coregrind/vgdb-invoker-solaris.c

   1 /*--------------------------------------------------------------------*/
   2 /*--- Implementation of vgdb invoker subsystem on Solaris             */
   3 /*                      via /proc filesystem and control messages. ---*/
   4 /*--------------------------------------------------------------------*/
   5
   6 /*
   7    This file is part of Valgrind, a dynamic binary instrumentation
   8    framework.
   9
  10    Copyright (C) 2014-2017 Ivo Raisr <ivosh@ivosh.net>
  11
  12    This program is free software; you can redistribute it and/or
  13    modify it under the terms of the GNU General Public License as
  14    published by the Free Software Foundation; either version 2 of the
  15    License, or (at your option) any later version.
  16
  17    This program is distributed in the hope that it will be useful, but
  18    WITHOUT ANY WARRANTY; without even the implied warranty of
  19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  20    General Public License for more details.
  21
  22    You should have received a copy of the GNU General Public License
  23    along with this program; if not, see <http://www.gnu.org/licenses/>.
  24
  25    The GNU General Public License is contained in the file COPYING.
  26 */
  27
  28 /* This module implements vgdb-invoker subsystem as per vgdb.h
  29    on Solaris. It differs significantly from the other ptrace-based
  30    implementation found in vgdb-invoker-ptrace.c. However the goal
  31    is the same - to work on the following scenario:
  32
  33    - A valgrind process (referred to also as an inferior process)
  34      is remotely debugged with gdb.
  35    - All threads of the inferior process are stuck in blocking
  36      syscalls.
  37    - Therefore no thread can process packets received from gdb.
  38
  39    When module vgdb.c detects this situation then it calls
  40    function invoker_invoke_gdbserver() within the context of
  41    invoke_gdbserver_in_valgrind_thread thread. The steps of
  42    interaction between vgdb and m_gdbserver module are as follows:
  43
  44    1. Function invoker_invoke_gdbserver() attaches to the inferior
  45       process and stops all threads.
  46    2. It gets registers of the first thread and modifies them
  47       and the stack so that a call to "invoke_gdbserver" function
  48       is arranged along with a function parameter.
  49    3. Then it creates an agent thread within the inferior process
  50       with these modified registers and waits until the agent thread
  51       exits.
  52    4. Meanwhile in the inferior process function
  53       VG_(invoke_gdbserver)() is invoked within the context of the
  54       agent thread; all other threads are still stopped.
  55    5. The agent thread processes packets from gdb relayed by vgdb.
  56    6. Eventually processing is finished and the agent thread exits
  57       in function give_control_back_to_vgdb().
  58    7. vgdb then detaches from the inferior process and thus resumes
  59       all the stopped threads.
  60  */
  61
  62 #include "vgdb.h"
  63
  64 #include <assert.h>
  65 #include <errno.h>
  66 #include <string.h>
  67
  68 typedef Addr CORE_ADDR;
  69
  70 typedef struct {
  71    long cmd;
  72    union {
  73        long flags;
  74        prgregset_t regs;
  75    } arg;
  76 } ctl_t;
  77
  78 /* Process control file /proc/<pid>/ctl.
  79    Once this file is closed, PR_RLC flag takes effect and
  80    inferior process resumes automatically. */
  81 static int ctl_fd = -1;
  82
  83 /* Copy LEN bytes of data from vgdb memory at MYADDR
  84    to valgrind memory at MEMADDR.
  85    On failure (cannot write the valgrind memory)
  86    returns the value of errno. */
  87 static int write_memory(pid_t pid, CORE_ADDR memaddr,
  88                         const void *myaddr, size_t len)
  89 {
  90    char procname[PATH_MAX];
  91    snprintf(procname, sizeof(procname), "/proc/%d/as", pid);
  92
  93    /* Open the process address-space file. */
  94    int as_fd = open(procname, O_WRONLY, 0);
  95    if (as_fd < 0) {
  96       int error = errno;
  97       ERROR(error, "Failed to open %s.\n", procname);
  98       return error;
  99    }
 100
 101    if (debuglevel >= 1) {
 102       DEBUG(1, "Writing bytes '");
 103       size_t i;
 104       for (i = 0; i < len; i++)
 105          PDEBUG(1, "%02x", ((const unsigned char *) myaddr)[i]);
 106       PDEBUG(1, "' to address %#lx.\n", memaddr);
 107    }
 108
 109    ssize_t written = pwrite(as_fd, myaddr, len, memaddr);
 110    if ((written < 0) || (written != len)) {
 111       int error = errno;
 112       ERROR(error, "Failed to write to file %s, memory block of %zu"
 113             " bytes at %#lx to %#lx.\n",
 114             procname, len, (Addr) myaddr, memaddr);
 115       close(as_fd);
 116       return error;
 117    }
 118
 119    DEBUG(1, "Written ok.\n");
 120    close(as_fd);
 121    return 0;
 122 }
 123
 124 /* Attaches to a process identified by pid and stops all threads. */
 125 static Bool attach(pid_t pid)
 126 {
 127    char procname[PATH_MAX];
 128    snprintf(procname, sizeof(procname), "/proc/%d/ctl", pid);
 129
 130    DEBUG(1, "Attaching to pid %d.\n", pid);
 131
 132    /* Open the process control file. */
 133    ctl_fd = open(procname, O_WRONLY, 0);
 134    if (ctl_fd < 0) {
 135       ERROR(errno, "Failed to open %s.\n", procname);
 136       return False;
 137    }
 138
 139    DEBUG(1, "Setting run-on-last-close-flag (PR_RLC) to pid %d.\n", pid);
 140
 141    /* Set run-on-last-close flag. */
 142    ctl_t ctl;
 143    ctl.cmd = PCSET;
 144    ctl.arg.flags = PR_RLC;
 145    size_t bytes = sizeof(ctl.cmd) + sizeof(ctl.arg.flags);
 146    ssize_t written = write(ctl_fd, (void *) &ctl, bytes);
 147    if ((written < 0) || (written != bytes)) {
 148       ERROR(errno, "Failed to write to ctl_fd: PCSET + PR_RLC.\n");
 149       return False;
 150    }
 151
 152    DEBUG(1, "Stopping process %d.\n", pid);
 153
 154    /* Stop the whole process - all threads. */
 155    ctl.cmd = PCSTOP;
 156    bytes = sizeof(ctl.cmd);
 157    written = write(ctl_fd, (void *) &ctl, bytes);
 158    if ((written < 0) || (written != bytes)) {
 159       ERROR(errno, "Failed to write to ctl_fd: PCSTOP.\n");
 160       return False;
 161    }
 162
 163    DEBUG(1, "Process %d stopped.\n", pid);
 164
 165    /* Now confirm it is actually the case. */
 166    snprintf(procname, sizeof(procname), "/proc/%d/status", pid);
 167    int status_fd = open(procname, O_RDONLY, 0);
 168    if (status_fd < 0) {
 169       ERROR(errno, "Failed to open %s.\n", procname);
 170       return False;
 171    }
 172
 173    pstatus_t pstatus;
 174    ssize_t nread = read(status_fd, &pstatus, sizeof(pstatus));
 175    if ((nread < 0) || (nread != sizeof(pstatus))) {
 176       ERROR(errno, "Failed to read from %s.\n", procname);
 177       close(status_fd);
 178       return False;
 179    }
 180
 181    if (pstatus.pr_flags & PR_RLC) {
 182       DEBUG(2, "Process %d has run-on-last-close flag set. Good.\n", pid);
 183    } else {
 184       ERROR(0, "Process %d does not have run-on-last-close flag set!\n", pid);
 185       close(status_fd);
 186       return False;
 187    }
 188
 189    if (pstatus.pr_lwp.pr_flags & PR_STOPPED) {
 190       DEBUG(3, "Process %d seems to be stopped. Good.\n", pid);
 191    } else {
 192       ERROR(0, "Process %d is not stopped!\n", pid);
 193       close(status_fd);
 194       return False;
 195    }
 196
 197    close(status_fd);
 198    return True;
 199 }
 200
 201 static void detach(pid_t pid)
 202 {
 203    if (ctl_fd != -1) {
 204       close(ctl_fd);
 205       ctl_fd = -1;
 206    }
 207
 208    DEBUG(1, "Detached from pid %d.\n", pid);
 209 }
 210
 211 /* Gets the registers of the first thread. */
 212 static Bool get_regs(pid_t pid, prgregset_t *regs)
 213 {
 214    char procname[PATH_MAX];
 215    snprintf(procname, sizeof(procname), "/proc/%d/lwp/1/lwpstatus", pid);
 216
 217    DEBUG(1, "Getting registers from the first thread of process %d.\n", pid);
 218
 219    /* Open the first thread's status file. */
 220    int status_fd = open(procname, O_RDONLY, 0);
 221    if (status_fd < 0) {
 222       ERROR(errno, "Failed to open file %s.\n", procname);
 223       return False;
 224    }
 225
 226    lwpstatus_t status;
 227    ssize_t bytes = read(status_fd, &status, sizeof(status));
 228    if ((bytes < 0) || (bytes != sizeof(status))) {
 229       ERROR(errno, "Failed to read from %s.\n", procname);
 230       close(status_fd);
 231       return False;
 232    }
 233
 234    DEBUG(3, "Registers of thread %d from process %d: ", status.pr_lwpid, pid);
 235    unsigned int i;
 236    for (i = 0; i < _NGREG; i++) {
 237       PDEBUG(3, "%u: %#lx, ", i, (unsigned long) status.pr_reg[i]);
 238    }
 239    PDEBUG(3, "\n");
 240
 241    memcpy(regs, &status.pr_reg, sizeof(prgregset_t));
 242    close(status_fd);
 243    return True;
 244 }
 245
 246 /* Modifies the register set so that a new stack frame is created
 247    for "invoke_gdbserver" function with an extra argument.
 248    The argument is written to the stack of the first thread.
 249  */
 250 static Bool setup_stack_frame(pid_t pid, prgregset_t *regs)
 251 {
 252    DEBUG(1, "Setting up new stack frame of process %d.\n", pid);
 253
 254    /* A specific int value is passed to invoke_gdbserver(), to check
 255       everything goes according to the plan. */
 256    const int check = 0x8BADF00D; // ate bad food.
 257
 258    /* A bad return address will be pushed on the stack.
 259       Function invoke_gdbserver() cannot return. If it ever returns,
 260       a NULL address pushed on the stack should ensure this is
 261       detected. */
 262    const Addr bad_return = 0;
 263
 264 #if defined(VGA_x86)
 265    Addr sp = (*regs)[UESP];
 266 #elif defined(VGA_amd64)
 267    Addr sp = (*regs)[REG_RSP];
 268 #else
 269    I_die_here : (sp) architecture missing in vgdb-invoker-solaris.c
 270 #endif
 271
 272    if (shared32 != NULL) {
 273       /* vgdb speaking with a 32bit executable. */
 274 #if   defined(VGA_x86) || defined(VGA_amd64)
 275       const size_t regsize = 4;
 276
 277       /* Push check argument on the stack - according to C/ia32 ABI. */
 278       sp = sp - regsize;
 279       DEBUG(1, "Pushing check argument to process %d memory.\n", pid);
 280       assert(regsize == sizeof(check));
 281       int error = write_memory(pid, sp, &check, regsize);
 282       if (error != 0) {
 283          ERROR(error, "Failed to push check argument to process %d memory.\n",
 284                       pid);
 285          detach(pid);
 286          return False;
 287       }
 288
 289       sp = sp - regsize;
 290       DEBUG(1, "Pushing bad_return return address to process %d memory.\n",
 291                pid);
 292       /* Note that even for a 64 bits vgdb, only 4 bytes
 293          of NULL bad_return are written. */
 294       error = write_memory(pid, sp, &bad_return, regsize);
 295       if (error != 0) {
 296          ERROR(error, "Failed to push bad_return return address to process %d "
 297                       "memory.\n", pid);
 298          detach(pid);
 299          return False;
 300       }
 301
 302 #if   defined(VGA_x86)
 303       /* Set EBP, ESP, EIP to invoke gdbserver.
 304          vgdb is 32bits, speaking with a 32bits process. */
 305       (*regs)[EBP] = sp; // bp set to sp
 306       (*regs)[UESP] = sp;
 307       (*regs)[EIP] = shared32->invoke_gdbserver;
 308 #elif defined(VGA_amd64)
 309       /* Set RBP, RSP, RIP to invoke gdbserver.
 310          vgdb is 64bits, speaking with a 32bits process. */
 311       (*regs)[REG_RBP] = sp; // bp set to sp
 312       (*regs)[REG_RSP] = sp;
 313       (*regs)[REG_RIP] = shared32->invoke_gdbserver;
 314 #else
 315       I_die_here : not x86 or amd64 in x86/amd64 section/
 316 #endif
 317
 318 #else
 319       I_die_here : architecture missing in vgdb-invoker-solaris.c
 320 #endif
 321
 322    } else if (shared64 != NULL) {
 323 #if defined(VGA_x86)
 324       assert(0); /* 64bits process with a 32bits vgdb - no way */
 325 #elif defined(VGA_amd64)
 326       /* 64bits vgdb speaking with a 64 bit process. */
 327       const int regsize = 8;
 328
 329       /* Give check argument in rdi - according to C/amd64 ABI. */
 330       (*regs)[REG_RDI] = check;
 331
 332       /* Push return address on stack: return to breakaddr. */
 333       sp = sp - regsize;
 334       DEBUG(1, "Pushing bad_return return address to process %d memory.\n",
 335                pid);
 336       int error = write_memory(pid, sp, &bad_return,
 337                                sizeof(bad_return));
 338       if (error != 0) {
 339          ERROR(error, "Failed to push bad_return return address to process %d "
 340                       "memory.\n", pid);
 341          detach(pid);
 342          return False;
 343       }
 344
 345       /* set RBP, RSP, RIP to invoke gdbserver */
 346       (*regs)[REG_RBP] = sp; // bp set to sp
 347       (*regs)[REG_RSP] = sp;
 348       (*regs)[REG_RIP] = shared64->invoke_gdbserver;
 349 #else
 350       I_die_here: architecture missing in vgdb-invoker-solaris.c
 351 #endif
 352    } else {
 353       assert(0);
 354    }
 355
 356    DEBUG(1, "New stack frame set up for process %d.\n", pid);
 357    return True;
 358 }
 359
 360 /* Creates and starts an agent thread within the inferior process.
 361    The agent thread is created stopped and with its held signal set
 362    (the signal mask) having all signals except SIGKILL and SIGSTOP
 363    blocked. All these signals need to remain blocked while the agent
 364    thread is running because valgrind syscall/signal machinery expects
 365    that (remember: all valgrind threads are blocked in VgTs_WaitSys
 366    - that is the reason why we are invoking the agent, after all).
 367    It is necessary to resume the agent thread afterwards.
 368  */
 369 static Bool invoke_agent(pid_t pid, prgregset_t *regs, id_t *agent_lwpid)
 370 {
 371    assert(ctl_fd != -1);
 372
 373    DEBUG(1, "Creating an agent thread within process %d.\n", pid);
 374
 375    /* Create the agent thread. */
 376    ctl_t ctl;
 377    ctl.cmd = PCAGENT;
 378    memcpy(&ctl.arg.regs, regs, sizeof(prgregset_t));
 379    size_t bytes = sizeof(ctl.cmd) + sizeof(ctl.arg.regs);
 380    ssize_t written = write(ctl_fd, (void *) &ctl, bytes);
 381    if ((written < 0) || (written != bytes)) {
 382       ERROR(errno, "Failed to write to ctl_fd: PCAGENT.\n");
 383       return False;
 384    }
 385
 386    DEBUG(1, "Obtaining agent thread lwpid for process %d.\n", pid);
 387
 388    char procname[PATH_MAX];
 389    snprintf(procname, sizeof(procname),
 390             "/proc/%d/lwp/agent/lwpstatus", pid);
 391
 392    int status_fd = open(procname, O_RDONLY, 0);
 393    if (status_fd < 0) {
 394       /* Operation failed but there is no way to get rid of the agent
 395          thread from outside. We are doomed... */
 396       ERROR(errno, "Failed to open file %s.\n", procname);
 397       return False;
 398    }
 399
 400    lwpstatus_t status;
 401    ssize_t nread = read(status_fd, &status, sizeof(status));
 402    if ((nread < 0) || (nread != sizeof(status))) {
 403       ERROR(errno, "Failed to read from %s.\n", procname);
 404       close(status_fd);
 405       return False;
 406    }
 407
 408    close(status_fd);
 409    *agent_lwpid = status.pr_lwpid;
 410
 411    snprintf(procname, sizeof(procname),
 412             "/proc/%d/lwp/agent/lwpctl", pid);
 413
 414    int agent_ctl_fd = open(procname, O_WRONLY, 0);
 415    if (agent_ctl_fd < 0) {
 416       /* Resuming failed but there is no way to get rid of the agent
 417          thread from outside. We are doomed... */
 418       ERROR(errno, "Failed to open file %s.\n", procname);
 419       return False;
 420    }
 421
 422    DEBUG(1, "Resuming the agent thread for process %d.\n", pid);
 423
 424    /* Resume the agent thread. */
 425    ctl.cmd = PCRUN;
 426    ctl.arg.flags = 0;
 427    bytes = sizeof(ctl.cmd) + sizeof(ctl.arg.flags);
 428    written = write(agent_ctl_fd, (void *) &ctl, bytes);
 429    if ((written < 0) || (written != bytes)) {
 430       /* Resuming failed but there is no way to get rid of the agent
 431          thread from outside. We are doomed... */
 432       ERROR(errno, "Failed to write to agent_ctl_fd: PCRUN 0.\n");
 433       close(agent_ctl_fd);
 434       return False;
 435    }
 436
 437    DEBUG(1, "Agent thread lwpid %d now running within process %d.\n",
 438          *agent_lwpid, pid);
 439    close(agent_ctl_fd);
 440    return True;
 441 }
 442
 443 /* Waits until the agent thread running inside the inferior
 444    process exits. */
 445 static Bool wait_for_agent_exit(pid_t pid, id_t agent_lwpid)
 446 {
 447    char procname[PATH_MAX];
 448    snprintf(procname, sizeof(procname), "/proc/%d/lwp/agent/lwpctl", pid);
 449
 450    int agent_ctl_fd = open(procname, O_WRONLY, 0);
 451    if (agent_ctl_fd < 0) {
 452       if (errno == ENOENT) {
 453          DEBUG(1, "Agent control file %s no longer exists. This means "
 454                "agent thread %d exited meanwhile.\n",
 455                procname, agent_lwpid);
 456          return True;
 457       }
 458       ERROR(errno, "Failed to open agent control file %s.\n", procname);
 459       return False;
 460    }
 461
 462    DEBUG(1, "Waiting for agent thread %d to exit.\n", agent_lwpid);
 463
 464    /* Wait until the agent thread stops. This covers also the case
 465       when the thread exited. */
 466    ctl_t ctl;
 467    ctl.cmd = PCWSTOP;
 468    size_t bytes = sizeof(ctl.cmd);
 469    ssize_t written = write(agent_ctl_fd, (void *) &ctl, bytes);
 470    if ((written < 0) || (written != bytes)) {
 471       if (errno == ENOENT) {
 472          DEBUG(1, "Agent thread lwpid %d has now exited in process %d.\n",
 473                   agent_lwpid, pid);
 474       } else {
 475          ERROR(errno, "Failed to write to agent_ctl_fd: PCWSTOP.\n");
 476          close(agent_ctl_fd);
 477          return False;
 478       }
 479    }
 480
 481    close(agent_ctl_fd);
 482    return True;
 483 }
 484
 485 Bool invoker_invoke_gdbserver(pid_t pid)
 486 {
 487    if (attach(pid) != True) {
 488       return False;
 489    }
 490
 491    prgregset_t regs;
 492    if (get_regs(pid, &regs) != True) {
 493       detach(pid);
 494       return False;
 495    }
 496
 497    if (setup_stack_frame(pid, &regs) != True) {
 498       detach(pid);
 499       return False;
 500    }
 501
 502    id_t agent_lwpid;
 503    if (invoke_agent(pid, &regs, &agent_lwpid) != True) {
 504       detach(pid);
 505       return False;
 506    }
 507
 508    if (wait_for_agent_exit(pid, agent_lwpid) != True) {
 509       detach(pid);
 510       return False;
 511    }
 512
 513    detach(pid);
 514    return True;
 515 }
 516
 517 void invoker_cleanup_restore_and_detach(void *v_pid)
 518 {
 519    detach(*(int *) v_pid);
 520 }
 521
 522 void invoker_restrictions_msg(void)
 523 {
 524 }
 525
 526 void invoker_valgrind_dying(void)
 527 {
 528 }