1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2017-2018 John H. Baldwin <jhb@FreeBSD.org>
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
#include <sys/cdefs.h>
#include <sys/param.h>
#ifndef WITHOUT_CAPSICUM
#include <sys/capsicum.h>
#endif
#include <sys/endian.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/stat.h>

#include <machine/atomic.h>
#include <machine/specialreg.h>
#include <machine/vmm.h>
#include <netinet/in.h>
#include <assert.h>
#ifndef WITHOUT_CAPSICUM
#include <capsicum_helpers.h>
#endif
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <netdb.h>
#include <pthread.h>
#include <pthread_np.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include <vmmapi.h>

#include "bhyverun.h"
#include "config.h"
#include "debug.h"
#include "gdb.h"
#include "mem.h"
#include "mevent.h"
68
#define _PATH_GDB_XML "/usr/share/bhyve/gdb"

/*
 * GDB_SIGNAL_* numbers are part of the GDB remote protocol. Most stops
 * use SIGTRAP.
 */
#define GDB_SIGNAL_TRAP 5

/*
 * Software breakpoints are a single INT3 byte (0xcc). GDB_PC_REGNAME is
 * the register written back with the exit's RIP when a planted
 * breakpoint is hit (see gdb_cpu_breakpoint()).
 */
#define GDB_BP_SIZE 1
#define GDB_BP_INSTR (uint8_t []){0xcc}
#define GDB_PC_REGNAME VM_REG_GUEST_RIP

_Static_assert(sizeof(GDB_BP_INSTR) == GDB_BP_SIZE,
    "GDB_BP_INSTR has wrong size");

static void gdb_resume_vcpus(void);
static void check_command(int fd);

/* mevent handles for the debugger socket; NULL while no client is attached. */
static struct mevent *read_event, *write_event;

/*
 * vCPU bookkeeping, all guarded by gdb_lock:
 *   vcpus_active    - vCPUs whose threads have called gdb_cpu_add()
 *   vcpus_suspended - vCPUs the debug server wants parked
 *   vcpus_waiting   - vCPUs currently blocked in _gdb_cpu_suspend()
 * idle_vcpus is broadcast whenever vcpus_suspended is cleared or shrunk.
 */
static cpuset_t vcpus_active, vcpus_suspended, vcpus_waiting;
static pthread_mutex_t gdb_lock;
static pthread_cond_t idle_vcpus;
/*
 * first_stop: the initial stop-on-attach, which is never reported.
 * report_next_stop: whether the next full suspend sends a stop reply.
 * swbreak_enabled: when set, breakpoint stops carry "swbreak:;"
 * (presumably negotiated in the qSupported exchange, not visible here).
 */
static bool first_stop, report_next_stop, swbreak_enabled;
/* Presumably a directory fd for _PATH_GDB_XML; -1 until opened. */
static int xml_dfd = -1;
94
/*
 * An I/O buffer contains 'capacity' bytes of room at 'data'. For a
 * read buffer, 'start' is unused and 'len' contains the number of
 * valid bytes in the buffer. For a write buffer, 'start' is set to
 * the index of the next byte in 'data' to send, and 'len' contains
 * the remaining number of valid bytes to send.
 *
 * 'data' is heap storage that io_buffer_grow() enlarges with realloc();
 * the bytes from start + len to capacity are free space.
 */
struct io_buffer {
	uint8_t *data;		/* realloc()ed storage */
	size_t capacity;	/* bytes available at 'data' */
	size_t start;		/* index of first unsent byte (write side) */
	size_t len;		/* valid bytes beginning at 'start' */
};
108
/*
 * A software breakpoint planted by the debugger, keyed by guest
 * physical address. 'shadow_inst' is sized for the GDB_BP_SIZE bytes
 * the INT3 displaces (presumably restored on removal; the planting
 * code is outside this part of the file).
 */
struct breakpoint {
	uint64_t gpa;
	uint8_t shadow_inst[GDB_BP_SIZE];
	TAILQ_ENTRY(breakpoint) link;
};
114
/*
 * When a vCPU stops to due to an event that should be reported to the
 * debugger, information about the event is stored in this structure.
 * The vCPU thread then sets 'stopped_vcpu' if it is not already set
 * and stops other vCPUs so the event can be reported. The
 * report_stop() function reports the event for the 'stopped_vcpu'
 * vCPU. When the debugger resumes execution via continue or step,
 * the event for 'stopped_vcpu' is cleared. vCPUs will loop in their
 * event handlers until the associated event is reported or disabled.
 *
 * An idle vCPU will have all of the boolean fields set to false.
 *
 * When a vCPU is stepped, 'stepping' is set to true when the vCPU is
 * released to execute the stepped instruction. When the vCPU reports
 * the stepping trap, 'stepped' is set.
 *
 * When a vCPU hits a breakpoint set by the debug server,
 * 'hit_swbreak' is set to true.
 *
 * All fields are read and written only with gdb_lock held.
 */
struct vcpu_state {
	bool stepping;		/* single-step armed by gdb_cpu_resume() */
	bool stepped;		/* step trap taken, awaiting report */
	bool hit_swbreak;	/* our INT3 hit, awaiting report */
};
139
/* Inbound command bytes and the reply being built / drained. */
static struct io_buffer cur_comm, cur_resp;
/* Running checksum of the reply payload; reset by start_packet(). */
static uint8_t cur_csum;
static struct vmctx *ctx;
/* Connected debugger socket, -1 while disconnected. */
static int cur_fd = -1;
static TAILQ_HEAD(, breakpoint) breakpoints;
/* guest_ncpus entries each; vcpus[] is filled in by gdb_cpu_add(). */
static struct vcpu_state *vcpu_state;
static struct vcpu **vcpus;
/* stopped_vcpu == -1 means the current stop is not tied to a vCPU. */
static int cur_vcpu, stopped_vcpu;
static bool gdb_active = false;
149
/*
 * Registers exposed to the debugger. The array index is the register
 * number used by the 'p' packet (see gdb_read_one_reg()); 'size' is the
 * width in bytes sent on the wire (eflags and selectors go as 32-bit
 * values). The order presumably matches GDB's amd64 numbering.
 */
static const struct gdb_reg {
	enum vm_reg_name id;
	int size;
} gdb_regset[] = {
	{ .id = VM_REG_GUEST_RAX, .size = 8 },
	{ .id = VM_REG_GUEST_RBX, .size = 8 },
	{ .id = VM_REG_GUEST_RCX, .size = 8 },
	{ .id = VM_REG_GUEST_RDX, .size = 8 },
	{ .id = VM_REG_GUEST_RSI, .size = 8 },
	{ .id = VM_REG_GUEST_RDI, .size = 8 },
	{ .id = VM_REG_GUEST_RBP, .size = 8 },
	{ .id = VM_REG_GUEST_RSP, .size = 8 },
	{ .id = VM_REG_GUEST_R8, .size = 8 },
	{ .id = VM_REG_GUEST_R9, .size = 8 },
	{ .id = VM_REG_GUEST_R10, .size = 8 },
	{ .id = VM_REG_GUEST_R11, .size = 8 },
	{ .id = VM_REG_GUEST_R12, .size = 8 },
	{ .id = VM_REG_GUEST_R13, .size = 8 },
	{ .id = VM_REG_GUEST_R14, .size = 8 },
	{ .id = VM_REG_GUEST_R15, .size = 8 },
	{ .id = VM_REG_GUEST_RIP, .size = 8 },
	{ .id = VM_REG_GUEST_RFLAGS, .size = 4 },
	{ .id = VM_REG_GUEST_CS, .size = 4 },
	{ .id = VM_REG_GUEST_SS, .size = 4 },
	{ .id = VM_REG_GUEST_DS, .size = 4 },
	{ .id = VM_REG_GUEST_ES, .size = 4 },
	{ .id = VM_REG_GUEST_FS, .size = 4 },
	{ .id = VM_REG_GUEST_GS, .size = 4 },
	/*
	 * Registers past this point are not included in a reply to a 'g' query,
	 * to provide compatibility with debuggers that do not fetch a target
	 * description. The debugger can query them individually with 'p' if it
	 * knows about them. gdb_read_regs() stops at GDB_REG_FIRST_EXT.
	 */
#define GDB_REG_FIRST_EXT VM_REG_GUEST_FS_BASE
	{ .id = VM_REG_GUEST_FS_BASE, .size = 8 },
	{ .id = VM_REG_GUEST_GS_BASE, .size = 8 },
	{ .id = VM_REG_GUEST_KGS_BASE, .size = 8 },
	{ .id = VM_REG_GUEST_CR0, .size = 8 },
	{ .id = VM_REG_GUEST_CR2, .size = 8 },
	{ .id = VM_REG_GUEST_CR3, .size = 8 },
	{ .id = VM_REG_GUEST_CR4, .size = 8 },
	{ .id = VM_REG_GUEST_TPR, .size = 8 },
	{ .id = VM_REG_GUEST_EFER, .size = 8 },
};
195
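#ifdef GDB_LOG
#include <stdarg.h>
#include <stdio.h>

/*
 * Append a printf-style message to the debug log, opening the log
 * lazily on first use. If the log cannot be opened (or, with Capsicum,
 * its rights cannot be limited) the message is silently dropped and
 * later calls retry the open.
 *
 * The path is fixed and lives in a world-writable directory, and bhyve
 * commonly runs with privilege, so the file is opened with O_NOFOLLOW
 * and mode 0600 rather than fopen("w"): a symlink pre-planted at that
 * path by another user is refused instead of followed (CWE-377). A
 * pre-existing regular file at the path is still truncated; this is
 * debug-only code (GDB_LOG), so that residual is accepted.
 */
static void __printflike(1, 2)
debug(const char *fmt, ...)
{
	static FILE *logfile;
	va_list ap;
	int fd;

	if (logfile == NULL) {
		fd = open("/tmp/bhyve_gdb.log",
		    O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
		if (fd == -1)
			return;
		logfile = fdopen(fd, "w");
		if (logfile == NULL) {
			close(fd);
			return;
		}
#ifndef WITHOUT_CAPSICUM
		if (caph_limit_stream(fileno(logfile), CAPH_WRITE) == -1) {
			fclose(logfile);
			logfile = NULL;
			return;
		}
#endif
		setlinebuf(logfile);
	}
	va_start(ap, fmt);
	vfprintf(logfile, fmt, ap);
	va_end(ap);
}
#else
#define debug(...)
#endif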
226
/* Defined later in the file; needed here by close_connection(). */
static void remove_all_sw_breakpoints(void);
228
/*
 * Derive the guest paging configuration of 'vcpu' from CR0/CR3/CR4/EFER
 * and fill in 'paging'. Returns 0 on success or -1 if the registers
 * could not be read (errno is whatever vm_get_register_set() left).
 *
 * For the debugger, always pretend to be the kernel (CPL 0),
 * and if long-mode is enabled, always parse addresses as if
 * in 64-bit mode.
 */
static int
guest_paging_info(struct vcpu *vcpu, struct vm_guest_paging *paging)
{
	enum { R_CR0, R_CR3, R_CR4, R_EFER, R_COUNT };
	const int ids[R_COUNT] = {
		[R_CR0] = VM_REG_GUEST_CR0,
		[R_CR3] = VM_REG_GUEST_CR3,
		[R_CR4] = VM_REG_GUEST_CR4,
		[R_EFER] = VM_REG_GUEST_EFER,
	};
	uint64_t vals[R_COUNT];
	uint64_t cr0, cr4, efer;

	if (vm_get_register_set(vcpu, R_COUNT, ids, vals) == -1)
		return (-1);
	cr0 = vals[R_CR0];
	cr4 = vals[R_CR4];
	efer = vals[R_EFER];

	paging->cr3 = vals[R_CR3];
	paging->cpl = 0;

	/* Operating mode: long mode wins over protected over real. */
	if ((efer & EFER_LMA) != 0)
		paging->cpu_mode = CPU_MODE_64BIT;
	else if ((cr0 & CR0_PE) != 0)
		paging->cpu_mode = CPU_MODE_PROTECTED;
	else
		paging->cpu_mode = CPU_MODE_REAL;

	/* Page-table format. */
	if ((cr0 & CR0_PG) == 0)
		paging->paging_mode = PAGING_MODE_FLAT;
	else if ((cr4 & CR4_PAE) == 0)
		paging->paging_mode = PAGING_MODE_32;
	else if ((efer & EFER_LME) != 0)
		paging->paging_mode = (cr4 & CR4_LA57) != 0 ?
		    PAGING_MODE_64_LA57 : PAGING_MODE_64;
	else
		paging->paging_mode = PAGING_MODE_PAE;
	return (0);
}
267
/*
 * Map a guest virtual address to a physical address (for a given vcpu).
 * If a guest virtual address is valid, return 1. If the address is
 * not valid, return 0. If an error occurs obtaining the mapping,
 * return -1.
 */
static int
guest_vaddr2paddr(struct vcpu *vcpu, uint64_t vaddr, uint64_t *paddr)
{
	struct vm_guest_paging paging;
	int fault = 0;

	if (guest_paging_info(vcpu, &paging) == -1)
		return (-1);

	/*
	 * Always use PROT_READ: the question is whether the VA is
	 * mapped at all, not whether the current vCPU may write it.
	 */
	if (vm_gla2gpa_nofault(vcpu, &paging, vaddr, PROT_READ, paddr,
	    &fault) == -1)
		return (-1);
	return (fault ? 0 : 1);
}
294
/* The guest RIP recorded in a vmexit. */
static uint64_t
guest_pc(struct vm_exit *vme)
{
	const uint64_t pc = vme->rip;

	return (pc);
}
300
/* Discard everything buffered; the storage itself is kept. */
static void
io_buffer_reset(struct io_buffer *io)
{
	io->len = 0;
	io->start = 0;
}
308
/* Free bytes after the valid data, i.e. how much can be appended. */
static size_t
io_buffer_avail(struct io_buffer *io)
{
	size_t used = io->start + io->len;

	return (io->capacity - used);
}
316
/* First valid byte (the next byte to send, for a write buffer). */
static uint8_t *
io_buffer_head(struct io_buffer *io)
{
	return (&io->data[io->start]);
}
323
/* One past the last valid byte; where appended data goes. */
static uint8_t *
io_buffer_tail(struct io_buffer *io)
{
	return (&io->data[io->start + io->len]);
}
330
/*
 * Mark the first 'amount' valid bytes as done without compacting.
 * 'amount' must not exceed the valid length.
 */
static void
io_buffer_advance(struct io_buffer *io, size_t amount)
{
	assert(amount <= io->len);
	io->len -= amount;
	io->start += amount;
}
339
/*
 * Drop the first 'amount' valid bytes and slide whatever remains to
 * the front of the buffer so all free space is contiguous at the tail.
 */
static void
io_buffer_consume(struct io_buffer *io, size_t amount)
{
	io_buffer_advance(io, amount);
	if (io->len != 0) {
		/*
		 * XXX: Consider making this move optional and compacting on a
		 * future read() before realloc().
		 */
		memmove(io->data, io_buffer_head(io), io->len);
	}
	io->start = 0;
}
357
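/*
 * Ensure at least 'newsize' bytes can be appended to 'io', enlarging
 * the storage by exactly the shortfall. Allocation failure is fatal
 * (err(1)), as is a capacity that would wrap size_t: 'newsize' can be
 * driven by packet contents, and a wrapped capacity would hand realloc()
 * a tiny size while the caller believes it has room.
 */
static void
io_buffer_grow(struct io_buffer *io, size_t newsize)
{
	uint8_t *new_data;
	size_t avail, new_cap;

	avail = io_buffer_avail(io);
	if (newsize <= avail)
		return;

	new_cap = io->capacity + (newsize - avail);
	if (new_cap < io->capacity)
		errx(1, "GDB I/O buffer size overflow");
	new_data = realloc(io->data, new_cap);
	if (new_data == NULL)
		err(1, "Failed to grow GDB I/O buffer");
	io->data = new_data;
	io->capacity = new_cap;
}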
375
/*
 * True if cur_resp holds a real reply. An empty buffer, or one holding
 * only a lone acknowledgement ('+'), does not count.
 */
static bool
response_pending(void)
{
	size_t end = cur_resp.start + cur_resp.len;

	if (cur_resp.start == 0 && cur_resp.len == 0)
		return (false);
	if (end == 1 && cur_resp.data[0] == '+')
		return (false);
	return (true);
}
386
/*
 * Tear down the debugger session: drop both mevents (the read event
 * also closes the socket), discard buffered I/O, pull every software
 * breakpoint out of guest memory, forget pending stop events and let
 * all vCPUs run again.
 *
 * Takes gdb_lock itself. NOTE(review): send_pending_data() can reach
 * this from gdb_finish_suspend_vcpus(), which runs with gdb_lock
 * already held; unless gdb_lock is a recursive mutex (its
 * initialization is not visible here) that path re-locks a held mutex.
 */
static void
close_connection(void)
{

	/*
	 * XXX: This triggers a warning because mevent does the close
	 * before the EV_DELETE.
	 */
	pthread_mutex_lock(&gdb_lock);
	mevent_delete(write_event);
	mevent_delete_close(read_event);
	write_event = NULL;
	read_event = NULL;
	io_buffer_reset(&cur_comm);
	io_buffer_reset(&cur_resp);
	cur_fd = -1;

	remove_all_sw_breakpoints();

	/* Clear any pending events. */
	memset(vcpu_state, 0, guest_ncpus * sizeof(*vcpu_state));

	/* Resume any stopped vCPUs. */
	gdb_resume_vcpus();
	pthread_mutex_unlock(&gdb_lock);
}
413
/*
 * Lower-case hex character for a 4-bit value. Callers mask to a
 * nibble first; larger inputs simply continue past 'f'.
 */
static uint8_t
hex_digit(uint8_t nibble)
{
	return (nibble < 10 ? '0' + nibble : 'a' + (nibble - 10));
}
423
/*
 * Value of one hex character, either case. Anything that is not a hex
 * digit yields 0xF rather than an error, so callers cannot tell a
 * malformed packet from an 'f'.
 */
static uint8_t
parse_digit(uint8_t v)
{
	uint8_t base, offset;

	if (v >= '0' && v <= '9') {
		base = '0';
		offset = 0;
	} else if (v >= 'a' && v <= 'f') {
		base = 'a';
		offset = 10;
	} else if (v >= 'A' && v <= 'F') {
		base = 'A';
		offset = 10;
	} else {
		return (0xF);
	}
	return (v - base + offset);
}
436
/*
 * Parse 'len' big-endian hex characters at 'p'. Non-hex characters
 * contribute 0xF (see parse_digit()); more than 2 * sizeof(uintmax_t)
 * digits silently shift the high nibbles out.
 */
static uintmax_t
parse_integer(const uint8_t *p, size_t len)
{
	uintmax_t acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc = (acc << 4) | parse_digit(p[i]);
	return (acc);
}
452
/* Parse two hex characters at 'p' as one byte, high nibble first. */
static uint8_t
parse_byte(const uint8_t *p)
{
	uint8_t hi = parse_digit(p[0]);
	uint8_t lo = parse_digit(p[1]);

	return ((uint8_t)((hi << 4) | lo));
}
459
/*
 * Push as much of cur_resp as the socket accepts. The write event is
 * kept enabled only while bytes remain. Any write() error closes the
 * session; whether 'fd' is non-blocking (so that EAGAIN could surface
 * here) is not visible in this file.
 */
static void
send_pending_data(int fd)
{
	ssize_t n;

	if (cur_resp.len == 0) {
		mevent_disable(write_event);
		return;
	}
	n = write(fd, io_buffer_head(&cur_resp), cur_resp.len);
	if (n == -1) {
		warn("Write to GDB socket failed");
		close_connection();
		return;
	}
	io_buffer_advance(&cur_resp, (size_t)n);
	if (cur_resp.len > 0)
		mevent_enable(write_event);
	else
		mevent_disable(write_event);
}
481
/* Append one raw byte to the reply buffer (no checksum update). */
static void
send_char(uint8_t data)
{
	io_buffer_grow(&cur_resp, 1);
	io_buffer_tail(&cur_resp)[0] = data;
	cur_resp.len += 1;
}
490
/* Append 'len' raw bytes to the reply buffer (no checksum update). */
static void
send_data(const uint8_t *data, size_t len)
{
	uint8_t *dst;

	io_buffer_grow(&cur_resp, len);
	dst = io_buffer_tail(&cur_resp);
	memcpy(dst, data, len);
	cur_resp.len += len;
}
500
/* Write 'v' as two lower-case hex characters into buf[0..1]. */
static void
format_byte(uint8_t v, uint8_t *buf)
{
	buf[1] = hex_digit(v & 0xf);
	buf[0] = hex_digit(v >> 4);
}
508
/*
 * Append a single byte (formatted as two hex characters) to the
 * output buffer, outside the checksummed payload.
 */
static void
send_byte(uint8_t v)
{
	uint8_t hex[2];

	format_byte(v, hex);
	send_data(hex, 2);
}
521
/* Begin a reply packet: emit '$' and reset the payload checksum. */
static void
start_packet(void)
{
	cur_csum = 0;
	send_char('$');
}
529
/* Terminate a reply packet with '#' and the two-digit checksum. */
static void
finish_packet(void)
{
	send_char('#');
	send_byte(cur_csum);
	debug("-> %.*s\n", (int)cur_resp.len, io_buffer_head(&cur_resp));
}
538
/*
 * Append a single character (for the packet payload) and update the
 * checksum.
 */
static void
append_char(uint8_t v)
{
	cur_csum += v;
	send_char(v);
}
550
/*
 * Append an array of bytes (for the packet payload) and update the
 * checksum. The checksum is the plain 8-bit sum of payload bytes.
 */
static void
append_packet_data(const uint8_t *data, size_t len)
{
	size_t i;

	send_data(data, len);
	for (i = 0; i < len; i++)
		cur_csum += data[i];
}
566
/*
 * Append raw bytes to the payload using the remote protocol's binary
 * escaping: '}', '#', '$' and '*' are sent as '}' followed by the
 * byte XOR 0x20.
 */
static void
append_binary_data(const uint8_t *data, size_t len)
{
	uint8_t esc[2];
	size_t i;

	for (i = 0; i < len; i++) {
		uint8_t c = data[i];

		if (c == '}' || c == '#' || c == '$' || c == '*') {
			esc[0] = 0x7d;
			esc[1] = c ^ 0x20;
			append_packet_data(esc, sizeof(esc));
		} else {
			append_packet_data(&c, 1);
		}
	}
}
588
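/*
 * Append a NUL-terminated string to the payload. The cast is needed
 * because append_packet_data() takes uint8_t *; passing a char * is an
 * incompatible-pointer-types diagnostic (an error on recent GCC).
 */
static void
append_string(const char *str)
{
	append_packet_data((const uint8_t *)str, strlen(str));
}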
595
/* Append one byte to the payload as two hex characters. */
static void
append_byte(uint8_t v)
{
	uint8_t hex[2];

	format_byte(v, hex);
	append_packet_data(hex, 2);
}
604
/* Append the low 'len' bytes of 'value' least-significant byte first. */
static void
append_unsigned_native(uintmax_t value, size_t len)
{
	while (len > 0) {
		append_byte((uint8_t)value);
		value >>= 8;
		len--;
	}
}
615
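/*
 * Append the low 'len' bytes of 'value' most-significant byte first.
 *
 * Uses a fixed buffer instead of a VLA sized by the caller: a VLA of
 * length 0 is undefined behavior, and a large 'len' would grow the
 * stack without bound. Bytes above the width of uintmax_t are
 * necessarily zero, so they are emitted as leading "00" pairs first,
 * which produces exactly the output the VLA version did.
 */
static void
append_unsigned_be(uintmax_t value, size_t len)
{
	uint8_t buf[sizeof(uintmax_t) * 2];
	size_t nbytes, i;

	while (len > sizeof(uintmax_t)) {
		append_byte(0);
		len--;
	}
	nbytes = len;
	for (i = 0; i < nbytes; i++) {
		format_byte((uint8_t)value, buf + (nbytes - i - 1) * 2);
		value >>= 8;
	}
	append_packet_data(buf, nbytes * 2);
}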
628
/*
 * Append 'value' as a big-endian hex number using the fewest whole
 * bytes that hold it (zero is sent as a single '0').
 */
static void
append_integer(unsigned int value)
{
	unsigned int rest;
	size_t nbytes;

	if (value == 0) {
		append_char('0');
		return;
	}
	nbytes = 0;
	rest = value;
	do {
		nbytes++;
		rest >>= 8;
	} while (rest != 0);
	append_unsigned_be(value, nbytes);
}
638
/* Append a string with each character encoded as two hex digits. */
static void
append_asciihex(const char *str)
{
	const char *p;

	for (p = str; *p != '\0'; p++)
		append_byte((uint8_t)*p);
}
648
/* Reply with an empty packet ("$#00"), i.e. "unsupported". */
static void
send_empty_response(void)
{
	start_packet();
	finish_packet();
}
656
/* Reply with "Exx", where xx is the low byte of 'error' in hex. */
static void
send_error(int error)
{
	start_packet();
	append_char('E');
	append_byte((uint8_t)error);
	finish_packet();
}
666
/* Reply with "OK". */
static void
send_ok(void)
{
	start_packet();
	append_string("OK");
	finish_packet();
}
675
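/*
 * Parse a remote-protocol thread id. Returns 0 for "0" (any thread),
 * -1 for "-1" (all threads), -2 for an empty or unrepresentable id,
 * and otherwise the hex value.
 *
 * Values above INT_MAX are rejected explicitly. The previous implicit
 * uintmax_t -> int conversion could alias a large id onto the special
 * values (e.g. "ffffffff" became -1, "all threads"), so a debugger
 * could reach the special cases without spelling them. Note that
 * parse_integer() maps non-hex characters to 0xF, so "-5" is not
 * rejected here but parsed as 0xF5.
 */
static int
parse_threadid(const uint8_t *data, size_t len)
{
	uintmax_t tid;

	if (len == 0)
		return (-2);
	if (len == 1 && data[0] == '0')
		return (0);
	if (len == 2 && data[0] == '-' && data[1] == '1')
		return (-1);
	tid = parse_integer(data, len);
	if (tid > INT_MAX)
		return (-2);
	return ((int)tid);
}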
688
/*
 * Report the current stop event to the debugger. If the stop is due
 * to an event triggered on a specific vCPU such as a breakpoint or
 * stepping trap, stopped_vcpu will be set to the vCPU triggering the
 * stop. If 'set_cur_vcpu' is true, then cur_vcpu will be updated to
 * the reporting vCPU for vCPU events.
 *
 * A guest-wide stop is sent as "S05"; a vCPU stop as
 * "T05thread:<id>;[swbreak:;]" where the wire thread id is vcpuid + 1.
 */
static void
report_stop(bool set_cur_vcpu)
{
	struct vcpu_state *vs;

	start_packet();
	if (stopped_vcpu == -1) {
		append_char('S');
		append_byte(GDB_SIGNAL_TRAP);
	} else {
		vs = &vcpu_state[stopped_vcpu];
		if (set_cur_vcpu)
			cur_vcpu = stopped_vcpu;
		append_char('T');
		append_byte(GDB_SIGNAL_TRAP);
		append_string("thread:");
		append_integer(stopped_vcpu + 1);
		append_char(';');
		if (vs->hit_swbreak) {
			debug("$vCPU %d reporting swbreak\n", stopped_vcpu);
			/* Only if the debugger asked for the swbreak reason. */
			if (swbreak_enabled)
				append_string("swbreak:;");
		} else if (vs->stepped) {
			debug("$vCPU %d reporting step\n", stopped_vcpu);
		} else {
			debug("$vCPU %d reporting ???\n", stopped_vcpu);
		}
	}
	finish_packet();
	report_next_stop = false;
}
726
/*
 * If this stop is due to a vCPU event, clear that event to mark it as
 * acknowledged, and arm reporting of the next stop.
 */
static void
discard_stop(void)
{
	int id = stopped_vcpu;

	if (id != -1) {
		vcpu_state[id].hit_swbreak = false;
		vcpu_state[id].stepped = false;
		stopped_vcpu = -1;
	}
	report_next_stop = true;
}
744
/*
 * Called (with gdb_lock held) once every active vCPU is parked. The
 * very first stop, the one taken on attach, is swallowed; afterwards a
 * stop reply is sent whenever one is owed.
 */
static void
gdb_finish_suspend_vcpus(void)
{
	if (first_stop) {
		first_stop = false;
		stopped_vcpu = -1;
		return;
	}
	if (!report_next_stop)
		return;
	assert(!response_pending());
	report_stop(true);
	send_pending_data(cur_fd);
}
758
/*
 * vCPU threads invoke this function whenever the vCPU enters the
 * debug server to pause or report an event. vCPU threads wait here
 * as long as the debug server keeps them suspended.
 *
 * Must be called with gdb_lock held; it is released while waiting on
 * idle_vcpus. When 'report_stop' is set and this vCPU is the last one
 * to park, the stop is reported from here.
 */
static void
_gdb_cpu_suspend(struct vcpu *vcpu, bool report_stop)
{
	const int id = vcpu_id(vcpu);

	debug("$vCPU %d suspending\n", id);
	CPU_SET(id, &vcpus_waiting);
	if (report_stop && CPU_CMP(&vcpus_waiting, &vcpus_suspended) == 0)
		gdb_finish_suspend_vcpus();
	for (;;) {
		if (!CPU_ISSET(id, &vcpus_suspended))
			break;
		pthread_cond_wait(&idle_vcpus, &gdb_lock);
	}
	CPU_CLR(id, &vcpus_waiting);
	debug("$vCPU %d resuming\n", id);
}
778
/*
 * Arm ('val' != 0) or disarm single-stepping on 'vcpu' using whichever
 * exit the host supports: VT-x monitor trap, else RFLAGS.TF #DB exits
 * (AMD). Hardware interrupts are masked alongside so the step lands
 * on the next guest instruction rather than an interrupt handler.
 * Returns 0 on success or the vm_set_capability() error.
 */
static int
_gdb_set_step(struct vcpu *vcpu, int val)
{
	int error;

	error = vm_set_capability(vcpu, VM_CAP_MTRAP_EXIT, val);
	if (error == 0)
		goto mask;
	/* No MTRAP: assume an AMD host and fall back to RFLAGS.TF. */
	error = vm_set_capability(vcpu, VM_CAP_RFLAGS_TF, val);
	if (error != 0)
		return (error);
mask:
	(void)vm_set_capability(vcpu, VM_CAP_MASK_HWINTR, val);
	return (0);
}
800
/*
 * Returns 0 if the host offers a single-step mechanism for 'vcpu'
 * (MTRAP or RFLAGS.TF), -1 if neither capability can be queried. The
 * capability's current value is fetched but not examined, so this
 * reports support, not whether stepping is currently armed.
 */
static int
_gdb_check_step(struct vcpu *vcpu)
{
	int val;

	if (vm_get_capability(vcpu, VM_CAP_MTRAP_EXIT, &val) == 0)
		return (0);
	if (vm_get_capability(vcpu, VM_CAP_RFLAGS_TF, &val) == 0)
		return (0);
	return (-1);
}
815
/*
 * Invoked at the start of a vCPU thread's execution to inform the
 * debug server about the new thread. No-op unless the server is
 * active.
 *
 * If breakpoints already exist the vCPU is made to exit on INT3
 * (the vm_set_capability() result is not checked), and if the other
 * vCPUs are currently parked the new one parks too, so the debugger
 * sees it before it executes its first instruction.
 */
void
gdb_cpu_add(struct vcpu *vcpu)
{
	int id;

	if (!gdb_active)
		return;
	id = vcpu_id(vcpu);
	debug("$vCPU %d starting\n", id);
	pthread_mutex_lock(&gdb_lock);
	assert(id < guest_ncpus);
	assert(vcpus[id] == NULL);
	vcpus[id] = vcpu;
	CPU_SET(id, &vcpus_active);
	if (!TAILQ_EMPTY(&breakpoints)) {
		vm_set_capability(vcpu, VM_CAP_BPT_EXIT, 1);
		debug("$vCPU %d enabled breakpoint exits\n", id);
	}
	if (!CPU_EMPTY(&vcpus_suspended)) {
		CPU_SET(id, &vcpus_suspended);
		_gdb_cpu_suspend(vcpu, false);
	}
	pthread_mutex_unlock(&gdb_lock);
}
850
/*
 * Invoked by vCPU before resuming execution. This enables stepping
 * if the vCPU is marked as stepping. A still-pending event here is a
 * protocol-ordering bug and is caught by the asserts.
 */
static void
gdb_cpu_resume(struct vcpu *vcpu)
{
	struct vcpu_state *vs = &vcpu_state[vcpu_id(vcpu)];

	assert(!vs->hit_swbreak);
	assert(!vs->stepped);
	if (!vs->stepping)
		return;
	{
		int error = _gdb_set_step(vcpu, 1);

		assert(error == 0);
	}
}
874
/*
 * Handler for VM_EXITCODE_DEBUG used to suspend a vCPU when the guest
 * has been suspended due to an event on different vCPU or in response
 * to a guest-wide suspend such as Ctrl-C or the stop on attach.
 * Parks under gdb_lock and re-arms stepping on the way out.
 */
void
gdb_cpu_suspend(struct vcpu *vcpu)
{
	if (!gdb_active)
		return;

	pthread_mutex_lock(&gdb_lock);
	_gdb_cpu_suspend(vcpu, true);
	gdb_cpu_resume(vcpu);
	pthread_mutex_unlock(&gdb_lock);
}
891
/*
 * Ask every active vCPU to park (gdb_lock held). If all of them are
 * already waiting the stop is completed right away.
 */
static void
gdb_suspend_vcpus(void)
{
	assert(pthread_mutex_isowned_np(&gdb_lock));
	debug("suspending all CPUs\n");
	vcpus_suspended = vcpus_active;
	vm_suspend_all_cpus(ctx);
	if (CPU_CMP(&vcpus_waiting, &vcpus_suspended) != 0)
		return;
	gdb_finish_suspend_vcpus();
}
903
/*
 * Invoked each time a vmexit handler needs to step a vCPU.
 * Handles MTRAP and RFLAGS.TF vmexits.
 *
 * A step exit on a vCPU that is not marked 'stepping' is ignored.
 * Otherwise stepping is disarmed, 'stepped' is recorded and the vCPU
 * parks until the debugger consumes the event (discard_stop() clears
 * 'stepped'); the first vCPU to park claims stopped_vcpu and halts the
 * rest.
 */
static void
gdb_cpu_step(struct vcpu *vcpu)
{
	struct vcpu_state *vs;
	int vcpuid = vcpu_id(vcpu);
	int error;

	debug("$vCPU %d stepped\n", vcpuid);
	pthread_mutex_lock(&gdb_lock);
	vs = &vcpu_state[vcpuid];
	if (vs->stepping) {
		vs->stepping = false;
		vs->stepped = true;
		/* Disarm; failure to do so is treated as fatal. */
		error = _gdb_set_step(vcpu, 0);
		assert(error == 0);

		/* Loop until the debugger acknowledges the step. */
		while (vs->stepped) {
			if (stopped_vcpu == -1) {
				debug("$vCPU %d reporting step\n", vcpuid);
				stopped_vcpu = vcpuid;
				gdb_suspend_vcpus();
			}
			_gdb_cpu_suspend(vcpu, true);
		}
		gdb_cpu_resume(vcpu);
	}
	pthread_mutex_unlock(&gdb_lock);
}
936
/*
 * A general handler for VM_EXITCODE_DB.
 * Handles RFLAGS.TF exits on AMD SVM; other #DB exits are ignored.
 */
void
gdb_cpu_debug(struct vcpu *vcpu, struct vm_exit *vmexit)
{
	if (!gdb_active)
		return;
	if (!vmexit->u.dbg.trace_trap)
		return;
	gdb_cpu_step(vcpu);
}
952
/*
 * Handler for VM_EXITCODE_MTRAP reported when a vCPU single-steps via
 * the VT-x-specific MTRAP exit.
 */
void
gdb_cpu_mtrap(struct vcpu *vcpu)
{
	if (gdb_active)
		gdb_cpu_step(vcpu);
}
964
/* Look up the planted breakpoint at guest physical address 'gpa'. */
static struct breakpoint *
find_breakpoint(uint64_t gpa)
{
	struct breakpoint *bp;

	for (bp = TAILQ_FIRST(&breakpoints); bp != NULL;
	    bp = TAILQ_NEXT(bp, link)) {
		if (bp->gpa == gpa)
			break;
	}
	return (bp);
}
976
/*
 * Handler for the breakpoint (u.bpt) vmexit: the guest executed an
 * INT3. If the exit RIP maps to one of our planted breakpoints, the
 * vCPU is parked and the event reported; otherwise the #BP belongs to
 * the guest and is injected back so its own handler sees it.
 *
 * Called from the vCPU thread; takes gdb_lock itself.
 */
void
gdb_cpu_breakpoint(struct vcpu *vcpu, struct vm_exit *vmexit)
{
	struct breakpoint *bp;
	struct vcpu_state *vs;
	uint64_t gpa;
	int error, vcpuid;

	if (!gdb_active) {
		EPRINTLN("vm_loop: unexpected VMEXIT_DEBUG");
		exit(4);
	}
	vcpuid = vcpu_id(vcpu);
	pthread_mutex_lock(&gdb_lock);
	/*
	 * The vCPU just fetched from this RIP, so translation is expected
	 * to succeed (return 1). Note that a 0/-1 result is not handled:
	 * with asserts enabled it aborts bhyve, with NDEBUG 'gpa' is used
	 * uninitialized.
	 */
	error = guest_vaddr2paddr(vcpu, guest_pc(vmexit), &gpa);
	assert(error == 1);
	bp = find_breakpoint(gpa);
	if (bp != NULL) {
		vs = &vcpu_state[vcpuid];
		assert(vs->stepping == false);
		assert(vs->stepped == false);
		assert(vs->hit_swbreak == false);
		vs->hit_swbreak = true;
		/*
		 * Write the exit RIP back (presumably the INT3 address, so
		 * the original instruction runs once the breakpoint byte
		 * is restored; not visible here). Return value unchecked.
		 */
		vm_set_register(vcpu, GDB_PC_REGNAME, guest_pc(vmexit));
		for (;;) {
			/* First vCPU to stop claims the event and halts the rest. */
			if (stopped_vcpu == -1) {
				debug("$vCPU %d reporting breakpoint at rip %#lx\n",
				    vcpuid, guest_pc(vmexit));
				stopped_vcpu = vcpuid;
				gdb_suspend_vcpus();
			}
			_gdb_cpu_suspend(vcpu, true);
			if (!vs->hit_swbreak) {
				/* Breakpoint reported. */
				break;
			}
			/* Re-check: the debugger may have deleted it meanwhile. */
			bp = find_breakpoint(gpa);
			if (bp == NULL) {
				/* Breakpoint was removed. */
				vs->hit_swbreak = false;
				break;
			}
		}
		gdb_cpu_resume(vcpu);
	} else {
		/*
		 * Not ours: hand the #BP to the guest, passing along the
		 * instruction length recorded by the exit.
		 */
		debug("$vCPU %d injecting breakpoint at rip %#lx\n", vcpuid,
		    guest_pc(vmexit));
		error = vm_set_register(vcpu, VM_REG_GUEST_ENTRY_INST_LENGTH,
		    vmexit->u.bpt.inst_length);
		assert(error == 0);
		error = vm_inject_exception(vcpu, IDT_BP, 0, 0, 0);
		assert(error == 0);
	}
	pthread_mutex_unlock(&gdb_lock);
}
1032
/*
 * Release 'vcpu' for exactly one instruction (gdb_lock held). Returns
 * false, without touching any state, if the host supports no
 * single-step mechanism. The step itself is armed later by
 * gdb_cpu_resume() when the vCPU thread wakes.
 */
static bool
gdb_step_vcpu(struct vcpu *vcpu)
{
	const int id = vcpu_id(vcpu);

	debug("$vCPU %d step\n", id);
	if (_gdb_check_step(vcpu) < 0)
		return (false);

	discard_stop();
	vcpu_state[id].stepping = true;
	vm_resume_cpu(vcpu);
	CPU_CLR(id, &vcpus_suspended);
	pthread_cond_broadcast(&idle_vcpus);
	return (true);
}
1051
/* Let every parked vCPU run again (gdb_lock held). */
static void
gdb_resume_vcpus(void)
{
	assert(pthread_mutex_isowned_np(&gdb_lock));
	vm_resume_all_cpus(ctx);
	debug("resuming all CPUs\n");
	CPU_ZERO(&vcpus_suspended);
	/* Wake the threads blocked in _gdb_cpu_suspend(). */
	pthread_cond_broadcast(&idle_vcpus);
}
1062
/*
 * Handle the 'g' packet: reply with the general registers of cur_vcpu
 * in gdb_regset order, stopping before GDB_REG_FIRST_EXT. On a
 * register-read failure an E packet carrying errno is sent instead.
 */
static void
gdb_read_regs(void)
{
	const size_t nregs = nitems(gdb_regset);
	uint64_t vals[nitems(gdb_regset)];
	int ids[nitems(gdb_regset)];
	size_t i;

	for (i = 0; i < nregs; i++)
		ids[i] = gdb_regset[i].id;
	if (vm_get_register_set(vcpus[cur_vcpu], nregs, ids, vals) == -1) {
		send_error(errno);
		return;
	}

	start_packet();
	for (i = 0; i < nregs && gdb_regset[i].id != GDB_REG_FIRST_EXT; i++)
		append_unsigned_native(vals[i], gdb_regset[i].size);
	finish_packet();
}
1085
/*
 * Handle the 'p' packet: 'data'/'len' hold the hex register number,
 * which indexes gdb_regset. Out-of-range numbers get E<EINVAL>;
 * otherwise the register of cur_vcpu is sent in native byte order.
 */
static void
gdb_read_one_reg(const uint8_t *data, size_t len)
{
	const struct gdb_reg *r;
	uint64_t val;
	uintmax_t idx;

	idx = parse_integer(data, len);
	if (idx >= nitems(gdb_regset)) {
		send_error(EINVAL);
		return;
	}
	r = &gdb_regset[idx];

	if (vm_get_register(vcpus[cur_vcpu], r->id, &val) == -1) {
		send_error(errno);
		return;
	}

	start_packet();
	append_unsigned_native(val, r->size);
	finish_packet();
}
1108
/*
 * Handle an 'm addr,len' packet: read 'len' bytes of guest memory at
 * guest virtual address 'addr', translated through cur_vcpu's page
 * tables, and reply with them as hex pairs. If a later page cannot be
 * read the bytes gathered so far are sent as a short reply; if the
 * very first access fails an E packet is sent instead.
 *
 * 'data'/'len' are the packet payload beginning with the 'm'.
 *
 * NOTE(review): the requested length is taken from the packet with no
 * upper bound in this function, and every byte appended grows
 * cur_resp via io_buffer_grow(), whose realloc() failure is fatal
 * (err(1)). Whether the command reader caps the request before
 * dispatch is not visible here; if it does not, a single oversized 'm'
 * from the debugger side can exhaust memory and take down bhyve.
 */
static void
gdb_read_mem(const uint8_t *data, size_t len)
{
	uint64_t gpa, gva, val;
	uint8_t *cp;
	size_t resid, todo, bytes;
	bool started;
	int error;

	assert(len >= 1);

	/* Skip 'm' */
	data += 1;
	len -= 1;

	/* Parse and consume address. */
	cp = memchr(data, ',', len);
	if (cp == NULL || cp == data) {
		send_error(EINVAL);
		return;
	}
	gva = parse_integer(data, cp - data);
	len -= (cp - data) + 1;
	data += (cp - data) + 1;

	/* Parse length: the rest of the payload, unbounded. */
	resid = parse_integer(data, len);

	started = false;
	while (resid > 0) {
		/* Translate at every page boundary; mappings may differ. */
		error = guest_vaddr2paddr(vcpus[cur_vcpu], gva, &gpa);
		if (error == -1) {
			if (started)
				finish_packet();
			else
				send_error(errno);
			return;
		}
		if (error == 0) {
			if (started)
				finish_packet();
			else
				send_error(EFAULT);
			return;
		}

		/* Read bytes from current page. */
		todo = getpagesize() - gpa % getpagesize();
		if (todo > resid)
			todo = resid;

		cp = paddr_guest2host(ctx, gpa, todo);
		if (cp != NULL) {
			/*
			 * If this page is guest RAM, read it a byte
			 * at a time.
			 */
			if (!started) {
				start_packet();
				started = true;
			}
			while (todo > 0) {
				append_byte(*cp);
				cp++;
				gpa++;
				gva++;
				resid--;
				todo--;
			}
		} else {
			/*
			 * If this page isn't guest RAM, try to handle
			 * it via MMIO. For MMIO requests, use
			 * aligned reads of words when possible.
			 */
			while (todo > 0) {
				if (gpa & 1 || todo == 1)
					bytes = 1;
				else if (gpa & 2 || todo == 2)
					bytes = 2;
				else
					bytes = 4;
				error = read_mem(vcpus[cur_vcpu], gpa, &val,
				    bytes);
				if (error == 0) {
					if (!started) {
						start_packet();
						started = true;
					}
					gpa += bytes;
					gva += bytes;
					resid -= bytes;
					todo -= bytes;
					/* Emit the word least-significant byte first. */
					while (bytes > 0) {
						append_byte(val);
						val >>= 8;
						bytes--;
					}
				} else {
					/* MMIO read failed: send what we have, or EFAULT. */
					if (started)
						finish_packet();
					else
						send_error(EFAULT);
					return;
				}
			}
		}
		/* Either finished, or stopped exactly on a page boundary. */
		assert(resid == 0 || gpa % getpagesize() == 0);
	}
	if (!started)
		start_packet();
	finish_packet();
}
1222
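/*
 * Handle an 'M' (write memory) packet: "Maddr,length:XX..." where addr
 * and length are hex and the payload is two hex digits per byte, in
 * memory order.  'data' starts at the 'M' and holds 'len' bytes.
 *
 * addr is a guest virtual address; it is translated one page at a time
 * through the current vCPU's page tables.  Pages that are guest RAM are
 * written through the host mapping; anything else is handed to
 * write_mem() as MMIO using the widest naturally aligned access (1, 2
 * or 4 bytes) that fits.  Replies OK, or an error: EINVAL for a
 * malformed packet, EFAULT for an unmapped address or a failed MMIO
 * write, or errno from a failed translation.
 *
 * The debugger is trusted to write anywhere in the guest; the length
 * checks here only protect bhyve itself from a malformed packet.
 */
static void
gdb_write_mem(const uint8_t *data, size_t len)
{
	uint64_t gpa, gva, val;
	uint8_t *cp;
	size_t resid, todo, bytes;
	int error;

	assert(len >= 1);

	/* Skip 'M' */
	data += 1;
	len -= 1;

	/* Parse and consume address; a missing or empty field is an error. */
	cp = memchr(data, ',', len);
	if (cp == NULL || cp == data) {
		send_error(EINVAL);
		return;
	}
	gva = parse_integer(data, cp - data);
	len -= (cp - data) + 1;
	data += (cp - data) + 1;

	/* Parse and consume length. */
	cp = memchr(data, ':', len);
	if (cp == NULL || cp == data) {
		send_error(EINVAL);
		return;
	}
	resid = parse_integer(data, cp - data);
	len -= (cp - data) + 1;
	data += (cp - data) + 1;

	/*
	 * Verify the available bytes match the length: exactly two hex
	 * digits per byte.  Compare with len / 2 rather than resid * 2;
	 * the product wraps for a hostile length such as
	 * 0x8000000000000000, which would let an empty payload through to
	 * the assert and the parse_byte() reads below.
	 */
	if (len % 2 != 0 || len / 2 != resid) {
		send_error(EINVAL);
		return;
	}

	while (resid > 0) {
		/*
		 * Translate via the current vCPU.  0 means the address is
		 * not mapped; -1 means the translation itself failed and
		 * errno is set.
		 */
		error = guest_vaddr2paddr(vcpus[cur_vcpu], gva, &gpa);
		if (error == -1) {
			send_error(errno);
			return;
		}
		if (error == 0) {
			send_error(EFAULT);
			return;
		}

		/*
		 * Write bytes to the current page only; the next page
		 * needs its own translation.
		 */
		todo = getpagesize() - gpa % getpagesize();
		if (todo > resid)
			todo = resid;

		cp = paddr_guest2host(ctx, gpa, todo);
		if (cp != NULL) {
			/*
			 * If this page is guest RAM, write it a byte
			 * at a time through the host mapping.
			 */
			while (todo > 0) {
				assert(len >= 2);
				*cp = parse_byte(data);
				data += 2;
				len -= 2;
				cp++;
				gpa++;
				gva++;
				resid--;
				todo--;
			}
		} else {
			/*
			 * If this page isn't guest RAM, try to handle
			 * it via MMIO.  For MMIO requests, use aligned
			 * writes of words when possible.  The hex text
			 * is in memory order, so a multi-byte chunk is
			 * parsed as a big-endian integer and be16toh()/
			 * be32toh() produce the value write_mem() takes.
			 */
			while (todo > 0) {
				if (gpa & 1 || todo == 1) {
					bytes = 1;
					val = parse_byte(data);
				} else if (gpa & 2 || todo == 2) {
					bytes = 2;
					val = be16toh(parse_integer(data, 4));
				} else {
					bytes = 4;
					val = be32toh(parse_integer(data, 8));
				}
				error = write_mem(vcpus[cur_vcpu], gpa, val,
				    bytes);
				if (error == 0) {
					gpa += bytes;
					gva += bytes;
					resid -= bytes;
					todo -= bytes;
					data += 2 * bytes;
					len -= 2 * bytes;
				} else {
					send_error(EFAULT);
					return;
				}
			}
		}
		/* Either finished, or exactly at a page boundary. */
		assert(resid == 0 || gpa % getpagesize() == 0);
	}
	assert(len == 0);
	send_ok();
}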
1333
/*
 * Turn VM_CAP_BPT_EXIT on (enable == true) or off for every vCPU in
 * vcpus_active, so that breakpoint instructions trap out to the
 * debugger instead of being delivered to the guest.
 *
 * Returns false as soon as one vCPU refuses the change; vCPUs handled
 * before it keep the new setting.  Returns true once all are done.
 */
static bool
set_breakpoint_caps(bool enable)
{
	cpuset_t remaining;
	int id, want;

	want = enable ? 1 : 0;
	remaining = vcpus_active;
	for (;;) {
		if (CPU_EMPTY(&remaining))
			return (true);
		/* CPU_FFS is 1-based; vCPU ids are 0-based. */
		id = CPU_FFS(&remaining) - 1;
		CPU_CLR(id, &remaining);
		if (vm_set_capability(vcpus[id], VM_CAP_BPT_EXIT, want) < 0)
			return (false);
		debug("$vCPU %d %sabled breakpoint exits\n", id,
		    enable ? "en" : "dis");
	}
}
1352
/*
 * Drop every software breakpoint: restore the saved guest bytes over
 * each patched location, free the records, and turn breakpoint exits
 * off again.  A no-op when no breakpoints are installed (the capability
 * is then left untouched).
 */
static void
remove_all_sw_breakpoints(void)
{
	struct breakpoint *bp;
	uint8_t *host;

	if (TAILQ_EMPTY(&breakpoints))
		return;

	while ((bp = TAILQ_FIRST(&breakpoints)) != NULL) {
		debug("remove breakpoint at %#lx\n", bp->gpa);
		/*
		 * Breakpoints are only ever installed in guest RAM (see
		 * update_sw_breakpoint()), so this translation is relied
		 * on to succeed; the result is not re-checked here.
		 */
		host = paddr_guest2host(ctx, bp->gpa, sizeof(bp->shadow_inst));
		memcpy(host, bp->shadow_inst, sizeof(bp->shadow_inst));
		TAILQ_REMOVE(&breakpoints, bp, link);
		free(bp);
	}
	TAILQ_INIT(&breakpoints);
	set_breakpoint_caps(false);
}
1372
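/*
 * Insert (insert == true) or remove a software breakpoint at guest
 * virtual address 'gva', translated via the current vCPU.  'kind' is the
 * protocol's size field and must equal GDB_BP_SIZE.
 *
 * Breakpoints are keyed by guest physical address and patched directly
 * into guest RAM: the original bytes are saved in bp->shadow_inst and
 * GDB_BP_INSTR is written in their place.  Addresses that do not map to
 * guest RAM are refused with EFAULT.  Installing the first breakpoint
 * enables VM_CAP_BPT_EXIT on all active vCPUs; removing the last one
 * disables it.  Duplicate inserts and removal of an absent breakpoint
 * succeed silently because the protocol requires Z/z to be idempotent.
 *
 * Replies OK, an errno (EINVAL, EFAULT, ENOMEM, or the translation's
 * errno), or the empty response when breakpoint exits cannot be enabled.
 */
static void
update_sw_breakpoint(uint64_t gva, int kind, bool insert)
{
	struct breakpoint *bp;
	uint64_t gpa;
	uint8_t *cp;
	bool first;
	int error;

	if (kind != GDB_BP_SIZE) {
		send_error(EINVAL);
		return;
	}

	error = guest_vaddr2paddr(vcpus[cur_vcpu], gva, &gpa);
	if (error == -1) {
		send_error(errno);
		return;
	}
	if (error == 0) {
		send_error(EFAULT);
		return;
	}

	cp = paddr_guest2host(ctx, gpa, sizeof(bp->shadow_inst));

	/* Only permit breakpoints in guest RAM. */
	if (cp == NULL) {
		send_error(EFAULT);
		return;
	}

	/* Find any existing breakpoint. */
	bp = find_breakpoint(gpa);

	/*
	 * Silently ignore duplicate commands since the protocol
	 * requires these packets to be idempotent.
	 */
	if (insert) {
		if (bp == NULL) {
			first = TAILQ_EMPTY(&breakpoints);
			if (first && !set_breakpoint_caps(true)) {
				/* Can't trap breakpoints: report unsupported. */
				send_empty_response();
				return;
			}
			bp = malloc(sizeof(*bp));
			if (bp == NULL) {
				/*
				 * Nothing was patched, so put the
				 * capability back the way it was rather
				 * than leaving exits enabled with no
				 * breakpoint to account for them.
				 */
				if (first)
					set_breakpoint_caps(false);
				send_error(ENOMEM);
				return;
			}
			bp->gpa = gpa;
			memcpy(bp->shadow_inst, cp, sizeof(bp->shadow_inst));
			memcpy(cp, GDB_BP_INSTR, sizeof(bp->shadow_inst));
			TAILQ_INSERT_TAIL(&breakpoints, bp, link);
			debug("new breakpoint at %#lx\n", gpa);
		}
	} else {
		if (bp != NULL) {
			debug("remove breakpoint at %#lx\n", gpa);
			memcpy(cp, bp->shadow_inst, sizeof(bp->shadow_inst));
			TAILQ_REMOVE(&breakpoints, bp, link);
			free(bp);
			if (TAILQ_EMPTY(&breakpoints))
				set_breakpoint_caps(false);
		}
	}
	send_ok();
}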
1437
/*
 * Parse a 'Z' (insert) or 'z' (remove) breakpoint packet of the form
 * "Ztype,addr,kind[;cond...]" and dispatch it.  'data' starts at the
 * Z/z and holds 'len' bytes.
 *
 * Only type 0 (software breakpoint) is implemented; other types get the
 * empty response.  A trailing ';' list (conditions or commands) is also
 * answered with the empty response, since neither feature is advertised
 * in qSupported.  A missing or empty type/address field is EINVAL.
 */
static void
parse_breakpoint(const uint8_t *data, size_t len)
{
	const uint8_t *sep;
	uint64_t addr;
	size_t fieldlen;
	bool insert;
	int kind, type;

	insert = (data[0] == 'Z');

	/* Skip 'Z/z' */
	data++;
	len--;

	/* Type: everything up to the first ','. */
	sep = memchr(data, ',', len);
	if (sep == NULL || sep == data) {
		send_error(EINVAL);
		return;
	}
	fieldlen = sep - data;
	type = parse_integer(data, fieldlen);
	data = sep + 1;
	len -= fieldlen + 1;

	/* Address: up to the second ','. */
	sep = memchr(data, ',', len);
	if (sep == NULL || sep == data) {
		send_error(EINVAL);
		return;
	}
	fieldlen = sep - data;
	addr = parse_integer(data, fieldlen);
	data = sep + 1;
	len -= fieldlen + 1;

	/* Kind: the remainder, unless a ';' introduces extras. */
	sep = memchr(data, ';', len);
	if (sep == data) {
		send_error(EINVAL);
		return;
	}
	if (sep != NULL) {
		/*
		 * We do not advertise support for either the
		 * ConditionalBreakpoints or BreakpointCommands
		 * features, so we should not be getting conditions or
		 * commands from the remote end.
		 */
		send_empty_response();
		return;
	}
	kind = parse_integer(data, len);

	if (type == 0)
		update_sw_breakpoint(addr, kind, insert);
	else
		send_empty_response();
}
1501
/*
 * Return true when the packet body 'data' (of 'len' bytes) begins with
 * the NUL-terminated string 'cmd'.  This is a prefix test, not a full
 * comparison: "qC" matches "qCxxx" as well as "qC".
 */
static bool
command_equals(const uint8_t *data, size_t len, const char *cmd)
{
	size_t cmdlen = strlen(cmd);

	return (len >= cmdlen && memcmp(data, cmd, cmdlen) == 0);
}
1510
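/*
 * Handle the feature list of a qSupported packet.  'data' points just
 * past "qSupported" and holds 'len' bytes of ";"-separated features,
 * each either "name=value" or "name+" / "name-".
 *
 * The only client feature acted on is "swbreak", which records whether
 * the debugger understands swbreak stop reasons (swbreak_enabled).
 * Malformed or unknown features are ignored.  The reply advertises the
 * stub's own features: a 4096-byte packet limit, swbreak, and
 * qXfer:features:read.  Replies ENOMEM if the working copy of the list
 * cannot be allocated.
 */
static void
check_features(const uint8_t *data, size_t len)
{
	char *feature, *next_feature, *str, *value;
	bool supported;

	/* strsep/strchr need a NUL-terminated, writable copy. */
	str = malloc(len + 1);
	if (str == NULL) {
		send_error(ENOMEM);
		return;
	}
	memcpy(str, data, len);
	str[len] = '\0';
	next_feature = str;

	while ((feature = strsep(&next_feature, ";")) != NULL) {
		/*
		 * Null features shouldn't exist, but skip if they
		 * do.
		 */
		if (strcmp(feature, "") == 0)
			continue;

		/*
		 * Look for the value or supported / not supported
		 * flag.
		 */
		value = strchr(feature, '=');
		if (value != NULL) {
			*value = '\0';
			value++;
			supported = true;
		} else {
			/* feature is non-empty here, so this is in range. */
			value = feature + strlen(feature) - 1;
			switch (*value) {
			case '+':
				supported = true;
				break;
			case '-':
				supported = false;
				break;
			default:
				/*
				 * This is really a protocol error,
				 * but we just ignore malformed
				 * features for ease of
				 * implementation.
				 */
				continue;
			}
			value = NULL;
		}

		if (strcmp(feature, "swbreak") == 0)
			swbreak_enabled = supported;
	}
	free(str);

	start_packet();

	/* This is an arbitrary limit. */
	append_string("PacketSize=4096");
	append_string(";swbreak+");
	append_string(";qXfer:features:read+");
	finish_packet();
}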
1573
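/*
 * Serve one 'qXfer:features:read:ANNEX:OFFSET,LENGTH' request.  'data'
 * points just past the "qXfer:features:read:" prefix and holds 'len'
 * bytes.  ANNEX names a file under xml_dfd (the target-description
 * directory opened by init_gdb()); OFFSET and LENGTH are hex.
 *
 * Replies 'm' plus a partial chunk, or 'l' plus the final chunk (empty
 * when OFFSET is at or past the end of the file).  Errors: EINVAL for a
 * malformed request, or errno from openat/fstat/mmap.
 */
static void
gdb_query_xfer_features(const uint8_t *data, size_t len)
{
	struct stat sb;
	const char *xml;
	const uint8_t *pathend;
	char buf[64], path[PATH_MAX];
	size_t pathlen, xmllen;
	unsigned int doff, dlen;
	int fd;

	/* Annex: everything up to the ':' that precedes OFFSET,LENGTH. */
	pathend = memchr(data, ':', len);
	if (pathend == NULL) {
		send_error(EINVAL);
		return;
	}
	pathlen = pathend - data;
	if (pathlen >= sizeof(path) - 1) {
		send_error(EINVAL);
		return;
	}
	memcpy(path, data, pathlen);
	path[pathlen] = '\0';

	/*
	 * Consume the annex and its ':'.  'len' must be reduced by the
	 * pre-advance distance; computing it after moving 'data' would
	 * leave the annex length in 'len' and make the memcpy below read
	 * past the end of the request.
	 */
	data = pathend + 1;
	len -= pathlen + 1;

	/* OFFSET,LENGTH is short; copy it so sscanf sees a C string. */
	if (len > sizeof(buf) - 1) {
		send_error(EINVAL);
		return;
	}
	memcpy(buf, data, len);
	buf[len] = '\0';
	if (sscanf(buf, "%x,%x", &doff, &dlen) != 2) {
		send_error(EINVAL);
		return;
	}

	/*
	 * The annex is debugger-supplied; O_RESOLVE_BENEATH keeps a path
	 * such as "../x" from escaping the XML directory.
	 */
	fd = openat(xml_dfd, path, O_RDONLY | O_RESOLVE_BENEATH);
	if (fd < 0) {
		send_error(errno);
		return;
	}
	if (fstat(fd, &sb) < 0) {
		send_error(errno);
		close(fd);
		return;
	}
	xml = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
	if (xml == MAP_FAILED) {
		send_error(errno);
		close(fd);
		return;
	}
	close(fd);
	xmllen = sb.st_size;

	start_packet();
	if (doff >= xmllen) {
		append_char('l');
	} else if (dlen >= xmllen - doff) {
		/*
		 * Compare against the bytes remaining rather than
		 * doff + dlen, which wraps for a large LENGTH and would
		 * select the 'm' branch with an out-of-range length.
		 */
		append_char('l');
		append_binary_data(xml + doff, xmllen - doff);
	} else {
		append_char('m');
		append_binary_data(xml + doff, dlen);
	}
	finish_packet();
	(void)munmap(__DECONST(void *, xml), xmllen);
}

/*
 * Dispatch a 'q' (general query) packet.  'data' starts at the 'q' and
 * holds 'len' bytes (no '$', '#' or checksum).  Queries this stub does
 * not implement get the empty response, which GDB reads as
 * "unsupported".  Thread ids on the wire are vCPU index + 1, since 0
 * and -1 are reserved by the protocol.
 *
 * command_equals() is a prefix match, so an entry such as "qC" also
 * captures any other query beginning with those letters; keep more
 * specific names ahead of shorter prefixes they share.
 */
static void
gdb_query(const uint8_t *data, size_t len)
{

	/*
	 * TODO:
	 * - qSearch
	 */
	if (command_equals(data, len, "qAttached")) {
		/* '1': attached to an existing target, not one we created. */
		start_packet();
		append_char('1');
		finish_packet();
	} else if (command_equals(data, len, "qC")) {
		/* Current thread. */
		start_packet();
		append_string("QC");
		append_integer(cur_vcpu + 1);
		finish_packet();
	} else if (command_equals(data, len, "qfThreadInfo")) {
		cpuset_t mask;
		bool first;
		int vcpu;

		if (CPU_EMPTY(&vcpus_active)) {
			send_error(EINVAL);
			return;
		}
		/* All active vCPUs in one 'm' reply; qsThreadInfo ends the list. */
		mask = vcpus_active;
		start_packet();
		append_char('m');
		first = true;
		while (!CPU_EMPTY(&mask)) {
			vcpu = CPU_FFS(&mask) - 1;
			CPU_CLR(vcpu, &mask);
			if (first)
				first = false;
			else
				append_char(',');
			append_integer(vcpu + 1);
		}
		finish_packet();
	} else if (command_equals(data, len, "qsThreadInfo")) {
		start_packet();
		append_char('l');
		finish_packet();
	} else if (command_equals(data, len, "qSupported")) {
		data += strlen("qSupported");
		len -= strlen("qSupported");
		check_features(data, len);
	} else if (command_equals(data, len, "qThreadExtraInfo")) {
		char buf[16];
		int tid;

		data += strlen("qThreadExtraInfo");
		len -= strlen("qThreadExtraInfo");
		if (len == 0 || *data != ',') {
			send_error(EINVAL);
			return;
		}
		tid = parse_threadid(data + 1, len - 1);
		if (tid <= 0 || !CPU_ISSET(tid - 1, &vcpus_active)) {
			send_error(EINVAL);
			return;
		}

		snprintf(buf, sizeof(buf), "vCPU %d", tid - 1);
		start_packet();
		append_asciihex(buf);
		finish_packet();
	} else if (command_equals(data, len, "qXfer:features:read:")) {
		data += strlen("qXfer:features:read:");
		len -= strlen("qXfer:features:read:");
		gdb_query_xfer_features(data, len);
	} else
		send_empty_response();
}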
1710
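/*
 * Dispatch one checksum-verified packet.  'data' is the packet body
 * (between '$' and '#') and 'len' its length, which may be zero.  Each
 * handler sends exactly one reply, except 'c' and 's', whose reply is
 * the stop packet sent when the guest next halts.  Packets this stub
 * does not implement get the empty response ("unsupported").
 */
static void
handle_command(const uint8_t *data, size_t len)
{

	/* An empty body has nothing to dispatch on. */
	if (len == 0) {
		send_empty_response();
		return;
	}

	/*
	 * Reject packets with a sequence-id ("NN:" prefix).  Both digits
	 * are checked before the ':'.
	 */
	if (len >= 3 && data[0] >= '0' && data[0] <= '9' &&
	    data[1] >= '0' && data[1] <= '9' && data[2] == ':') {
		send_empty_response();
		return;
	}

	switch (*data) {
	case 'c':
		if (len != 1) {
			send_error(EINVAL);
			break;
		}

		/* Any pending stop report is stale once we resume. */
		discard_stop();
		gdb_resume_vcpus();
		break;
	case 'D':
		send_ok();

		/* TODO: Resume any stopped CPUs. */
		break;
	case 'g':
		gdb_read_regs();
		break;
	case 'p':
		gdb_read_one_reg(data + 1, len - 1);
		break;
	case 'H': {
		int tid;

		/* "Hg<tid>" / "Hc<tid>": select the vCPU later commands act on. */
		if (len < 2 || (data[1] != 'g' && data[1] != 'c')) {
			send_error(EINVAL);
			break;
		}
		tid = parse_threadid(data + 2, len - 2);
		if (tid == -2) {
			send_error(EINVAL);
			break;
		}

		if (CPU_EMPTY(&vcpus_active)) {
			send_error(EINVAL);
			break;
		}
		/* -1 ("all") and 0 ("any") both map to the first active vCPU. */
		if (tid == -1 || tid == 0)
			cur_vcpu = CPU_FFS(&vcpus_active) - 1;
		else if (CPU_ISSET(tid - 1, &vcpus_active))
			cur_vcpu = tid - 1;
		else {
			send_error(EINVAL);
			break;
		}
		send_ok();
		break;
	}
	case 'm':
		gdb_read_mem(data, len);
		break;
	case 'M':
		gdb_write_mem(data, len);
		break;
	case 'T': {
		int tid;

		/* Is thread <tid> alive?  Only active vCPUs are. */
		tid = parse_threadid(data + 1, len - 1);
		if (tid <= 0 || !CPU_ISSET(tid - 1, &vcpus_active)) {
			send_error(EINVAL);
			break;
		}
		send_ok();
		break;
	}
	case 'q':
		gdb_query(data, len);
		break;
	case 's':
		if (len != 1) {
			send_error(EINVAL);
			break;
		}

		/* Don't send a reply until a stop occurs. */
		if (!gdb_step_vcpu(vcpus[cur_vcpu])) {
			send_error(EOPNOTSUPP);
			break;
		}
		break;
	case 'z':
	case 'Z':
		parse_breakpoint(data, len);
		break;
	case '?':
		report_stop(false);
		break;
	case 'G': /* TODO */
	case 'v':
		/* Handle 'vCont' */
		/* 'vCtrlC' */
	case 'P': /* TODO */
	case 'Q': /* TODO */
	case 't': /* TODO */
	case 'X': /* TODO */
	default:
		send_empty_response();
	}
}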
1822
/*
 * Check for a valid packet in the command buffer and process everything
 * that is complete.
 *
 * Consumes cur_comm byte by byte: a raw 0x03 is the interrupt request,
 * '+'/'-' acknowledge or reject our previous response, and '$' starts a
 * "$<body>#<2 hex digits>" packet.  The body is passed to
 * handle_command() only after the 8-bit additive checksum matches; a
 * mismatch is answered with '-' and the packet dropped.  An incomplete
 * packet is left in the buffer until more data arrives.  Any other byte
 * is discarded.  Called with gdb_lock held (see gdb_readable()).
 *
 * NOTE(review): nothing here bounds how much unacknowledged input may
 * accumulate -- a '$' that is never followed by '#' returns from this
 * function each time and gdb_readable() keeps growing cur_comm by
 * whatever FIONREAD reports.  A peer can thus grow the buffer without
 * limit; consider dropping the connection once 'avail' exceeds the
 * advertised PacketSize (4096) plus framing.
 */
static void
check_command(int fd)
{
	uint8_t *head, *hash, *p, sum;
	size_t avail, plen;

	for (;;) {
		avail = cur_comm.len;
		if (avail == 0)
			return;
		head = io_buffer_head(&cur_comm);
		switch (*head) {
		case 0x03:
			/* Ctrl-C from the debugger: halt the guest. */
			debug("<- Ctrl-C\n");
			io_buffer_consume(&cur_comm, 1);

			gdb_suspend_vcpus();
			break;
		case '+':
			/* ACK of previous response. */
			debug("<- +\n");
			if (response_pending())
				io_buffer_reset(&cur_resp);
			io_buffer_consume(&cur_comm, 1);
			/* A stop that was deferred until the ACK goes out now. */
			if (stopped_vcpu != -1 && report_next_stop) {
				report_stop(true);
				send_pending_data(fd);
			}
			break;
		case '-':
			/* NACK of previous response. */
			debug("<- -\n");
			if (response_pending()) {
				/*
				 * Rewind cur_resp to its first byte so the
				 * whole response is retransmitted, minus
				 * the leading '+' ACK which has already
				 * been accepted.
				 */
				cur_resp.len += cur_resp.start;
				cur_resp.start = 0;
				if (cur_resp.data[0] == '+')
					io_buffer_advance(&cur_resp, 1);
				debug("-> %.*s\n", (int)cur_resp.len,
				    io_buffer_head(&cur_resp));
			}
			io_buffer_consume(&cur_comm, 1);
			send_pending_data(fd);
			break;
		case '$':
			/* Packet. */

			if (response_pending()) {
				warnx("New GDB command while response in "
				    "progress");
				io_buffer_reset(&cur_resp);
			}

			/* Is packet complete?  Need '#' plus two checksum digits. */
			hash = memchr(head, '#', avail);
			if (hash == NULL)
				return;
			plen = (hash - head + 1) + 2;
			if (avail < plen)
				return;
			debug("<- %.*s\n", (int)plen, head);

			/* Verify checksum: sum of body bytes mod 256 ('sum' is uint8_t). */
			for (sum = 0, p = head + 1; p < hash; p++)
				sum += *p;
			if (sum != parse_byte(hash + 1)) {
				io_buffer_consume(&cur_comm, plen);
				debug("-> -\n");
				send_char('-');
				send_pending_data(fd);
				break;
			}
			send_char('+');

			/* Body is head+1 .. hash-1; may be empty. */
			handle_command(head + 1, hash - (head + 1));
			io_buffer_consume(&cur_comm, plen);
			if (!response_pending())
				debug("-> +\n");
			send_pending_data(fd);
			break;
		default:
			/* XXX: Possibly drop connection instead. */
			debug("-> %02x\n", *head);
			io_buffer_consume(&cur_comm, 1);
			break;
		}
	}
}
1911
/*
 * mevent read callback for the debugger socket.  Pulls whatever is
 * queued on the socket into cur_comm and runs check_command() under
 * gdb_lock.  EOF or a read error (other than EAGAIN) tears the
 * connection down via close_connection().
 */
static void
gdb_readable(int fd, enum ev_type event __unused, void *arg __unused)
{
	ssize_t got;
	size_t want;
	int queued;

	if (ioctl(fd, FIONREAD, &queued) == -1) {
		warn("FIONREAD on GDB socket");
		return;
	}
	assert(queued >= 0);

	/*
	 * FIONREAD reports 0 at EOF as well as when idle; ask for at
	 * least one byte so read() can tell us which it is.
	 */
	want = (queued == 0) ? 1 : (size_t)queued;

	/* Make room, then read as much as fits. */
	io_buffer_grow(&cur_comm, want);
	assert(io_buffer_avail(&cur_comm) >= want);

	got = read(fd, io_buffer_tail(&cur_comm), io_buffer_avail(&cur_comm));
	if (got > 0) {
		cur_comm.len += got;
		pthread_mutex_lock(&gdb_lock);
		check_command(fd);
		pthread_mutex_unlock(&gdb_lock);
		return;
	}
	if (got == -1 && errno == EAGAIN)
		return;
	if (got == -1)
		warn("Read from GDB socket");
	/* EOF, or a real error: drop the session. */
	close_connection();
}
1953
/*
 * mevent write callback for the debugger socket: the socket can take
 * more data, so flush whatever response bytes are still queued.
 */
static void
gdb_writable(int fd, enum ev_type event __unused, void *arg __unused)
{
	send_pending_data(fd);
}
1960
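/*
 * mevent callback for the listening socket: accept one debugger
 * connection and make it the current session.
 *
 * Only one session is supported at a time; a second connection is
 * closed with a warning and the existing one is left untouched.  Every
 * failure path releases gdb_lock and closes the new socket.  'arg' is
 * NULL when registered by init_gdb(); when it is non-NULL (the "initial"
 * connection case, per the error messages -- the caller is outside this
 * file section) accept or event-registration failures are fatal.
 *
 * Security: the protocol has no authentication.  Whoever connects can
 * read and write all guest memory and drive every vCPU, so the listener
 * should only be reachable by the intended debugger (it defaults to
 * localhost in init_gdb()).  Accepting suspends the guest ("break on
 * attach") and arms the first stop report.
 */
static void
new_connection(int fd, enum ev_type event __unused, void *arg)
{
	int optval, s;

	s = accept4(fd, NULL, NULL, SOCK_NONBLOCK);
	if (s == -1) {
		if (arg != NULL)
			err(1, "Failed accepting initial GDB connection");

		/* Silently ignore errors post-startup. */
		return;
	}

	/* Writes to a vanished peer must not kill bhyve with SIGPIPE. */
	optval = 1;
	if (setsockopt(s, SOL_SOCKET, SO_NOSIGPIPE, &optval, sizeof(optval)) ==
	    -1) {
		warn("Failed to disable SIGPIPE for GDB connection");
		close(s);
		return;
	}

	pthread_mutex_lock(&gdb_lock);
	if (cur_fd != -1) {
		/*
		 * A session already exists.  Drop the newcomer and stop
		 * here; falling through would register the closed socket
		 * and overwrite cur_fd.
		 */
		pthread_mutex_unlock(&gdb_lock);
		close(s);
		warnx("Ignoring additional GDB connection.");
		return;
	}

	read_event = mevent_add(s, EVF_READ, gdb_readable, NULL);
	if (read_event == NULL) {
		if (arg != NULL)
			err(1, "Failed to setup initial GDB connection");
		pthread_mutex_unlock(&gdb_lock);
		close(s);
		return;
	}
	write_event = mevent_add(s, EVF_WRITE, gdb_writable, NULL);
	if (write_event == NULL) {
		if (arg != NULL)
			err(1, "Failed to setup initial GDB connection");
		/* mevent_delete_close() also closes 's'. */
		mevent_delete_close(read_event);
		read_event = NULL;
		pthread_mutex_unlock(&gdb_lock);
		return;
	}

	cur_fd = s;
	cur_vcpu = 0;
	stopped_vcpu = -1;

	/* Break on attach. */
	first_stop = true;
	report_next_stop = false;
	gdb_suspend_vcpus();
	pthread_mutex_unlock(&gdb_lock);
}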
2014
2015 #ifndef WITHOUT_CAPSICUM
/*
 * Capsicum: restrict the listening socket to what the stub needs --
 * accept, event-loop polling, read/write, setsockopt and a single ioctl
 * (FIONREAD, used by gdb_readable()).  Read/write rights are granted on
 * the listener because the accepted per-connection sockets are expected
 * to derive their rights from it.  Any failure is fatal.
 */
static void
limit_gdb_socket(int s)
{
	const unsigned long allowed_ioctls[] = { FIONREAD };
	cap_rights_t rights;

	cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE,
	    CAP_SETSOCKOPT, CAP_IOCTL);
	if (caph_rights_limit(s, &rights) == -1)
		errx(EX_OSERR, "Unable to apply rights for sandbox");
	if (caph_ioctls_limit(s, allowed_ioctls, nitems(allowed_ioctls)) == -1)
		errx(EX_OSERR, "Unable to apply rights for sandbox");
}
2029 #endif
2030
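/*
 * Set up the GDB stub from the "gdb.*" config keys and register the
 * listening socket with the event loop.  Does nothing when "gdb.port"
 * is unset.  Keys read here:
 *   gdb.port     - numeric TCP port (AI_NUMERICSERV); required.
 *   gdb.address  - bind address; default "localhost".
 *   gdb.wait     - when true, vCPU 0 is left suspended until a debugger
 *                  connects (see the gdb_cpu_add() note below).
 *
 * Security: the remote protocol carries no authentication, and a
 * connected debugger can read and write all guest memory and control
 * every vCPU.  Bind to a non-loopback address only on a trusted
 * network.  Every setup failure is fatal (err/errx), like the rest of
 * bhyve's startup.
 */
void
init_gdb(struct vmctx *_ctx)
{
#ifndef WITHOUT_CAPSICUM
	cap_rights_t rights;
#endif
	int error, flags, optval, s;
	struct addrinfo hints;
	struct addrinfo *gdbaddr;
	const char *saddr, *value;
	char *sport;
	bool wait;

	value = get_config_value("gdb.port");
	if (value == NULL)
		return;
	sport = strdup(value);
	if (sport == NULL)
		errx(4, "Failed to allocate memory");

	wait = get_config_bool_default("gdb.wait", false);

	saddr = get_config_value("gdb.address");
	if (saddr == NULL) {
		saddr = "localhost";
	}

	debug("==> starting on %s:%s, %swaiting\n",
	    saddr, sport, wait ? "" : "not ");

	error = pthread_mutex_init(&gdb_lock, NULL);
	if (error != 0)
		errc(1, error, "gdb mutex init");
	error = pthread_cond_init(&idle_vcpus, NULL);
	if (error != 0)
		errc(1, error, "gdb cv init");

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_NUMERICSERV | AI_PASSIVE;

	error = getaddrinfo(saddr, sport, &hints, &gdbaddr);
	if (error != 0)
		errx(1, "gdb address resolution: %s", gai_strerror(error));

	ctx = _ctx;
	/* Only the first resolved address is used. */
	s = socket(gdbaddr->ai_family, gdbaddr->ai_socktype, 0);
	if (s < 0)
		err(1, "gdb socket create");

	/* Best effort: allow rebinding the port across bhyve restarts. */
	optval = 1;
	(void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));

	if (bind(s, gdbaddr->ai_addr, gdbaddr->ai_addrlen) < 0)
		err(1, "gdb socket bind");

	/* One debugger at a time (see new_connection()); a backlog of 1 suffices. */
	if (listen(s, 1) < 0)
		err(1, "gdb socket listen");

	stopped_vcpu = -1;
	TAILQ_INIT(&breakpoints);
	vcpus = calloc(guest_ncpus, sizeof(*vcpus));
	vcpu_state = calloc(guest_ncpus, sizeof(*vcpu_state));
	if (vcpus == NULL || vcpu_state == NULL)
		errx(4, "Failed to allocate memory");
	if (wait) {
		/*
		 * Set vcpu 0 in vcpus_suspended. This will trigger the
		 * logic in gdb_cpu_add() to suspend the first vcpu before
		 * it starts execution. The vcpu will remain suspended
		 * until a debugger connects.
		 */
		CPU_SET(0, &vcpus_suspended);
		stopped_vcpu = 0;
	}

	/* F_GETFL can fail too; don't OR O_NONBLOCK into -1. */
	flags = fcntl(s, F_GETFL);
	if (flags == -1 || fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1)
		err(1, "Failed to mark gdb socket non-blocking");

#ifndef WITHOUT_CAPSICUM
	limit_gdb_socket(s);
#endif
	if (mevent_add(s, EVF_READ, new_connection, NULL) == NULL)
		errx(1, "Failed to register gdb listen socket");
	gdb_active = true;
	freeaddrinfo(gdbaddr);
	free(sport);

	/*
	 * Directory of target-description XML served by
	 * qXfer:features:read.  Lookups are confined to it with
	 * O_RESOLVE_BENEATH at open time and, under Capsicum, by the
	 * rights below (lookup, fstat, read-only mmap, pread).
	 */
	xml_dfd = open(_PATH_GDB_XML, O_DIRECTORY);
	if (xml_dfd == -1)
		err(1, "Failed to open gdb xml directory");
#ifndef WITHOUT_CAPSICUM
	cap_rights_init(&rights, CAP_FSTAT, CAP_LOOKUP, CAP_MMAP_R, CAP_PREAD);
	if (caph_rights_limit(xml_dfd, &rights) == -1)
		err(1, "caph_rights_limit");
#endif
}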
2127