1
/*
2
 * CDDL HEADER START
3
 *
4
 * The contents of this file are subject to the terms of the
5
 * Common Development and Distribution License (the "License").
6
 * You may not use this file except in compliance with the License.
7
 *
8
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9
 * or http://www.opensolaris.org/os/licensing.
10
 * See the License for the specific language governing permissions
11
 * and limitations under the License.
12
 *
13
 * When distributing Covered Code, include this CDDL HEADER in each
14
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15
 * If applicable, add the following below this CDDL HEADER, with the
16
 * fields enclosed by brackets "[]" replaced with your own identifying
17
 * information: Portions Copyright [yyyy] [name of copyright owner]
18
 *
19
 * CDDL HEADER END
20
 */
21

22
/*
23
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24
 * Use is subject to license terms.
25
 */
26

27
/*
28
 * Copyright (c) 2012 by Delphix. All rights reserved.
29
 */
30

31
#include <stdlib.h>
32
#include <assert.h>
33
#include <errno.h>
34
#include <string.h>
35
#include <libgen.h>
36

37
#include <dt_impl.h>
38
#include <dt_pid.h>
39

40
#include <dis_tables.h>
41

42
#ifdef __FreeBSD__
43
#include <libproc.h>
44
#include <libproc_compat.h>
45
#endif
46

47
#define	DT_POPL_EBP	0x5d
48
#define	DT_RET		0xc3
49
#define	DT_RET16	0xc2
50
#define	DT_LEAVE	0xc9
51
#define	DT_JMP32	0xe9
52
#define	DT_JMP8		0xeb
53
#define	DT_REP		0xf3
54

55
#define	DT_MOVL_EBP_ESP	0xe58b
56

57
#define	DT_ISJ32(op16)	(((op16) & 0xfff0) == 0x0f80)
58
#define	DT_ISJ8(op8)	(((op8) & 0xf0) == 0x70)
59

60
#define	DT_MODRM_REG(modrm)	(((modrm) >> 3) & 0x7)
61

62
static int dt_instr_size(uchar_t *, dtrace_hdl_t *, pid_t, uintptr_t, char);
63

64
/*ARGSUSED*/
65
int
66
dt_pid_create_entry_probe(struct ps_prochandle *P, dtrace_hdl_t *dtp,
67
    fasttrap_probe_spec_t *ftp, const GElf_Sym *symp)
68
{
69
	ftp->ftps_type = DTFTP_ENTRY;
70
	ftp->ftps_pc = (uintptr_t)symp->st_value;
71
	ftp->ftps_size = (size_t)symp->st_size;
72
	ftp->ftps_noffs = 1;
73
	ftp->ftps_offs[0] = 0;
74

75
	if (ioctl(dtp->dt_ftfd, FASTTRAPIOC_MAKEPROBE, ftp) != 0) {
76
		dt_dprintf("fasttrap probe creation ioctl failed: %s\n",
77
		    strerror(errno));
78
		return (dt_set_errno(dtp, errno));
79
	}
80

81
	return (1);
82
}
83

84
static int
85
dt_pid_has_jump_table(struct ps_prochandle *P, dtrace_hdl_t *dtp,
86
    uint8_t *text, fasttrap_probe_spec_t *ftp, const GElf_Sym *symp)
87
{
88
	ulong_t i;
89
	int size;
90
#ifdef illumos
91
	pid_t pid = Pstatus(P)->pr_pid;
92
	char dmodel = Pstatus(P)->pr_dmodel;
93
#else
94
	pid_t pid = proc_getpid(P);
95
	char dmodel = proc_getmodel(P);
96
#endif
97

98
	/*
99
	 * Take a pass through the function looking for a register-dependant
100
	 * jmp instruction. This could be a jump table so we have to be
101
	 * ultra conservative.
102
	 */
103
	for (i = 0; i < ftp->ftps_size; i += size) {
104
		size = dt_instr_size(&text[i], dtp, pid, symp->st_value + i,
105
		    dmodel);
106

107
		/*
108
		 * Assume the worst if we hit an illegal instruction.
109
		 */
110
		if (size <= 0) {
111
			dt_dprintf("error at %#lx (assuming jump table)\n", i);
112
			return (1);
113
		}
114

115
#ifdef notyet
116
		/*
117
		 * Register-dependant jmp instructions start with a 0xff byte
118
		 * and have the modrm.reg field set to 4. They can have an
119
		 * optional REX prefix on the 64-bit ISA.
120
		 */
121
		if ((text[i] == 0xff && DT_MODRM_REG(text[i + 1]) == 4) ||
122
		    (dmodel == PR_MODEL_LP64 && (text[i] & 0xf0) == 0x40 &&
123
		    text[i + 1] == 0xff && DT_MODRM_REG(text[i + 2]) == 4)) {
124
			dt_dprintf("found a suspected jump table at %s:%lx\n",
125
			    ftp->ftps_func, i);
126
			return (1);
127
		}
128
#endif
129
	}
130

131
	return (0);
132
}
133

134
/*ARGSUSED*/
135
int
136
dt_pid_create_return_probe(struct ps_prochandle *P, dtrace_hdl_t *dtp,
137
    fasttrap_probe_spec_t *ftp, const GElf_Sym *symp, uint64_t *stret)
138
{
139
	uint8_t *text;
140
	ulong_t i, end;
141
	int size;
142
#ifdef illumos
143
	pid_t pid = Pstatus(P)->pr_pid;
144
	char dmodel = Pstatus(P)->pr_dmodel;
145
#else
146
	pid_t pid = proc_getpid(P);
147
	char dmodel = proc_getmodel(P);
148
#endif
149

150
	/*
151
	 * We allocate a few extra bytes at the end so we don't have to check
152
	 * for overrunning the buffer.
153
	 */
154
	if ((text = calloc(1, symp->st_size + 4)) == NULL) {
155
		dt_dprintf("mr sparkle: malloc() failed\n");
156
		return (DT_PROC_ERR);
157
	}
158

159
	if (Pread(P, text, symp->st_size, symp->st_value) != symp->st_size) {
160
		dt_dprintf("mr sparkle: Pread() failed\n");
161
		free(text);
162
		return (DT_PROC_ERR);
163
	}
164

165
	ftp->ftps_type = DTFTP_RETURN;
166
	ftp->ftps_pc = (uintptr_t)symp->st_value;
167
	ftp->ftps_size = (size_t)symp->st_size;
168
	ftp->ftps_noffs = 0;
169

170
	/*
171
	 * If there's a jump table in the function we're only willing to
172
	 * instrument these specific (and equivalent) instruction sequences:
173
	 *	leave
174
	 *	[rep] ret
175
	 * and
176
	 *	movl	%ebp,%esp
177
	 *	popl	%ebp
178
	 *	[rep] ret
179
	 *
180
	 * We do this to avoid accidentally interpreting jump table
181
	 * offsets as actual instructions.
182
	 */
183
	if (dt_pid_has_jump_table(P, dtp, text, ftp, symp)) {
184
		for (i = 0, end = ftp->ftps_size; i < end; i += size) {
185
			size = dt_instr_size(&text[i], dtp, pid,
186
			    symp->st_value + i, dmodel);
187

188
			/* bail if we hit an invalid opcode */
189
			if (size <= 0)
190
				break;
191

192
			if (text[i] == DT_LEAVE && text[i + 1] == DT_RET) {
193
				dt_dprintf("leave/ret at %lx\n", i + 1);
194
				ftp->ftps_offs[ftp->ftps_noffs++] = i + 1;
195
				size = 2;
196
			} else if (text[i] == DT_LEAVE &&
197
			    text[i + 1] == DT_REP && text[i + 2] == DT_RET) {
198
				dt_dprintf("leave/rep ret at %lx\n", i + 1);
199
				ftp->ftps_offs[ftp->ftps_noffs++] = i + 1;
200
				size = 3;
201
			} else if (*(uint16_t *)&text[i] == DT_MOVL_EBP_ESP &&
202
			    text[i + 2] == DT_POPL_EBP &&
203
			    text[i + 3] == DT_RET) {
204
				dt_dprintf("movl/popl/ret at %lx\n", i + 3);
205
				ftp->ftps_offs[ftp->ftps_noffs++] = i + 3;
206
				size = 4;
207
			} else if (*(uint16_t *)&text[i] == DT_MOVL_EBP_ESP &&
208
			    text[i + 2] == DT_POPL_EBP &&
209
			    text[i + 3] == DT_REP &&
210
			    text[i + 4] == DT_RET) {
211
				dt_dprintf("movl/popl/rep ret at %lx\n", i + 3);
212
				ftp->ftps_offs[ftp->ftps_noffs++] = i + 3;
213
				size = 5;
214
			}
215
		}
216
	} else {
217
		for (i = 0, end = ftp->ftps_size; i < end; i += size) {
218
			size = dt_instr_size(&text[i], dtp, pid,
219
			    symp->st_value + i, dmodel);
220

221
			/* bail if we hit an invalid opcode */
222
			if (size <= 0)
223
				break;
224

225
			/* ordinary ret */
226
			if (size == 1 && text[i] == DT_RET)
227
				goto is_ret;
228

229
			/* two-byte ret */
230
			if (size == 2 && text[i] == DT_REP &&
231
			    text[i + 1] == DT_RET)
232
				goto is_ret;
233

234
			/* ret <imm16> */
235
			if (size == 3 && text[i] == DT_RET16)
236
				goto is_ret;
237

238
			/* two-byte ret <imm16> */
239
			if (size == 4 && text[i] == DT_REP &&
240
			    text[i + 1] == DT_RET16)
241
				goto is_ret;
242

243
			/* 32-bit displacement jmp outside of the function */
244
			if (size == 5 && text[i] == DT_JMP32 && symp->st_size <=
245
			    (uintptr_t)(i + size + *(int32_t *)&text[i + 1]))
246
				goto is_ret;
247

248
			/* 8-bit displacement jmp outside of the function */
249
			if (size == 2 && text[i] == DT_JMP8 && symp->st_size <=
250
			    (uintptr_t)(i + size + *(int8_t *)&text[i + 1]))
251
				goto is_ret;
252

253
			/* 32-bit disp. conditional jmp outside of the func. */
254
			if (size == 6 && DT_ISJ32(*(uint16_t *)&text[i]) &&
255
			    symp->st_size <=
256
			    (uintptr_t)(i + size + *(int32_t *)&text[i + 2]))
257
				goto is_ret;
258

259
			/* 8-bit disp. conditional jmp outside of the func. */
260
			if (size == 2 && DT_ISJ8(text[i]) && symp->st_size <=
261
			    (uintptr_t)(i + size + *(int8_t *)&text[i + 1]))
262
				goto is_ret;
263

264
			continue;
265
is_ret:
266
			dt_dprintf("return at offset %lx\n", i);
267
			ftp->ftps_offs[ftp->ftps_noffs++] = i;
268
		}
269
	}
270

271
	free(text);
272
	if (ftp->ftps_noffs > 0) {
273
		if (ioctl(dtp->dt_ftfd, FASTTRAPIOC_MAKEPROBE, ftp) != 0) {
274
			dt_dprintf("fasttrap probe creation ioctl failed: %s\n",
275
			    strerror(errno));
276
			return (dt_set_errno(dtp, errno));
277
		}
278
	}
279

280
	return (ftp->ftps_noffs);
281
}
282

283
/*ARGSUSED*/
284
int
285
dt_pid_create_offset_probe(struct ps_prochandle *P, dtrace_hdl_t *dtp,
286
    fasttrap_probe_spec_t *ftp, const GElf_Sym *symp, ulong_t off)
287
{
288
	ftp->ftps_type = DTFTP_OFFSETS;
289
	ftp->ftps_pc = (uintptr_t)symp->st_value;
290
	ftp->ftps_size = (size_t)symp->st_size;
291
	ftp->ftps_noffs = 1;
292

293
	if (strcmp("-", ftp->ftps_func) == 0) {
294
		ftp->ftps_offs[0] = off;
295
	} else {
296
		uint8_t *text;
297
		ulong_t i;
298
		int size;
299
#ifdef illumos
300
		pid_t pid = Pstatus(P)->pr_pid;
301
		char dmodel = Pstatus(P)->pr_dmodel;
302
#else
303
		pid_t pid = proc_getpid(P);
304
		char dmodel = proc_getmodel(P);
305
#endif
306

307
		if ((text = malloc(symp->st_size)) == NULL) {
308
			dt_dprintf("mr sparkle: malloc() failed\n");
309
			return (DT_PROC_ERR);
310
		}
311

312
		if (Pread(P, text, symp->st_size, symp->st_value) !=
313
		    symp->st_size) {
314
			dt_dprintf("mr sparkle: Pread() failed\n");
315
			free(text);
316
			return (DT_PROC_ERR);
317
		}
318

319
		/*
320
		 * We can't instrument offsets in functions with jump tables
321
		 * as we might interpret a jump table offset as an
322
		 * instruction.
323
		 */
324
		if (dt_pid_has_jump_table(P, dtp, text, ftp, symp)) {
325
			free(text);
326
			return (0);
327
		}
328

329
		for (i = 0; i < symp->st_size; i += size) {
330
			if (i == off) {
331
				ftp->ftps_offs[0] = i;
332
				break;
333
			}
334

335
			/*
336
			 * If we've passed the desired offset without a
337
			 * match, then the given offset must not lie on a
338
			 * instruction boundary.
339
			 */
340
			if (i > off) {
341
				free(text);
342
				return (DT_PROC_ALIGN);
343
			}
344

345
			size = dt_instr_size(&text[i], dtp, pid,
346
			    symp->st_value + i, dmodel);
347

348
			/*
349
			 * If we hit an invalid instruction, bail as if we
350
			 * couldn't find the offset.
351
			 */
352
			if (size <= 0) {
353
				free(text);
354
				return (DT_PROC_ALIGN);
355
			}
356
		}
357

358
		free(text);
359
	}
360

361
	if (ioctl(dtp->dt_ftfd, FASTTRAPIOC_MAKEPROBE, ftp) != 0) {
362
		dt_dprintf("fasttrap probe creation ioctl failed: %s\n",
363
		    strerror(errno));
364
		return (dt_set_errno(dtp, errno));
365
	}
366

367
	return (ftp->ftps_noffs);
368
}
369

370
/*ARGSUSED*/
371
int
372
dt_pid_create_glob_offset_probes(struct ps_prochandle *P, dtrace_hdl_t *dtp,
373
    fasttrap_probe_spec_t *ftp, const GElf_Sym *symp, const char *pattern)
374
{
375
	uint8_t *text;
376
	int size;
377
	ulong_t i, end = symp->st_size;
378
#ifdef illumos
379
	pid_t pid = Pstatus(P)->pr_pid;
380
	char dmodel = Pstatus(P)->pr_dmodel;
381
#else
382
	pid_t pid = proc_getpid(P);
383
	char dmodel = proc_getmodel(P);
384
#endif
385

386
	ftp->ftps_type = DTFTP_OFFSETS;
387
	ftp->ftps_pc = (uintptr_t)symp->st_value;
388
	ftp->ftps_size = (size_t)symp->st_size;
389
	ftp->ftps_noffs = 0;
390

391
	if ((text = malloc(symp->st_size)) == NULL) {
392
		dt_dprintf("mr sparkle: malloc() failed\n");
393
		return (DT_PROC_ERR);
394
	}
395

396
	if (Pread(P, text, symp->st_size, symp->st_value) != symp->st_size) {
397
		dt_dprintf("mr sparkle: Pread() failed\n");
398
		free(text);
399
		return (DT_PROC_ERR);
400
	}
401

402
	/*
403
	 * We can't instrument offsets in functions with jump tables as
404
	 * we might interpret a jump table offset as an instruction.
405
	 */
406
	if (dt_pid_has_jump_table(P, dtp, text, ftp, symp)) {
407
		free(text);
408
		return (0);
409
	}
410

411
	if (strcmp("*", pattern) == 0) {
412
		for (i = 0; i < end; i += size) {
413
			ftp->ftps_offs[ftp->ftps_noffs++] = i;
414

415
			size = dt_instr_size(&text[i], dtp, pid,
416
			    symp->st_value + i, dmodel);
417

418
			/* bail if we hit an invalid opcode */
419
			if (size <= 0)
420
				break;
421
		}
422
	} else {
423
		char name[sizeof (i) * 2 + 1];
424

425
		for (i = 0; i < end; i += size) {
426
			(void) snprintf(name, sizeof (name), "%lx", i);
427
			if (gmatch(name, pattern))
428
				ftp->ftps_offs[ftp->ftps_noffs++] = i;
429

430
			size = dt_instr_size(&text[i], dtp, pid,
431
			    symp->st_value + i, dmodel);
432

433
			/* bail if we hit an invalid opcode */
434
			if (size <= 0)
435
				break;
436
		}
437
	}
438

439
	free(text);
440
	if (ftp->ftps_noffs > 0) {
441
		if (ioctl(dtp->dt_ftfd, FASTTRAPIOC_MAKEPROBE, ftp) != 0) {
442
			dt_dprintf("fasttrap probe creation ioctl failed: %s\n",
443
			    strerror(errno));
444
			return (dt_set_errno(dtp, errno));
445
		}
446
	}
447

448
	return (ftp->ftps_noffs);
449
}
450

451
typedef struct dtrace_dis {
452
	uchar_t	*instr;
453
	dtrace_hdl_t *dtp;
454
	pid_t pid;
455
	uintptr_t addr;
456
} dtrace_dis_t;
457

458
static int
459
dt_getbyte(void *data)
460
{
461
	dtrace_dis_t	*dis = data;
462
	int ret = *dis->instr;
463

464
	if (ret == FASTTRAP_INSTR) {
465
		fasttrap_instr_query_t instr;
466

467
		instr.ftiq_pid = dis->pid;
468
		instr.ftiq_pc = dis->addr;
469

470
		/*
471
		 * If we hit a byte that looks like the fasttrap provider's
472
		 * trap instruction (which doubles as the breakpoint
473
		 * instruction for debuggers) we need to query the kernel
474
		 * for the real value. This may just be part of an immediate
475
		 * value so there's no need to return an error if the
476
		 * kernel doesn't know about this address.
477
		 */
478
		if (ioctl(dis->dtp->dt_ftfd, FASTTRAPIOC_GETINSTR, &instr) == 0)
479
			ret = instr.ftiq_instr;
480
	}
481

482
	dis->addr++;
483
	dis->instr++;
484

485
	return (ret);
486
}
487

488
static int
489
dt_instr_size(uchar_t *instr, dtrace_hdl_t *dtp, pid_t pid, uintptr_t addr,
490
    char dmodel)
491
{
492
	dtrace_dis_t data;
493
	dis86_t x86dis;
494
	uint_t cpu_mode;
495

496
	data.instr = instr;
497
	data.dtp = dtp;
498
	data.pid = pid;
499
	data.addr = addr;
500

501
	x86dis.d86_data = &data;
502
	x86dis.d86_get_byte = dt_getbyte;
503
	x86dis.d86_check_func = NULL;
504

505
	cpu_mode = (dmodel == PR_MODEL_ILP32) ? SIZE32 : SIZE64;
506

507
	if (dtrace_disx86(&x86dis, cpu_mode) != 0)
508
		return (-1);
509

510
	/*
511
	 * If the instruction was a single-byte breakpoint, there may be
512
	 * another debugger attached to this process. The original instruction
513
	 * can't be recovered so this must fail.
514
	 */
515
	if (x86dis.d86_len == 1 &&
516
	    (uchar_t)x86dis.d86_bytes[0] == FASTTRAP_INSTR)
517
		return (-1);
518

519
	return (x86dis.d86_len);
520
}
521

522