1 /*--------------------------------------------------------------------*/
2 /*--- Implementation of vgdb invoker subsystem on Solaris */
3 /* via /proc filesystem and control messages. ---*/
4 /*--------------------------------------------------------------------*/
5
6 /*
7 This file is part of Valgrind, a dynamic binary instrumentation
8 framework.
9
10 Copyright (C) 2014-2015 Ivo Raisr <ivosh@ivosh.net>
11
12 This program is free software; you can redistribute it and/or
13 modify it under the terms of the GNU General Public License as
14 published by the Free Software Foundation; either version 2 of the
15 License, or (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful, but
18 WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program; if not, write to the Free Software
24 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
25 02111-1307, USA.
26
27 The GNU General Public License is contained in the file COPYING.
28 */
29
30 /* This module implements vgdb-invoker subsystem as per vgdb.h
31 on Solaris. It differs significantly from the other ptrace-based
32 implementation found in vgdb-invoker-ptrace.c. However the goal
33 is the same - to work on the following scenario:
34
35 - A valgrind process (referred to also as an inferior process)
36 is remotely debugged with gdb.
37 - All threads of the inferior process are stuck in blocking
38 syscalls.
39 - Therefore no thread can process packets received from gdb.
40
41 When module vgdb.c detects this situation then it calls
42 function invoker_invoke_gdbserver() within the context of
43 invoke_gdbserver_in_valgrind_thread thread. The steps of
44 interaction between vgdb and m_gdbserver module are as follows:
45
46 1. Function invoker_invoke_gdbserver() attaches to the inferior
47 process and stops all threads.
48 2. It gets registers of the first thread and modifies them
49 and the stack so that a call to "invoke_gdbserver" function
50 is arranged along with a function parameter.
51 3. Then it creates an agent thread within the inferior process
52 with these modified registers and waits until the agent thread
53 exits.
54 4. Meanwhile in the inferior process function
55 VG_(invoke_gdbserver)() is invoked within the context of the
56 agent thread; all other threads are still stopped.
57 5. The agent thread processes packets from gdb relayed by vgdb.
58 6. Eventually processing is finished and the agent thread exits
59 in function give_control_back_to_vgdb().
60 7. vgdb then detaches from the inferior process and thus resumes
61 all the stopped threads.
62 */
63
64 #include "vgdb.h"
65
66 #include <assert.h>
67 #include <errno.h>
68 #include <string.h>
69
70 typedef Addr CORE_ADDR;
71
72 typedef struct {
73 long cmd;
74 union {
75 long flags;
76 prgregset_t regs;
77 } arg;
78 } ctl_t;
79
80 /* Process control file /proc/<pid>/ctl.
81 Once this file is closed, PR_RLC flag takes effect and
82 inferior process resumes automatically. */
83 static int ctl_fd = -1;
84
85 /* Copy LEN bytes of data from vgdb memory at MYADDR
86 to valgrind memory at MEMADDR.
87 On failure (cannot write the valgrind memory)
88 returns the value of errno. */
write_memory(pid_t pid,CORE_ADDR memaddr,const void * myaddr,size_t len)89 static int write_memory(pid_t pid, CORE_ADDR memaddr,
90 const void *myaddr, size_t len)
91 {
92 char procname[PATH_MAX];
93 snprintf(procname, sizeof(procname), "/proc/%d/as", pid);
94
95 /* Open the process address-space file. */
96 int as_fd = open(procname, O_WRONLY, 0);
97 if (as_fd < 0) {
98 int error = errno;
99 ERROR(error, "Failed to open %s.\n", procname);
100 return error;
101 }
102
103 if (debuglevel >= 1) {
104 DEBUG(1, "Writing bytes '");
105 size_t i;
106 for (i = 0; i < len; i++)
107 PDEBUG(1, "%02x", ((const unsigned char *) myaddr)[i]);
108 PDEBUG(1, "' to address %#lx.\n", memaddr);
109 }
110
111 ssize_t written = pwrite(as_fd, myaddr, len, memaddr);
112 if ((written < 0) || (written != len)) {
113 int error = errno;
114 ERROR(error, "Failed to write to file %s, memory block of %zu"
115 " bytes at %#lx to %#lx.\n",
116 procname, len, (Addr) myaddr, memaddr);
117 close(as_fd);
118 return error;
119 }
120
121 DEBUG(1, "Written ok.\n");
122 close(as_fd);
123 return 0;
124 }
125
126 /* Attaches to a process identified by pid and stops all threads. */
attach(pid_t pid)127 static Bool attach(pid_t pid)
128 {
129 char procname[PATH_MAX];
130 snprintf(procname, sizeof(procname), "/proc/%d/ctl", pid);
131
132 DEBUG(1, "Attaching to pid %d.\n", pid);
133
134 /* Open the process control file. */
135 ctl_fd = open(procname, O_WRONLY, 0);
136 if (ctl_fd < 0) {
137 ERROR(errno, "Failed to open %s.\n", procname);
138 return False;
139 }
140
141 DEBUG(1, "Setting run-on-last-close-flag (PR_RLC) to pid %d.\n", pid);
142
143 /* Set run-on-last-close flag. */
144 ctl_t ctl;
145 ctl.cmd = PCSET;
146 ctl.arg.flags = PR_RLC;
147 size_t bytes = sizeof(ctl.cmd) + sizeof(ctl.arg.flags);
148 ssize_t written = write(ctl_fd, (void *) &ctl, bytes);
149 if ((written < 0) || (written != bytes)) {
150 ERROR(errno, "Failed to write to ctl_fd: PCSET + PR_RLC.\n");
151 return False;
152 }
153
154 DEBUG(1, "Stopping process %d.\n", pid);
155
156 /* Stop the whole process - all threads. */
157 ctl.cmd = PCSTOP;
158 bytes = sizeof(ctl.cmd);
159 written = write(ctl_fd, (void *) &ctl, bytes);
160 if ((written < 0) || (written != bytes)) {
161 ERROR(errno, "Failed to write to ctl_fd: PCSTOP.\n");
162 return False;
163 }
164
165 DEBUG(1, "Process %d stopped.\n", pid);
166
167 /* Now confirm it is actually the case. */
168 snprintf(procname, sizeof(procname), "/proc/%d/status", pid);
169 int status_fd = open(procname, O_RDONLY, 0);
170 if (status_fd < 0) {
171 ERROR(errno, "Failed to open %s.\n", procname);
172 return False;
173 }
174
175 pstatus_t pstatus;
176 bytes = read(status_fd, &pstatus, sizeof(pstatus));
177 if ((bytes < 0) || (bytes != sizeof(pstatus))) {
178 ERROR(errno, "Failed to read from %s.\n", procname);
179 close(status_fd);
180 return False;
181 }
182
183 if (pstatus.pr_flags & PR_RLC) {
184 DEBUG(2, "Process %d has run-on-last-close flag set. Good.\n", pid);
185 } else {
186 ERROR(0, "Process %d does not have run-on-last-close flag set!\n", pid);
187 close(status_fd);
188 return False;
189 }
190
191 if (pstatus.pr_lwp.pr_flags & PR_STOPPED) {
192 DEBUG(3, "Process %d seems to be stopped. Good.\n", pid);
193 } else {
194 ERROR(0, "Process %d is not stopped!\n", pid);
195 close(status_fd);
196 return False;
197 }
198
199 close(status_fd);
200 return True;
201 }
202
detach(pid_t pid)203 static void detach(pid_t pid)
204 {
205 if (ctl_fd != -1) {
206 close(ctl_fd);
207 ctl_fd = -1;
208 }
209
210 DEBUG(1, "Detached from pid %d.\n", pid);
211 }
212
213 /* Gets the registers of the first thread. */
get_regs(pid_t pid,prgregset_t * regs)214 static Bool get_regs(pid_t pid, prgregset_t *regs)
215 {
216 char procname[PATH_MAX];
217 snprintf(procname, sizeof(procname), "/proc/%d/lwp/1/lwpstatus", pid);
218
219 DEBUG(1, "Getting registers from the first thread of process %d.\n", pid);
220
221 /* Open the first thread's status file. */
222 int status_fd = open(procname, O_RDONLY, 0);
223 if (status_fd < 0) {
224 ERROR(errno, "Failed to open file %s.\n", procname);
225 return False;
226 }
227
228 lwpstatus_t status;
229 ssize_t bytes = read(status_fd, &status, sizeof(status));
230 if ((bytes < 0) || (bytes != sizeof(status))) {
231 ERROR(errno, "Failed to read from %s.\n", procname);
232 close(status_fd);
233 return False;
234 }
235
236 DEBUG(3, "Registers of thread %d from process %d: ", status.pr_lwpid, pid);
237 unsigned int i;
238 for (i = 0; i < _NGREG; i++) {
239 PDEBUG(3, "%u: %#lx, ", i, (unsigned long) status.pr_reg[i]);
240 }
241 PDEBUG(3, "\n");
242
243 memcpy(regs, &status.pr_reg, sizeof(prgregset_t));
244 close(status_fd);
245 return True;
246 }
247
248 /* Modifies the register set so that a new stack frame is created
249 for "invoke_gdbserver" function with an extra argument.
250 The argument is written to the stack of the first thread.
251 */
setup_stack_frame(pid_t pid,prgregset_t * regs)252 static Bool setup_stack_frame(pid_t pid, prgregset_t *regs)
253 {
254 DEBUG(1, "Setting up new stack frame of process %d.\n", pid);
255
256 /* A specific int value is passed to invoke_gdbserver(), to check
257 everything goes according to the plan. */
258 const int check = 0x8BADF00D; // ate bad food.
259
260 /* A bad return address will be pushed on the stack.
261 Function invoke_gdbserver() cannot return. If it ever returns,
262 a NULL address pushed on the stack should ensure this is
263 detected. */
264 const Addr bad_return = 0;
265
266 #if defined(VGA_x86)
267 Addr sp = (*regs)[UESP];
268 #elif defined(VGA_amd64)
269 Addr sp = (*regs)[REG_RSP];
270 #else
271 I_die_here : (sp) architecture missing in vgdb-invoker-solaris.c
272 #endif
273
274 if (shared32 != NULL) {
275 /* vgdb speaking with a 32bit executable. */
276 #if defined(VGA_x86) || defined(VGA_amd64)
277 const size_t regsize = 4;
278
279 /* Push check argument on the stack - according to C/ia32 ABI. */
280 sp = sp - regsize;
281 DEBUG(1, "Pushing check argument to process %d memory.\n", pid);
282 assert(regsize == sizeof(check));
283 int error = write_memory(pid, sp, &check, regsize);
284 if (error != 0) {
285 ERROR(error, "Failed to push check argument to process %d memory.\n",
286 pid);
287 detach(pid);
288 return False;
289 }
290
291 sp = sp - regsize;
292 DEBUG(1, "Pushing bad_return return address to process %d memory.\n",
293 pid);
294 /* Note that even for a 64 bits vgdb, only 4 bytes
295 of NULL bad_return are written. */
296 error = write_memory(pid, sp, &bad_return, regsize);
297 if (error != 0) {
298 ERROR(error, "Failed to push bad_return return address to process %d "
299 "memory.\n", pid);
300 detach(pid);
301 return False;
302 }
303
304 #if defined(VGA_x86)
305 /* Set EBP, ESP, EIP to invoke gdbserver.
306 vgdb is 32bits, speaking with a 32bits process. */
307 (*regs)[EBP] = sp; // bp set to sp
308 (*regs)[UESP] = sp;
309 (*regs)[EIP] = shared32->invoke_gdbserver;
310 #elif defined(VGA_amd64)
311 /* Set RBP, RSP, RIP to invoke gdbserver.
312 vgdb is 64bits, speaking with a 32bits process. */
313 (*regs)[REG_RBP] = sp; // bp set to sp
314 (*regs)[REG_RSP] = sp;
315 (*regs)[REG_RIP] = shared32->invoke_gdbserver;
316 #else
317 I_die_here : not x86 or amd64 in x86/amd64 section/
318 #endif
319
320 #else
321 I_die_here : architecture missing in vgdb-invoker-solaris.c
322 #endif
323
324 } else if (shared64 != NULL) {
325 #if defined(VGA_x86)
326 assert(0); /* 64bits process with a 32bits vgdb - no way */
327 #elif defined(VGA_amd64)
328 /* 64bits vgdb speaking with a 64 bit process. */
329 const int regsize = 8;
330
331 /* Give check argument in rdi - according to C/amd64 ABI. */
332 (*regs)[REG_RDI] = check;
333
334 /* Push return address on stack: return to breakaddr. */
335 sp = sp - regsize;
336 DEBUG(1, "Pushing bad_return return address to process %d memory.\n",
337 pid);
338 int error = write_memory(pid, sp, &bad_return,
339 sizeof(bad_return));
340 if (error != 0) {
341 ERROR(error, "Failed to push bad_return return address to process %d "
342 "memory.\n", pid);
343 detach(pid);
344 return False;
345 }
346
347 /* set RBP, RSP, RIP to invoke gdbserver */
348 (*regs)[REG_RBP] = sp; // bp set to sp
349 (*regs)[REG_RSP] = sp;
350 (*regs)[REG_RIP] = shared64->invoke_gdbserver;
351 #else
352 I_die_here: architecture missing in vgdb-invoker-solaris.c
353 #endif
354 } else {
355 assert(0);
356 }
357
358 DEBUG(1, "New stack frame set up for process %d.\n", pid);
359 return True;
360 }
361
362 /* Creates and starts an agent thread within the inferior process.
363 The agent thread is created stopped and with its held signal set
364 (the signal mask) having all signals except SIGKILL and SIGSTOP
365 blocked. All these signals need to remain blocked while the agent
366 thread is running because valgrind syscall/signal machinery expects
367 that (remember: all valgrind threads are blocked in VgTs_WaitSys
368 - that is the reason why we are invoking the agent, after all).
369 It is necessary to resume the agent thread afterwards.
370 */
invoke_agent(pid_t pid,prgregset_t * regs,id_t * agent_lwpid)371 static Bool invoke_agent(pid_t pid, prgregset_t *regs, id_t *agent_lwpid)
372 {
373 assert(ctl_fd != -1);
374
375 DEBUG(1, "Creating an agent thread within process %d.\n", pid);
376
377 /* Create the agent thread. */
378 ctl_t ctl;
379 ctl.cmd = PCAGENT;
380 memcpy(&ctl.arg.regs, regs, sizeof(prgregset_t));
381 size_t bytes = sizeof(ctl.cmd) + sizeof(ctl.arg.regs);
382 ssize_t written = write(ctl_fd, (void *) &ctl, bytes);
383 if ((written < 0) || (written != bytes)) {
384 ERROR(errno, "Failed to write to ctl_fd: PCAGENT.\n");
385 return False;
386 }
387
388 DEBUG(1, "Obtaining agent thread lwpid for process %d.\n", pid);
389
390 char procname[PATH_MAX];
391 snprintf(procname, sizeof(procname),
392 "/proc/%d/lwp/agent/lwpstatus", pid);
393
394 int status_fd = open(procname, O_RDONLY, 0);
395 if (status_fd < 0) {
396 /* Operation failed but there is no way to get rid of the agent
397 thread from outside. We are doomed... */
398 ERROR(errno, "Failed to open file %s.\n", procname);
399 return False;
400 }
401
402 lwpstatus_t status;
403 bytes = read(status_fd, &status, sizeof(status));
404 if ((bytes < 0) || (bytes != sizeof(status))) {
405 ERROR(errno, "Failed to read from %s.\n", procname);
406 close(status_fd);
407 return False;
408 }
409
410 close(status_fd);
411 *agent_lwpid = status.pr_lwpid;
412
413 snprintf(procname, sizeof(procname),
414 "/proc/%d/lwp/agent/lwpctl", pid);
415
416 int agent_ctl_fd = open(procname, O_WRONLY, 0);
417 if (agent_ctl_fd < 0) {
418 /* Resuming failed but there is no way to get rid of the agent
419 thread from outside. We are doomed... */
420 ERROR(errno, "Failed to open file %s.\n", procname);
421 return False;
422 }
423
424 DEBUG(1, "Resuming the agent thread for process %d.\n", pid);
425
426 /* Resume the agent thread. */
427 ctl.cmd = PCRUN;
428 ctl.arg.flags = 0;
429 bytes = sizeof(ctl.cmd) + sizeof(ctl.arg.flags);
430 written = write(agent_ctl_fd, (void *) &ctl, bytes);
431 if ((written < 0) || (written != bytes)) {
432 /* Resuming failed but there is no way to get rid of the agent
433 thread from outside. We are doomed... */
434 ERROR(errno, "Failed to write to agent_ctl_fd: PCRUN 0.\n");
435 close(agent_ctl_fd);
436 return False;
437 }
438
439 DEBUG(1, "Agent thread lwpid %d now running within process %d.\n",
440 *agent_lwpid, pid);
441 close(agent_ctl_fd);
442 return True;
443 }
444
445 /* Waits until the agent thread running inside the inferior
446 process exits. */
wait_for_agent_exit(pid_t pid,id_t agent_lwpid)447 static Bool wait_for_agent_exit(pid_t pid, id_t agent_lwpid)
448 {
449 char procname[PATH_MAX];
450 snprintf(procname, sizeof(procname), "/proc/%d/lwp/agent/lwpctl", pid);
451
452 int agent_ctl_fd = open(procname, O_WRONLY, 0);
453 if (agent_ctl_fd < 0) {
454 if (errno == ENOENT) {
455 DEBUG(1, "Agent control file %s no longer exists. This means "
456 "agent thread %d exited meanwhile.\n",
457 procname, agent_lwpid);
458 return True;
459 }
460 ERROR(errno, "Failed to open agent control file %s.\n", procname);
461 return False;
462 }
463
464 DEBUG(1, "Waiting for agent thread %d to exit.\n", agent_lwpid);
465
466 /* Wait until the agent thread stops. This covers also the case
467 when the thread exited. */
468 ctl_t ctl;
469 ctl.cmd = PCWSTOP;
470 size_t bytes = sizeof(ctl.cmd);
471 ssize_t written = write(agent_ctl_fd, (void *) &ctl, bytes);
472 if ((written < 0) || (written != bytes)) {
473 if (errno == ENOENT) {
474 DEBUG(1, "Agent thread lwpid %d has now exited in process %d.\n",
475 agent_lwpid, pid);
476 } else {
477 ERROR(errno, "Failed to write to agent_ctl_fd: PCWSTOP.\n");
478 close(agent_ctl_fd);
479 return False;
480 }
481 }
482
483 close(agent_ctl_fd);
484 return True;
485 }
486
invoker_invoke_gdbserver(pid_t pid)487 Bool invoker_invoke_gdbserver(pid_t pid)
488 {
489 if (attach(pid) != True) {
490 return False;
491 }
492
493 prgregset_t regs;
494 if (get_regs(pid, ®s) != True) {
495 detach(pid);
496 return False;
497 }
498
499 if (setup_stack_frame(pid, ®s) != True) {
500 detach(pid);
501 return False;
502 }
503
504 id_t agent_lwpid;
505 if (invoke_agent(pid, ®s, &agent_lwpid) != True) {
506 detach(pid);
507 return False;
508 }
509
510 if (wait_for_agent_exit(pid, agent_lwpid) != True) {
511 detach(pid);
512 return False;
513 }
514
515 detach(pid);
516 return True;
517 }
518
invoker_cleanup_restore_and_detach(void * v_pid)519 void invoker_cleanup_restore_and_detach(void *v_pid)
520 {
521 detach(*(int *) v_pid);
522 }
523
invoker_restrictions_msg(void)524 void invoker_restrictions_msg(void)
525 {
526 }
527
invoker_valgrind_dying(void)528 void invoker_valgrind_dying(void)
529 {
530 }
531