From: Ali Mashtizadeh
Date: Fri, 6 Apr 2018 11:18:02 -0400
Subject: Broken exect() libc call
To: FreeBSD Hackers

Hello Everyone,

I noticed exect() is an old BSD-specific libc function that is supposed to enable tracing on the child process. In all modern platforms it has a faulty implementation dating back to the CSRG source code. FreeBSD lacks the code for several platforms and it appears that there are no users. Even gdb in the CSRG repository used the ptrace(PT_TRACE_ME, ...) function, which is portable.

Originally, on the VAX, exect() sets the trap flag (PSL_T), which does not trigger a trap until the new executable image is loaded. This is because a trace fault is raised when the PSL_TP flag is set. The exect() code would set PSL_T; during the execution of an instruction the processor copies the value of PSL_T to PSL_TP at the end of its cycle. The instruction that sets the trap flag does not set PSL_TP, and the system call instruction copies PSL_T to PSL_TP. Then the first instruction in the executable image will trigger a trace fault. See E.5.3 in [1] below and CSRG source [2].
Other platforms either called execve (when the processor does not allow user space to directly control tracing) or provided the same faulty implementation (present in the i386 version). If you search the CSRG repository, this system call was only used by adb/sdb, which at the time contained a ptrace(PT_TRACE_ME, ...) call as well. Older versions of Mac OS X contained the documentation for the call, but it has since been removed. NetBSD/OpenBSD contain a deprecated function, written in C, that calls execve and warns you when you link against it.

If there are no objections, I've copied the NetBSD file, removed any MD assemblies still present, and amended the man page.

Alternative solutions:

1) Provide C code to call ptrace(PT_TRACE_ME, ...) + execve. This more closely emulates exect().
2) Remove the call entirely.

https://reviews.freebsd.org/D14989

[1] http://www.livingcomputers.org/Discover/Online-Systems/User-Documentation/OpenVMS-7-3/5_VAX_Macro_Assembler_Reference.aspx
[2] https://svnweb.freebsd.org/csrg/lib/libc/vax/sys/exect.s?revision=61222&view=markup
[3] http://gnats.netbsd.org/51700

Best,
Ali Mashtizadeh
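The following is an added example, not code from the mail or from the FreeBSD review it links to. It shows alternative 1 from the mail: an exect()-style entry point that asks to be traced by its parent and then calls execve, plus a parent that forks, observes the SIGTRAP stop at the first instruction of the new image (the effect the VAX PSL_T/PSL_TP trick produced), resumes the child and reaps it. The function names (`exect_emulated`, `run_traced`, `demo_exit_code`) are assumptions for this example; the ptrace request names are `PT_TRACE_ME`/`PT_CONTINUE` on FreeBSD and `PTRACE_TRACEME`/`PTRACE_CONT` on Linux, and the demo assumes `/bin/sh` exists.

```c
/* Added example: exect(3)-style "trace me, then exec" and a parent that
 * observes the resulting trace stop. Not the FreeBSD libc implementation. */
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <signal.h>
#include <unistd.h>
#include <stdio.h>

extern char **environ;

#ifdef __linux__
/* Linux: long ptrace(enum __ptrace_request, pid_t, void *addr, void *data). */
static int trace_me(void) { return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1 ? -1 : 0; }
static int trace_continue(pid_t pid) { return ptrace(PTRACE_CONT, pid, NULL, NULL) == -1 ? -1 : 0; }
#else
/* FreeBSD: int ptrace(int request, pid_t pid, caddr_t addr, int data);
 * addr == (caddr_t)1 means "continue from where the child stopped". */
static int trace_me(void) { return ptrace(PT_TRACE_ME, 0, NULL, 0); }
static int trace_continue(pid_t pid) { return ptrace(PT_CONTINUE, pid, (caddr_t)1, 0); }
#endif

/* Alternative 1 from the mail (hypothetical name): request tracing by the
 * parent, then execve. Like execve(), it only returns on failure. */
int exect_emulated(const char *path, char *const argv[], char *const envp[])
{
    if (trace_me() == -1)
        return -1;
    return execve(path, argv, envp);
}

/* Parent side (hypothetical name). Forks, runs `path` under exect_emulated(),
 * and reports whether the child stopped with SIGTRAP once the new image was
 * loaded. Every stop is resumed; the child's exit status goes to *exit_code.
 * Returns 1 if the trace stop was seen, 0 if not, -1 on error. */
int run_traced(const char *path, char *const argv[], int *exit_code)
{
    int status, saw_trace_stop = 0;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        exect_emulated(path, argv, environ);
        _exit(127);                     /* ptrace or execve failed */
    }
    for (;;) {
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status)) {
            *exit_code = WEXITSTATUS(status);
            return saw_trace_stop;
        }
        if (WIFSIGNALED(status)) {
            *exit_code = -1;
            return saw_trace_stop;
        }
        if (WIFSTOPPED(status)) {
            if (WSTOPSIG(status) == SIGTRAP)
                saw_trace_stop = 1;     /* stop at the new image's first instruction */
            if (trace_continue(pid) == -1)   /* resume; the SIGTRAP is not delivered */
                return -1;
        }
    }
}

/* Fixed demonstration: run the constructed command `sh -c 'exit 3'` under
 * trace. Returns the child's exit code (3) only if the trace stop was seen,
 * otherwise -1. */
int demo_exit_code(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    int code = -1;

    if (run_traced("/bin/sh", argv, &code) != 1)
        return -1;
    return code;
}

int main(void)
{
    int code = demo_exit_code();
    printf("traced child exit code: %d\n", code);
    return code == 3 ? 0 : 1;
}
```

The parent loop matters for the comparison the mail draws: with the ptrace-based emulation the stop is reported to the parent as a normal wait status, so a debugger gains control before the new image runs its first instruction without any architecture-specific flag manipulation, which is why the emulation is portable where the PSL_T version was not.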