Re: ptrace PT_IO write bug

Jeremie Courreges-Anglas Sat, 28 May 2016 07:23:03 -0700

Mathieu - <naa...@poolp.org> writes:

> Martin Natano wrote:
>> The diff reads fine to me, however it is incomplete. There are some
>> callers of process_domem() in arch/. They will need to be changed too.
>> req seems to be in sync with uio_rw in all the cases, so just removing
>> the last argument should do it.
>>


Thanks, well spotted Martin.

> Thanks for the feedback. The missing callers where an overlook on my
> part, sorry for that.
>
> Here is a regenerated diff including all the call site. As a side note,
> obviously every one of them was using PT_WRITE_I, that's why it went
> unnoticed.

Looks even more correct. :)

ok / objections?

> Mathieu-
>
>
> diff --git a/sys/arch/alpha/alpha/process_machdep.c 
> b/sys/arch/alpha/alpha/process_machdep.c
> index 6fe711e..291e06e 100644
> --- a/sys/arch/alpha/alpha/process_machdep.c
> +++ b/sys/arch/alpha/alpha/process_machdep.c
> @@ -181,7 +181,7 @@ ptrace_read_int(struct proc *p, vaddr_t addr, u_int32_t 
> *v)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_READ;
>       uio.uio_procp = p;
> -     return process_domem(curproc, p, &uio, PT_READ_I);
> +     return process_domem(curproc, p, &uio);
>  }
>  
>  int
> @@ -199,7 +199,7 @@ ptrace_write_int(struct proc *p, vaddr_t addr, u_int32_t 
> v)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_WRITE;
>       uio.uio_procp = p;
> -     return process_domem(curproc, p, &uio, PT_WRITE_I);
> +     return process_domem(curproc, p, &uio);
>  }
>  
>  u_int64_t
> diff --git a/sys/arch/hppa/hppa/trap.c b/sys/arch/hppa/hppa/trap.c
> index e86e636..805a924 100644
> --- a/sys/arch/hppa/hppa/trap.c
> +++ b/sys/arch/hppa/hppa/trap.c
> @@ -690,7 +690,7 @@ ss_get_value(struct proc *p, vaddr_t addr, u_int *value)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_READ;
>       uio.uio_procp = curproc;
> -     return (process_domem(curproc, p, &uio, PT_READ_I));
> +     return (process_domem(curproc, p, &uio));
>  }
>  
>  int
> @@ -708,7 +708,7 @@ ss_put_value(struct proc *p, vaddr_t addr, u_int value)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_WRITE;
>       uio.uio_procp = curproc;
> -     return (process_domem(curproc, p, &uio, PT_WRITE_I));
> +     return (process_domem(curproc, p, &uio));
>  }
>  
>  void
> diff --git a/sys/arch/m88k/m88k/trap.c b/sys/arch/m88k/m88k/trap.c
> index d11f8ca..734743d 100644
> --- a/sys/arch/m88k/m88k/trap.c
> +++ b/sys/arch/m88k/m88k/trap.c
> @@ -1447,7 +1447,7 @@ ss_get_value(struct proc *p, vaddr_t addr, u_int *value)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_READ;
>       uio.uio_procp = curproc;
> -     return (process_domem(curproc, p, &uio, PT_READ_I));
> +     return (process_domem(curproc, p, &uio));
>  }
>  
>  int
> @@ -1465,7 +1465,7 @@ ss_put_value(struct proc *p, vaddr_t addr, u_int value)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_WRITE;
>       uio.uio_procp = curproc;
> -     return (process_domem(curproc, p, &uio, PT_WRITE_I));
> +     return (process_domem(curproc, p, &uio));
>  }
>  
>  /*
> diff --git a/sys/arch/mips64/mips64/trap.c b/sys/arch/mips64/mips64/trap.c
> index 0bd71e5..9e81952 100644
> --- a/sys/arch/mips64/mips64/trap.c
> +++ b/sys/arch/mips64/mips64/trap.c
> @@ -1021,7 +1021,7 @@ ptrace_read_insn(struct proc *p, vaddr_t va, uint32_t 
> *insn)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_READ;
>       uio.uio_procp = p;
> -     return process_domem(p, p, &uio, PT_READ_I);
> +     return process_domem(p, p, &uio);
>  }
>  
>  int
> @@ -1039,7 +1039,7 @@ ptrace_write_insn(struct proc *p, vaddr_t va, uint32_t 
> insn)
>       uio.uio_segflg = UIO_SYSSPACE;
>       uio.uio_rw = UIO_WRITE;
>       uio.uio_procp = p;
> -     return process_domem(p, p, &uio, PT_WRITE_I);
> +     return process_domem(p, p, &uio);
>  }
>  
>  /*
> diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
> index 60ec50e..4d589e7 100644
> --- a/sys/kern/sys_process.c
> +++ b/sys/kern/sys_process.c
> @@ -368,8 +368,7 @@ sys_ptrace(struct proc *p, void *v, register_t *retval)
>               uio.uio_segflg = UIO_SYSSPACE;
>               uio.uio_rw = write ? UIO_WRITE : UIO_READ;
>               uio.uio_procp = p;
> -             error = process_domem(p, t, &uio, write ? PT_WRITE_I :
> -                             PT_READ_I);
> +             error = process_domem(p, t, &uio);
>               if (write == 0)
>                       *retval = temp;
>               return (error);
> @@ -387,23 +386,14 @@ sys_ptrace(struct proc *p, void *v, register_t *retval)
>               uio.uio_procp = p;
>               switch (piod.piod_op) {
>               case PIOD_READ_I:
> -                     req = PT_READ_I;
> -                     uio.uio_rw = UIO_READ;
> -                     break;
>               case PIOD_READ_D:
> -                     req = PT_READ_D;
>                       uio.uio_rw = UIO_READ;
>                       break;
>               case PIOD_WRITE_I:
> -                     req = PT_WRITE_I;
> -                     uio.uio_rw = UIO_WRITE;
> -                     break;
>               case PIOD_WRITE_D:
> -                     req = PT_WRITE_D;
>                       uio.uio_rw = UIO_WRITE;
>                       break;
>               case PIOD_READ_AUXV:
> -                     req = PT_READ_D;
>                       uio.uio_rw = UIO_READ;
>                       temp = tr->ps_emul->e_arglen * sizeof(char *);
>                       if (uio.uio_offset > temp)
> @@ -418,7 +408,7 @@ sys_ptrace(struct proc *p, void *v, register_t *retval)
>               default:
>                       return (EINVAL);
>               }
> -             error = process_domem(p, t, &uio, req);
> +             error = process_domem(p, t, &uio);
>               piod.piod_len -= uio.uio_resid;
>               (void) copyout(&piod, SCARG(uap, addr), sizeof(piod));
>               return (error);
> @@ -711,7 +701,7 @@ process_checkioperm(struct proc *p, struct process *tr)
>  }
>  
>  int
> -process_domem(struct proc *curp, struct proc *p, struct uio *uio, int req)
> +process_domem(struct proc *curp, struct proc *p, struct uio *uio)
>  {
>       struct vmspace *vm;
>       int error;
> @@ -734,11 +724,11 @@ process_domem(struct proc *curp, struct proc *p, struct 
> uio *uio, int req)
>       vm->vm_refcnt++;
>  
>       error = uvm_io(&vm->vm_map, uio,
> -         (req == PT_WRITE_I) ? UVM_IO_FIXPROT : 0);
> +         (uio->uio_rw == UIO_WRITE) ? UVM_IO_FIXPROT : 0);
>  
>       uvmspace_free(vm);
>  
> -     if (error == 0 && req == PT_WRITE_I)
> +     if (error == 0 && uio->uio_rw == UIO_WRITE)
>               pmap_proc_iflush(p, addr, len);
>  
>       return (error);
> diff --git a/sys/sys/ptrace.h b/sys/sys/ptrace.h
> index 3c8fda3..b8b76a0 100644
> --- a/sys/sys/ptrace.h
> +++ b/sys/sys/ptrace.h
> @@ -116,7 +116,7 @@ int       process_write_fpregs(struct proc *p, struct 
> fpreg *regs);
>  #endif
>  int  process_write_regs(struct proc *p, struct reg *regs);
>  int  process_checkioperm(struct proc *, struct process *);
> -int  process_domem(struct proc *, struct proc *, struct uio *, int);
> +int  process_domem(struct proc *, struct proc *, struct uio *);
>  
>  #ifndef FIX_SSTEP
>  #define FIX_SSTEP(p)
>

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: ptrace PT_IO write bug

Reply via email to