, which controls the security level 164 * of the entire system, and the system was not 165 * compiled with permanently insecure mode turned 166 * on. 167 */ 168 if ((t->p_pid == 1) && (securelevel > -1)) 169 return (EPERM); 170 171 /* 172 * (6) it's an ancestor of the current process and 173 * not init (because that would create a loop in 174 * the process graph). 175 */ 176 if (t->p_pid != 1 && inferior(p, t)) 177 return (EINVAL); 178 break; 179 180 case PT_READ_I: 181 case PT_READ_D: 182 case PT_WRITE_I: 183 case PT_WRITE_D: 184 case PT_IO: 185 case PT_CONTINUE: 186 case PT_KILL: 187 case PT_DETACH: 188 #ifdef PT_STEP 189 case PT_STEP: 190 #endif 191 case PT_SET_EVENT_MASK: 192 case PT_GET_EVENT_MASK: 193 case PT_GET_PROCESS_STATE: 194 case PT_GETREGS: 195 case PT_SETREGS: 196 #ifdef PT_GETFPREGS 197 case PT_GETFPREGS: 198 #endif 199 #ifdef PT_SETFPREGS 200 case PT_SETFPREGS: 201 #endif 202 #ifdef PT_GETXMMREGS 203 case PT_GETXMMREGS: 204 #endif 205 #ifdef PT_SETXMMREGS 206 case PT_SETXMMREGS: 207 #endif 208 #ifdef PT_WCOOKIE 209 case PT_WCOOKIE: 210 #endif 211 /* 212 * You can't do what you want to the process if: 213 * (1) It's not being traced at all, 214 */ 215 if (!ISSET(t->p_flag, P_TRACED)) 216 return (EPERM); 217 218 /* 219 * (2) it's not being traced by _you_, or 220 */ 221 if (t->p_pptr != p) 222 return (EBUSY); 223 224 /* 225 * (3) it's not currently stopped. 226 */ 227 if (t->p_stat != SSTOP || !ISSET(t->p_flag, P_WAITED)) 228 return (EBUSY); 229 break; 230 231 default: /* It was not a legal request. */ 232 return (EINVAL); 233 } 234 235 /* Do single-step fixup if needed. */ 236 FIX_SSTEP(t); 237 238 /* Now do the operation. */ 239 write = 0; 240 *retval = 0; 241 242 switch (SCARG(uap, req)) { 243 case PT_TRACE_ME: 244 /* Just set the trace flag. */ 245 atomic_setbits_int(&t->p_flag, P_TRACED); 246 t->p_oppid = t->p_pptr->p_pid; 247 if (t->p_ptstat == NULL) 248 t->p_ptstat = malloc(sizeof(*t->p_ptstat), 249 M_SUBPROC, M_WAITOK); 250 bzero(t->p_ptstat, sizeof(*t->p_ptstat)); 251 return (0); 252 253 case PT_WRITE_I: /* XXX no separate I and D spaces */ 254 case PT_WRITE_D: 255 write = 1; 256 temp = SCARG(uap, data); 257 case PT_READ_I: /* XXX no separate I and D spaces */ 258 case PT_READ_D: 259 /* write = 0 done above. */ 260 iov.iov_base = (caddr_t)&temp; 261 iov.iov_len = sizeof(int); 262 uio.uio_iov = &iov; 263 uio.uio_iovcnt = 1; 264 uio.uio_offset = (off_t)(vaddr_t)SCARG(uap, addr); 265 uio.uio_resid = sizeof(int); 266 uio.uio_segflg = UIO_SYSSPACE; 267 uio.uio_rw = write ? UIO_WRITE : UIO_READ; 268 uio.uio_procp = p; 269 error = process_domem(p, t, &uio, write ? PT_WRITE_I : 270 PT_READ_I); 271 if (write == 0) 272 *retval = temp; 273 return (error); 274 case PT_IO: 275 error = copyin(SCARG(uap, addr), &piod, sizeof(piod)); 276 if (error) 277 return (error); 278 iov.iov_base = piod.piod_addr; 279 iov.iov_len = piod.piod_len; 280 uio.uio_iov = &iov; 281 uio.uio_iovcnt = 1; 282 uio.uio_offset = (off_t)(vaddr_t)piod.piod_offs; 283 uio.uio_resid = piod.piod_len; 284 uio.uio_segflg = UIO_USERSPACE; 285 uio.uio_procp = p; 286 switch (piod.piod_op) { 287 case PIOD_READ_I: 288 req = PT_READ_I; 289 uio.uio_rw = UIO_READ; 290 break; 291 case PIOD_READ_D: 292 req = PT_READ_D; 293 uio.uio_rw = UIO_READ; 294 break; 295 case PIOD_WRITE_I: 296 req = PT_WRITE_I; 297 uio.uio_rw = UIO_WRITE; 298 break; 299 case PIOD_WRITE_D: 300 req = PT_WRITE_D; 301 uio.uio_rw = UIO_WRITE; 302 break; 303 case PIOD_READ_AUXV: 304 req = PT_READ_D; 305 uio.uio_rw = UIO_READ; 306 temp = t->p_emul->e_arglen * sizeof(char *); 307 if (uio.uio_offset > temp) 308 return (EIO); 309 if (uio.uio_resid > temp - uio.uio_offset) 310 uio.uio_resid = temp - uio.uio_offset; 311 piod.piod_len = iov.iov_len = uio.uio_resid; 312 error = process_auxv_offset(p, t, &uio); 313 if (error) 314 return (error); 315 break; 316 default: 317 return (EINVAL); 318 } 319 error = process_domem(p, t, &uio, req); 320 piod.piod_len -= uio.uio_resid; 321 (void) copyout(&piod, SCARG(uap, addr), sizeof(piod)); 322 return (error); 323 #ifdef PT_STEP 324 case PT_STEP: 325 /* 326 * From the 4.4BSD PRM: 327 * "Execution continues as in request PT_CONTINUE; however 328 * as soon as possible after execution of at least one 329 * instruction, execution stops again. [ ... ]" 330 */ 331 #endif 332 case PT_CONTINUE: 333 /* 334 * From the 4.4BSD PRM: 335 * "The data argument is taken as a signal number and the 336 * child's execution continues at location addr as if it 337 * incurred that signal. Normally the signal number will 338 * be either 0 to indicate that the signal that caused the 339 * stop should be ignored, or that value fetched out of 340 * the process's image indicating which signal caused 341 * the stop. If addr is (int *)1 then execution continues 342 * from where it stopped." 343 */ 344 345 /* Check that the data is a valid signal number or zero. */ 346 if (SCARG(uap, data) < 0 || SCARG(uap, data) >= NSIG) 347 return (EINVAL); 348 349 /* If the address parameter is not (int *)1, set the pc. */ 350 if ((int *)SCARG(uap, addr) != (int *)1) 351 if ((error = process_set_pc(t, SCARG(uap, addr))) != 0) 352 goto relebad; 353 354 #ifdef PT_STEP 355 /* 356 * Arrange for a single-step, if that's requested and possible. 357 */ 358 error = process_sstep(t, SCARG(uap, req) == PT_STEP); 359 if (error) 360 goto relebad; 361 #endif 362 goto sendsig; 363 364 case PT_DETACH: 365 /* 366 * From the 4.4BSD PRM: 367 * "The data argument is taken as a signal number and the 368 * child's execution continues at location addr as if it 369 * incurred that signal. Normally the signal number will 370 * be either 0 to indicate that the signal that caused the 371 * stop should be ignored, or that value fetched out of 372 * the process's image indicating which signal caused 373 * the stop. If addr is (int *)1 then execution continues 374 * from where it stopped." 375 */ 376 377 /* Check that the data is a valid signal number or zero. */ 378 if (SCARG(uap, data) < 0 || SCARG(uap, data) >= NSIG) 379 return (EINVAL); 380 381 #ifdef PT_STEP 382 /* 383 * Arrange for a single-step, if that's requested and possible. 384 */ 385 error = process_sstep(t, SCARG(uap, req) == PT_STEP); 386 if (error) 387 goto relebad; 388 #endif 389 390 /* give process back to original parent or init */ 391 if (t->p_oppid != t->p_pptr->p_pid) { 392 struct proc *pp; 393 394 pp = pfind(t->p_oppid); 395 proc_reparent(t, pp ? pp : initproc); 396 } 397 398 /* not being traced any more */ 399 t->p_oppid = 0; 400 atomic_clearbits_int(&t->p_flag, P_TRACED|P_WAITED); 401 402 sendsig: 403 bzero(t->p_ptstat, sizeof(*t->p_ptstat)); 404 405 /* Finally, deliver the requested signal (or none). */ 406 if (t->p_stat == SSTOP) { 407 t->p_xstat = SCARG(uap, data); 408 SCHED_LOCK(s); 409 setrunnable(t); 410 SCHED_UNLOCK(s); 411 } else { 412 if (SCARG(uap, data) != 0) 413 psignal(t, SCARG(uap, data)); 414 } 415 return (0); 416 417 relebad: 418 return (error); 419 420 case PT_KILL: 421 /* just send the process a KILL signal. */ 422 SCARG(uap, data) = SIGKILL; 423 goto sendsig; /* in PT_CONTINUE, above. */ 424 425 case PT_ATTACH: 426 /* 427 * As done in procfs: 428 * Go ahead and set the trace flag. 429 * Save the old parent (it's reset in 430 * _DETACH, and also in kern_exit.c:wait4() 431 * Reparent the process so that the tracing 432 * proc gets to see all the action. 433 * Stop the target. 434 */ 435 atomic_setbits_int(&t->p_flag, P_TRACED); 436 t->p_oppid = t->p_pptr->p_pid; 437 if (t->p_pptr != p) 438 proc_reparent(t, p); 439 if (t->p_ptstat == NULL) 440 t->p_ptstat = malloc(sizeof(*t->p_ptstat), 441 M_SUBPROC, M_WAITOK); 442 SCARG(uap, data) = SIGSTOP; 443 goto sendsig; 444 445 case PT_GET_EVENT_MASK: 446 if (SCARG(uap, data) != sizeof(pe)) 447 return (EINVAL); 448 bzero(&pe, sizeof(pe)); 449 pe.pe_set_event = t->p_ptmask; 450 return (copyout(&pe, SCARG(uap, addr), sizeof(pe))); 451 case PT_SET_EVENT_MASK: 452 if (SCARG(uap, data) != sizeof(pe)) 453 return (EINVAL); 454 if ((error = copyin(SCARG(uap, addr), &pe, sizeof(pe)))) 455 return (error); 456 t->p_ptmask = pe.pe_set_event; 457 return (0); 458 459 case PT_GET_PROCESS_STATE: 460 if (SCARG(uap, data) != sizeof(*t->p_ptstat)) 461 return (EINVAL); 462 return (copyout(t->p_ptstat, SCARG(uap, addr), 463 sizeof(*t->p_ptstat))); 464 465 case PT_SETREGS: 466 KASSERT((p->p_flag & P_SYSTEM) == 0); 467 if ((error = process_checkioperm(p, t)) != 0) 468 return (error); 469 470 regs = malloc(sizeof(*regs), M_TEMP, M_WAITOK); 471 error = copyin(SCARG(uap, addr), regs, sizeof(*regs)); 472 if (error == 0) { 473 error = process_write_regs(t, regs); 474 } 475 free(regs, M_TEMP); 476 return (error); 477 case PT_GETREGS: 478 KASSERT((p->p_flag & P_SYSTEM) == 0); 479 if ((error = process_checkioperm(p, t)) != 0) 480 return (error); 481 482 regs = malloc(sizeof(*regs), M_TEMP, M_WAITOK); 483 error = process_read_regs(t, regs); 484 if (error == 0) 485 error = copyout(regs, 486 SCARG(uap, addr), sizeof (*regs)); 487 free(regs, M_TEMP); 488 return (error); 489 #ifdef PT_SETFPREGS 490 case PT_SETFPREGS: 491 KASSERT((p->p_flag & P_SYSTEM) == 0); 492 if ((error = process_checkioperm(p, t)) != 0) 493 return (error); 494 495 fpregs = malloc(sizeof(*fpregs), M_TEMP, M_WAITOK); 496 error = copyin(SCARG(uap, addr), fpregs, sizeof(*fpregs)); 497 if (error == 0) { 498 error = process_write_fpregs(t, fpregs); 499 } 500 free(fpregs, M_TEMP); 501 return (error); 502 #endif 503 #ifdef PT_GETFPREGS 504 case PT_GETFPREGS: 505 KASSERT((p->p_flag & P_SYSTEM) == 0); 506 if ((error = process_checkioperm(p, t)) != 0) 507 return (error); 508 509 fpregs = malloc(sizeof(*fpregs), M_TEMP, M_WAITOK); 510 error = process_read_fpregs(t, fpregs); 511 if (error == 0) 512 error = copyout(fpregs, 513 SCARG(uap, addr), sizeof(*fpregs)); 514 free(fpregs, M_TEMP); 515 return (error); 516 #endif 517 #ifdef PT_SETXMMREGS 518 case PT_SETXMMREGS: 519 KASSERT((p->p_flag & P_SYSTEM) == 0); 520 if ((error = process_checkioperm(p, t)) != 0) 521 return (error); 522 523 xmmregs = malloc(sizeof(*xmmregs), M_TEMP, M_WAITOK); 524 error = copyin(SCARG(uap, addr), xmmregs, sizeof(*xmmregs)); 525 if (error == 0) { 526 error = process_write_xmmregs(t, xmmregs); 527 } 528 free(xmmregs, M_TEMP); 529 return (error); 530 #endif 531 #ifdef PT_GETXMMREGS 532 case PT_GETXMMREGS: 533 KASSERT((p->p_flag & P_SYSTEM) == 0); 534 if ((error = process_checkioperm(p, t)) != 0) 535 return (error); 536 537 xmmregs = malloc(sizeof(*xmmregs), M_TEMP, M_WAITOK); 538 error = process_read_xmmregs(t, xmmregs); 539 if (error == 0) 540 error = copyout(xmmregs, 541 SCARG(uap, addr), sizeof(*xmmregs)); 542 free(xmmregs, M_TEMP); 543 return (error); 544 #endif 545 #ifdef PT_WCOOKIE 546 case PT_WCOOKIE: 547 wcookie = process_get_wcookie (t); 548 return (copyout(&wcookie, SCARG(uap, addr), 549 sizeof (register_t))); 550 #endif 551 } 552 553 #ifdef DIAGNOSTIC 554 panic("ptrace: impossible"); 555 #endif 556 return 0; 557 } 558 #endif /* PTRACE */ 559 560 /* 561 * Check if a process is allowed to fiddle with the memory of another. 562 * 563 * p = tracer 564 * t = tracee 565 * 566 * 1. You can't attach to a process not owned by you or one that has raised 567 * its privileges. 568 * 1a. ...unless you are root. 569 * 570 * 2. init is always off-limits because it can control the securelevel. 571 * 2a. ...unless securelevel is permanently set to insecure. 572 * 573 * 3. Processes that are in the process of doing an exec() are always 574 * off-limits because of the can of worms they are. Just wait a 575 * second. 576 */ 577 int 578 process_checkioperm(struct proc *p, struct proc *t) 579 { 580 int error; 581 582 if ((t->p_cred->p_ruid != p->p_cred->p_ruid || 583 ISSET(t->p_flag, P_SUGIDEXEC) || 584 ISSET(t->p_flag, P_SUGID)) && 585 (error = suser(p, 0)) != 0) 586 return (error); 587 588 if ((t->p_pid == 1) && (securelevel > -1)) 589 return (EPERM); 590 591 if (t->p_flag & P_INEXEC) 592 return (EAGAIN); 593 594 return (0); 595 } 596 597 int 598 process_domem(struct proc *curp, struct proc *p, struct uio *uio, int req) 599 { 600 struct vmspace *vm; 601 int error; 602 vaddr_t addr; 603 vsize_t len; 604 605 len = uio->uio_resid; 606 if (len == 0) 607 return (0); 608 609 if ((error = process_checkioperm(curp, p)) != 0) 610 return (error); 611 612 /* XXXCDC: how should locking work here? */ 613 if ((p->p_flag & P_WEXIT) || (p->p_vmspace->vm_refcnt < 1)) 614 return(EFAULT); 615 addr = uio->uio_offset; 616 617 vm = p->p_vmspace; 618 vm->vm_refcnt++; 619 620 error = uvm_io(&vm->vm_map, uio, 621 (req == PT_WRITE_I) ? UVM_IO_FIXPROT : 0); 622 623 uvmspace_free(vm); 624 625 if (error == 0 && req == PT_WRITE_I) 626 pmap_proc_iflush(p, addr, len); 627 628 return (error); 629 } 630 631 #ifdef PTRACE 632 int 633 process_auxv_offset(struct proc *curp, struct proc *p, struct uio *uiop) 634 { 635 struct ps_strings pss; 636 struct iovec iov; 637 struct uio uio; 638 int error; 639 640 iov.iov_base = &pss; 641 iov.iov_len = sizeof(pss); 642 uio.uio_iov = &iov; 643 uio.uio_iovcnt = 1; 644 uio.uio_offset = (off_t)(vaddr_t)PS_STRINGS; 645 uio.uio_resid = sizeof(pss); 646 uio.uio_segflg = UIO_SYSSPACE; 647 uio.uio_rw = UIO_READ; 648 uio.uio_procp = curp; 649 650 if ((error = uvm_io(&p->p_vmspace->vm_map, &uio, 0)) != 0) 651 return (error); 652 653 if (pss.ps_envstr == NULL) 654 return (EIO); 655 656 uiop->uio_offset += (off_t)(vaddr_t)(pss.ps_envstr + pss.ps_nenvstr + 1); 657 #ifdef MACHINE_STACK_GROWS_UP 658 if (uiop->uio_offset < (off_t)(vaddr_t)PS_STRINGS) 659 return (EIO); 660 #else 661 if (uiop->uio_offset > (off_t)(vaddr_t)PS_STRINGS) 662 return (EIO); 663 if ((uiop->uio_offset + uiop->uio_resid) > (off_t)(vaddr_t)PS_STRINGS) 664 uiop->uio_resid = (off_t)(vaddr_t)PS_STRINGS - uiop->uio_offset; 665 #endif 666 667 return (0); 668 } 669 #endif 670