From owner-freebsd-hackers@FreeBSD.ORG  Sun Jan 17 17:43:00 2010
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DCA9310656C6
	for <freebsd-hackers@freebsd.org>; Sun, 17 Jan 2010 17:43:00 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Received: from mail.zoral.com.ua (skuns.zoral.com.ua [91.193.166.194])
	by mx1.freebsd.org (Postfix) with ESMTP id D849C8FC19
	for <freebsd-hackers@freebsd.org>; Sun, 17 Jan 2010 17:42:58 +0000 (UTC)
Received: from deviant.kiev.zoral.com.ua (root@deviant.kiev.zoral.com.ua
	[10.1.1.148])
	by mail.zoral.com.ua (8.14.2/8.14.2) with ESMTP id o0HHgqTM097482
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sun, 17 Jan 2010 19:42:52 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
Received: from deviant.kiev.zoral.com.ua (kostik@localhost [127.0.0.1])
	by deviant.kiev.zoral.com.ua (8.14.3/8.14.3) with ESMTP id
	o0HHgqa5042633; Sun, 17 Jan 2010 19:42:52 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
Received: (from kostik@localhost)
	by deviant.kiev.zoral.com.ua (8.14.3/8.14.3/Submit) id o0HHgpm2042632; 
	Sun, 17 Jan 2010 19:42:51 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
X-Authentication-Warning: deviant.kiev.zoral.com.ua: kostik set sender to
	kostikbel@gmail.com using -f
Date: Sun, 17 Jan 2010 19:42:51 +0200
From: Kostik Belousov <kostikbel@gmail.com>
To: Ali Polatel <alip@exherbo.org>
Message-ID: <20100117174251.GG62907@deviant.kiev.zoral.com.ua>
References: <20100116190137.GA11414@harikalardiyari>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="YCGSkTKVt49j0xAo"
Content-Disposition: inline
In-Reply-To: <20100116190137.GA11414@harikalardiyari>
User-Agent: Mutt/1.4.2.3i
X-Virus-Scanned: clamav-milter 0.95.2 at skuns.kiev.zoral.com.ua
X-Virus-Status: Clean
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00
	autolearn=ham version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	skuns.kiev.zoral.com.ua
Cc: freebsd-hackers@freebsd.org
Subject: Re: ptrace bug or feature?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jan 2010 17:43:00 -0000


--YCGSkTKVt49j0xAo
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Jan 16, 2010 at 09:01:37PM +0200, Ali Polatel wrote:
> Hey everyone,
>=20
> Problem: ptrace's PT_SETREGS request can't alter system calls.
> Code: http://alip.github.com/code/ptrace-freebsd-deny.c
> Expected: The file foo.bar shouldn't be created.
> Got: The file is created. Other efforts like replacing
> PT_GETREGS/PT_SETREGS calls with PT_KILL doesn't help, the file is
> created nevertheless.
>=20
> I'm inclined to call this a bug but I can't be sure.
> Any comments appreciated.
> TIA

It may be a missed feature, not a bug. There is obvious hack value
in ability to modify syscall arguments from the debugger.

Do you know whether other operating systems allow this ?

I was around this code today, and wrote the patch for i386, amd64
and ia32 on amd64. Other architectures need to be handled.

diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c
index df301d1..bd7ee63 100644
--- a/sys/amd64/amd64/trap.c
+++ b/sys/amd64/amd64/trap.c
@@ -885,95 +885,131 @@ dblfault_handler(struct trapframe *frame)
 	panic("double fault");
 }
=20
-/*
- *	syscall -	system call request C handler
- *
- *	A system call is essentially treated as a trap.
- */
-void
-syscall(struct trapframe *frame)
-{
-	caddr_t params;
+struct syscall_args {
+	u_int code;
 	struct sysent *callp;
-	struct thread *td =3D curthread;
-	struct proc *p =3D td->td_proc;
-	register_t orig_tf_rflags;
-	int error;
-	int narg;
 	register_t args[8];
 	register_t *argp;
-	u_int code;
-	int reg, regcnt;
-	ksiginfo_t ksi;
-
-	PCPU_INC(cnt.v_syscall);
+	int narg;
+};
=20
-#ifdef DIAGNOSTIC
-	if (ISPL(frame->tf_cs) !=3D SEL_UPL) {
-		panic("syscall");
-		/* NOT REACHED */
-	}
-#endif
+static int
+fetch_syscall_args(struct thread *td, struct syscall_args *sa)
+{
+	struct proc *p;
+	struct trapframe *frame;
+	caddr_t params;
+	int reg, regcnt, error;
=20
+	p =3D td->td_proc;
+	frame =3D td->td_frame;
 	reg =3D 0;
 	regcnt =3D 6;
-	td->td_pticks =3D 0;
-	td->td_frame =3D frame;
-	if (td->td_ucred !=3D p->p_ucred)=20
-		cred_update_thread(td);
+
 	params =3D (caddr_t)frame->tf_rsp + sizeof(register_t);
-	code =3D frame->tf_rax;
-	orig_tf_rflags =3D frame->tf_rflags;
+	sa->code =3D frame->tf_rax;
=20
 	if (p->p_sysent->sv_prepsyscall) {
-		(*p->p_sysent->sv_prepsyscall)(frame, (int *)args, &code, &params);
+		(*p->p_sysent->sv_prepsyscall)(frame, (int *)sa->args,
+		    &sa->code, &params);
 	} else {
-		if (code =3D=3D SYS_syscall || code =3D=3D SYS___syscall) {
-			code =3D frame->tf_rdi;
+		if (sa->code =3D=3D SYS_syscall || sa->code =3D=3D SYS___syscall) {
+			sa->code =3D frame->tf_rdi;
 			reg++;
 			regcnt--;
 		}
 	}
-
  	if (p->p_sysent->sv_mask)
- 		code &=3D p->p_sysent->sv_mask;
+ 		sa->code &=3D p->p_sysent->sv_mask;
=20
- 	if (code >=3D p->p_sysent->sv_size)
- 		callp =3D &p->p_sysent->sv_table[0];
+ 	if (sa->code >=3D p->p_sysent->sv_size)
+ 		sa->callp =3D &p->p_sysent->sv_table[0];
   	else
- 		callp =3D &p->p_sysent->sv_table[code];
+ 		sa->callp =3D &p->p_sysent->sv_table[sa->code];
=20
-	narg =3D callp->sy_narg;
-	KASSERT(narg <=3D sizeof(args) / sizeof(args[0]),
+	sa->narg =3D sa->callp->sy_narg;
+	KASSERT(sa->narg <=3D sizeof(sa->args) / sizeof(sa->args[0]),
 	    ("Too many syscall arguments!"));
 	error =3D 0;
-	argp =3D &frame->tf_rdi;
-	argp +=3D reg;
-	bcopy(argp, args, sizeof(args[0]) * regcnt);
-	if (narg > regcnt) {
+	sa->argp =3D &frame->tf_rdi;
+	sa->argp +=3D reg;
+	bcopy(sa->argp, sa->args, sizeof(sa->args[0]) * regcnt);
+	if (sa->narg > regcnt) {
 		KASSERT(params !=3D NULL, ("copyin args with no params!"));
-		error =3D copyin(params, &args[regcnt],
-	    		(narg - regcnt) * sizeof(args[0]));
+		error =3D copyin(params, &sa->args[regcnt],
+	    	    (sa->narg - regcnt) * sizeof(sa->args[0]));
 	}
-	argp =3D &args[0];
+	sa->argp =3D &sa->args[0];
=20
+	/*
+	 * This may result in two records if debugger modified
+	 * registers or memory during sleep at stop/ptrace point.
+	 */
 #ifdef KTRACE
 	if (KTRPOINT(td, KTR_SYSCALL))
-		ktrsyscall(code, narg, argp);
+		ktrsyscall(sa->code, sa->narg, sa->argp);
 #endif
+	return (error);
+}
=20
-	CTR4(KTR_SYSC, "syscall enter thread %p pid %d proc %s code %d", td,
-	    td->td_proc->p_pid, td->td_name, code);
+/*
+ *	syscall -	system call request C handler
+ *
+ *	A system call is essentially treated as a trap.
+ */
+void
+syscall(struct trapframe *frame)
+{
+	struct thread *td;
+	struct proc *p;
+	struct syscall_args sa;
+	register_t orig_tf_rflags;
+	int error;
+	ksiginfo_t ksi;
=20
+	PCPU_INC(cnt.v_syscall);
+	td =3D curthread;
+	p =3D td->td_proc;
 	td->td_syscalls++;
=20
+#ifdef DIAGNOSTIC
+	if (ISPL(frame->tf_cs) !=3D SEL_UPL) {
+		panic("syscall");
+		/* NOT REACHED */
+	}
+#endif
+
+	td->td_pticks =3D 0;
+	td->td_frame =3D frame;
+	if (td->td_ucred !=3D p->p_ucred)=20
+		cred_update_thread(td);
+	orig_tf_rflags =3D frame->tf_rflags;
+	if (p->p_flag & P_TRACED) {
+		PROC_LOCK(p);
+		td->td_dbgflags &=3D ~TDB_USERWR;
+		PROC_UNLOCK(p);
+	}
+	error =3D fetch_syscall_args(td, &sa);
+
+	CTR4(KTR_SYSC, "syscall enter thread %p pid %d proc %s code %d", td,
+	    td->td_proc->p_pid, td->td_name, sa.code);
+
 	if (error =3D=3D 0) {
 		td->td_retval[0] =3D 0;
 		td->td_retval[1] =3D frame->tf_rdx;
=20
-		STOPEVENT(p, S_SCE, narg);
-
+		STOPEVENT(p, S_SCE, sa.narg);
 		PTRACESTOP_SC(p, td, S_PT_SCE);
+		if (td->td_dbgflags & TDB_USERWR) {
+			/*
+			 * Reread syscall number and arguments if
+			 * debugger modified registers or memory.
+			 */
+			error =3D fetch_syscall_args(td, &sa);
+			if (error !=3D 0)
+				goto retval;
+			td->td_retval[1] =3D frame->tf_rdx;
+		}
=20
 #ifdef KDTRACE_HOOKS
 		/*
@@ -981,13 +1017,13 @@ syscall(struct trapframe *frame)
 		 * callback and if there is a probe active for the
 		 * syscall 'entry', process the probe.
 		 */
-		if (systrace_probe_func !=3D NULL && callp->sy_entry !=3D 0)
-			(*systrace_probe_func)(callp->sy_entry, code, callp,
-			    args);
+		if (systrace_probe_func !=3D NULL && sa.callp->sy_entry !=3D 0)
+			(*systrace_probe_func)(sa.callp->sy_entry, sa.code,
+			    sa.callp, sa.args);
 #endif
=20
-		AUDIT_SYSCALL_ENTER(code, td);
-		error =3D (*callp->sy_call)(td, argp);
+		AUDIT_SYSCALL_ENTER(sa.code, td);
+		error =3D (*sa.callp->sy_call)(td, sa.argp);
 		AUDIT_SYSCALL_EXIT(error, td);
=20
 		/* Save the latest error return value. */
@@ -999,12 +1035,12 @@ syscall(struct trapframe *frame)
 		 * callback and if there is a probe active for the
 		 * syscall 'return', process the probe.
 		 */
-		if (systrace_probe_func !=3D NULL && callp->sy_return !=3D 0)
-			(*systrace_probe_func)(callp->sy_return, code, callp,
-			    args);
+		if (systrace_probe_func !=3D NULL && sa.callp->sy_return !=3D 0)
+			(*systrace_probe_func)(sa.callp->sy_return, sa.code,
+			    sa.callp, sa.args);
 #endif
 	}
-
+ retval:
 	cpu_set_syscall_retval(td, error);
=20
 	/*
@@ -1023,14 +1059,16 @@ syscall(struct trapframe *frame)
 	 * Check for misbehavior.
 	 */
 	WITNESS_WARN(WARN_PANIC, NULL, "System call %s returning",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? syscallnames[code] : "???");
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     syscallnames[sa.code] : "???");
 	KASSERT(td->td_critnest =3D=3D 0,
 	    ("System call %s returning in a critical section",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? syscallnames[code] : "???"));
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     syscallnames[sa.code] : "???"));
 	KASSERT(td->td_locks =3D=3D 0,
 	    ("System call %s returning with %d locks held",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? syscallnames[code] : "???",
-	    td->td_locks));
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     syscallnames[sa.code] : "???", td->td_locks));
=20
 	/*
 	 * Handle reschedule and other end-of-syscall issues
@@ -1038,11 +1076,11 @@ syscall(struct trapframe *frame)
 	userret(td, frame);
=20
 	CTR4(KTR_SYSC, "syscall exit thread %p pid %d proc %s code %d", td,
-	    td->td_proc->p_pid, td->td_name, code);
+	    td->td_proc->p_pid, td->td_name, sa.code);
=20
 #ifdef KTRACE
 	if (KTRPOINT(td, KTR_SYSRET))
-		ktrsysret(code, error, td->td_retval[0]);
+		ktrsysret(sa.code, error, td->td_retval[0]);
 #endif
=20
 	/*
@@ -1050,7 +1088,7 @@ syscall(struct trapframe *frame)
 	 * register set.  If we ever support an emulation where this
 	 * is not the case, this code will need to be revisited.
 	 */
-	STOPEVENT(p, S_SCX, code);
+	STOPEVENT(p, S_SCX, sa.code);
=20
 	PTRACESTOP_SC(p, td, S_PT_SCX);
 }
diff --git a/sys/amd64/ia32/ia32_syscall.c b/sys/amd64/ia32/ia32_syscall.c
index 5e20876..aa1ae6c 100644
--- a/sys/amd64/ia32/ia32_syscall.c
+++ b/sys/amd64/ia32/ia32_syscall.c
@@ -88,101 +88,136 @@ extern const char *freebsd32_syscallnames[];
=20
 void ia32_syscall(struct trapframe *frame);	/* Called from asm code */
=20
-void
-ia32_syscall(struct trapframe *frame)
-{
+struct ia32_syscall_args {
+	u_int code;
 	caddr_t params;
-	int i;
 	struct sysent *callp;
-	struct thread *td =3D curthread;
-	struct proc *p =3D td->td_proc;
-	register_t orig_tf_rflags;
-	int error;
+	u_int64_t args64[8];
 	int narg;
+};
+
+static int
+fetch_ia32_syscall_args(struct thread *td, struct ia32_syscall_args *sa)
+{
+	struct proc *p;
+	struct trapframe *frame;
 	u_int32_t args[8];
-	u_int64_t args64[8];
-	u_int code;
-	ksiginfo_t ksi;
+	int error, i;
=20
-	PCPU_INC(cnt.v_syscall);
-	td->td_pticks =3D 0;
-	td->td_frame =3D frame;
-	if (td->td_ucred !=3D p->p_ucred)=20
-		cred_update_thread(td);
-	params =3D (caddr_t)frame->tf_rsp + sizeof(u_int32_t);
-	code =3D frame->tf_rax;
-	orig_tf_rflags =3D frame->tf_rflags;
+	p =3D td->td_proc;
+	frame =3D td->td_frame;
+
+	sa->params =3D (caddr_t)frame->tf_rsp + sizeof(u_int32_t);
+	sa->code =3D frame->tf_rax;
=20
 	if (p->p_sysent->sv_prepsyscall) {
 		/*
 		 * The prep code is MP aware.
 		 */
-		(*p->p_sysent->sv_prepsyscall)(frame, args, &code, &params);
+		(*p->p_sysent->sv_prepsyscall)(frame, args, &sa->code,
+		    &sa->params);
 	} else {
 		/*
 		 * Need to check if this is a 32 bit or 64 bit syscall.
 		 * fuword is MP aware.
 		 */
-		if (code =3D=3D SYS_syscall) {
+		if (sa->code =3D=3D SYS_syscall) {
 			/*
 			 * Code is first argument, followed by actual args.
 			 */
-			code =3D fuword32(params);
-			params +=3D sizeof(int);
-		} else if (code =3D=3D SYS___syscall) {
+			sa->code =3D fuword32(sa->params);
+			sa->params +=3D sizeof(int);
+		} else if (sa->code =3D=3D SYS___syscall) {
 			/*
 			 * Like syscall, but code is a quad, so as to maintain
 			 * quad alignment for the rest of the arguments.
 			 * We use a 32-bit fetch in case params is not
 			 * aligned.
 			 */
-			code =3D fuword32(params);
-			params +=3D sizeof(quad_t);
+			sa->code =3D fuword32(sa->params);
+			sa->params +=3D sizeof(quad_t);
 		}
 	}
-
  	if (p->p_sysent->sv_mask)
- 		code &=3D p->p_sysent->sv_mask;
-
- 	if (code >=3D p->p_sysent->sv_size)
- 		callp =3D &p->p_sysent->sv_table[0];
+ 		sa->code &=3D p->p_sysent->sv_mask;
+ 	if (sa->code >=3D p->p_sysent->sv_size)
+ 		sa->callp =3D &p->p_sysent->sv_table[0];
   	else
- 		callp =3D &p->p_sysent->sv_table[code];
-
-	narg =3D callp->sy_narg;
+ 		sa->callp =3D &p->p_sysent->sv_table[sa->code];
+	sa->narg =3D sa->callp->sy_narg;
=20
-	/*
-	 * copyin and the ktrsyscall()/ktrsysret() code is MP-aware
-	 */
-	if (params !=3D NULL && narg !=3D 0)
-		error =3D copyin(params, (caddr_t)args,
-		    (u_int)(narg * sizeof(int)));
+	if (sa->params !=3D NULL && sa->narg !=3D 0)
+		error =3D copyin(sa->params, (caddr_t)args,
+		    (u_int)(sa->narg * sizeof(int)));
 	else
 		error =3D 0;
=20
-	for (i =3D 0; i < narg; i++)
-		args64[i] =3D args[i];
+	for (i =3D 0; i < sa->narg; i++)
+		sa->args64[i] =3D args[i];
=20
 #ifdef KTRACE
 	if (KTRPOINT(td, KTR_SYSCALL))
-		ktrsyscall(code, narg, args64);
+		ktrsyscall(sa->code, sa->narg, sa->args64);
 #endif
+
+	return (error);
+}
+
+void
+ia32_syscall(struct trapframe *frame)
+{
+	struct thread *td;
+	struct proc *p;
+	struct ia32_syscall_args sa;
+	register_t orig_tf_rflags;
+	int error;
+	ksiginfo_t ksi;
+
+	PCPU_INC(cnt.v_syscall);
+	td =3D curthread;
+	p =3D td->td_proc;
+	td->td_syscalls++;
+
+	td->td_pticks =3D 0;
+	td->td_frame =3D frame;
+	if (td->td_ucred !=3D p->p_ucred)=20
+		cred_update_thread(td);
+	orig_tf_rflags =3D frame->tf_rflags;
+	if (p->p_flag & P_TRACED) {
+		PROC_LOCK(p);
+		td->td_dbgflags &=3D ~TDB_USERWR;
+		PROC_UNLOCK(p);
+	}
+	error =3D fetch_ia32_syscall_args(td, &sa);
+
 	CTR4(KTR_SYSC, "syscall enter thread %p pid %d proc %s code %d", td,
-	    td->td_proc->p_pid, td->td_proc->p_comm, code);
+	    td->td_proc->p_pid, td->td_name, sa.code);
=20
 	if (error =3D=3D 0) {
 		td->td_retval[0] =3D 0;
 		td->td_retval[1] =3D frame->tf_rdx;
=20
-		STOPEVENT(p, S_SCE, narg);
-
+		STOPEVENT(p, S_SCE, sa.narg);
 		PTRACESTOP_SC(p, td, S_PT_SCE);
+		if (td->td_dbgflags & TDB_USERWR) {
+			/*
+			 * Reread syscall number and arguments if
+			 * debugger modified registers or memory.
+			 */
+			error =3D fetch_ia32_syscall_args(td, &sa);
+			if (error !=3D 0)
+				goto retval;
+			td->td_retval[1] =3D frame->tf_rdx;
+		}
=20
-		AUDIT_SYSCALL_ENTER(code, td);
-		error =3D (*callp->sy_call)(td, args64);
+		AUDIT_SYSCALL_ENTER(sa.code, td);
+		error =3D (*sa.callp->sy_call)(td, sa.args64);
 		AUDIT_SYSCALL_EXIT(error, td);
-	}
=20
+		/* Save the latest error return value. */
+		td->td_errno =3D error;
+	}
+ retval:
 	cpu_set_syscall_retval(td, error);
=20
 	/*
@@ -201,14 +236,16 @@ ia32_syscall(struct trapframe *frame)
 	 * Check for misbehavior.
 	 */
 	WITNESS_WARN(WARN_PANIC, NULL, "System call %s returning",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? freebsd32_syscallnames[code]=
 : "???");
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     freebsd32_syscallnames[sa.code] : "???");
 	KASSERT(td->td_critnest =3D=3D 0,
 	    ("System call %s returning in a critical section",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? freebsd32_syscallnames[code]=
 : "???"));
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     freebsd32_syscallnames[sa.code] : "???"));
 	KASSERT(td->td_locks =3D=3D 0,
 	    ("System call %s returning with %d locks held",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? freebsd32_syscallnames[code]=
 : "???",
-	    td->td_locks));
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     freebsd32_syscallnames[sa.code] : "???", td->td_locks));
=20
 	/*
 	 * Handle reschedule and other end-of-syscall issues
@@ -216,10 +253,10 @@ ia32_syscall(struct trapframe *frame)
 	userret(td, frame);
=20
 	CTR4(KTR_SYSC, "syscall exit thread %p pid %d proc %s code %d", td,
-	    td->td_proc->p_pid, td->td_proc->p_comm, code);
+	    td->td_proc->p_pid, td->td_proc->p_comm, sa.code);
 #ifdef KTRACE
 	if (KTRPOINT(td, KTR_SYSRET))
-		ktrsysret(code, error, td->td_retval[0]);
+		ktrsysret(sa.code, error, td->td_retval[0]);
 #endif
=20
 	/*
@@ -227,7 +264,7 @@ ia32_syscall(struct trapframe *frame)
 	 * register set.  If we ever support an emulation where this
 	 * is not the case, this code will need to be revisited.
 	 */
-	STOPEVENT(p, S_SCX, code);
+	STOPEVENT(p, S_SCX, sa.code);
 =20
 	PTRACESTOP_SC(p, td, S_PT_SCX);
 }
diff --git a/sys/i386/i386/trap.c b/sys/i386/i386/trap.c
index 1d3dc3b..305cfd2 100644
--- a/sys/i386/i386/trap.c
+++ b/sys/i386/i386/trap.c
@@ -969,97 +969,130 @@ dblfault_handler()
 	panic("double fault");
 }
=20
-/*
- *	syscall -	system call request C handler
- *
- *	A system call is essentially treated as a trap.
- */
-void
-syscall(struct trapframe *frame)
-{
-	caddr_t params;
+struct syscall_args {
+	u_int code;
 	struct sysent *callp;
-	struct thread *td =3D curthread;
-	struct proc *p =3D td->td_proc;
-	register_t orig_tf_eflags;
-	int error;
-	int narg;
 	int args[8];
-	u_int code;
-	ksiginfo_t ksi;
+	register_t *argp;
+	int narg;
+};
=20
-	PCPU_INC(cnt.v_syscall);
+static int
+fetch_syscall_args(struct thread *td, struct syscall_args *sa)
+{
+	struct proc *p;
+	struct trapframe *frame;
+	caddr_t params;
+	int error;
=20
-#ifdef DIAGNOSTIC
-	if (ISPL(frame->tf_cs) !=3D SEL_UPL) {
-		panic("syscall");
-		/* NOT REACHED */
-	}
-#endif
+	p =3D td->td_proc;
+	frame =3D td->td_frame;
=20
-	td->td_pticks =3D 0;
-	td->td_frame =3D frame;
-	if (td->td_ucred !=3D p->p_ucred)=20
-		cred_update_thread(td);
 	params =3D (caddr_t)frame->tf_esp + sizeof(int);
-	code =3D frame->tf_eax;
-	orig_tf_eflags =3D frame->tf_eflags;
+	sa->code =3D frame->tf_eax;
=20
 	if (p->p_sysent->sv_prepsyscall) {
-		(*p->p_sysent->sv_prepsyscall)(frame, args, &code, &params);
+		(*p->p_sysent->sv_prepsyscall)(frame, sa->args, &sa->code,
+		    &params);
 	} else {
 		/*
 		 * Need to check if this is a 32 bit or 64 bit syscall.
 		 */
-		if (code =3D=3D SYS_syscall) {
+		if (sa->code =3D=3D SYS_syscall) {
 			/*
 			 * Code is first argument, followed by actual args.
 			 */
-			code =3D fuword(params);
+			sa->code =3D fuword(params);
 			params +=3D sizeof(int);
-		} else if (code =3D=3D SYS___syscall) {
+		} else if (sa->code =3D=3D SYS___syscall) {
 			/*
 			 * Like syscall, but code is a quad, so as to maintain
 			 * quad alignment for the rest of the arguments.
 			 */
-			code =3D fuword(params);
+			sa->code =3D fuword(params);
 			params +=3D sizeof(quad_t);
 		}
 	}
=20
  	if (p->p_sysent->sv_mask)
- 		code &=3D p->p_sysent->sv_mask;
-
- 	if (code >=3D p->p_sysent->sv_size)
- 		callp =3D &p->p_sysent->sv_table[0];
+ 		sa->code &=3D p->p_sysent->sv_mask;
+ 	if (sa->code >=3D p->p_sysent->sv_size)
+ 		sa->callp =3D &p->p_sysent->sv_table[0];
   	else
- 		callp =3D &p->p_sysent->sv_table[code];
-
-	narg =3D callp->sy_narg;
+ 		sa->callp =3D &p->p_sysent->sv_table[sa->code];
+	sa->narg =3D sa->callp->sy_narg;
=20
-	if (params !=3D NULL && narg !=3D 0)
-		error =3D copyin(params, (caddr_t)args,
-		    (u_int)(narg * sizeof(int)));
+	if (params !=3D NULL && sa->narg !=3D 0)
+		error =3D copyin(params, (caddr_t)sa->args,
+		    (u_int)(sa->narg * sizeof(int)));
 	else
 		error =3D 0;
 	=09
 #ifdef KTRACE
 	if (KTRPOINT(td, KTR_SYSCALL))
-		ktrsyscall(code, narg, args);
+		ktrsyscall(sa->code, sa->narg, sa->args);
 #endif
+	return (error);
+}
=20
-	CTR4(KTR_SYSC, "syscall enter thread %p pid %d proc %s code %d", td,
-	    td->td_proc->p_pid, td->td_name, code);
+/*
+ *	syscall -	system call request C handler
+ *
+ *	A system call is essentially treated as a trap.
+ */
+void
+syscall(struct trapframe *frame)
+{
+	struct thread *td;
+	struct proc *p;
+	struct syscall_args sa;
+	register_t orig_tf_eflags;
+	int error;
+	ksiginfo_t ksi;
=20
+	PCPU_INC(cnt.v_syscall);
+	td =3D curthread;
+	p =3D td->td_proc;
 	td->td_syscalls++;
=20
+#ifdef DIAGNOSTIC
+	if (ISPL(frame->tf_cs) !=3D SEL_UPL) {
+		panic("syscall");
+		/* NOT REACHED */
+	}
+#endif
+
+	td->td_pticks =3D 0;
+	td->td_frame =3D frame;
+	if (td->td_ucred !=3D p->p_ucred)=20
+		cred_update_thread(td);
+	orig_tf_eflags =3D frame->tf_eflags;
+	if (p->p_flag & P_TRACED) {
+		PROC_LOCK(p);
+		td->td_dbgflags &=3D ~TDB_USERWR;
+		PROC_UNLOCK(p);
+	}
+	error =3D fetch_syscall_args(td, &sa);
+
+	CTR4(KTR_SYSC, "syscall enter thread %p pid %d proc %s code %d", td,
+	    td->td_proc->p_pid, td->td_name, sa.code);
+
 	if (error =3D=3D 0) {
 		td->td_retval[0] =3D 0;
 		td->td_retval[1] =3D frame->tf_edx;
=20
-		STOPEVENT(p, S_SCE, narg);
-
+		STOPEVENT(p, S_SCE, sa.narg);
 		PTRACESTOP_SC(p, td, S_PT_SCE);
+		if (td->td_dbgflags & TDB_USERWR) {
+			/*
+			 * Reread syscall number and arguments if
+			 * debugger modified registers or memory.
+			 */
+			error =3D fetch_syscall_args(td, &sa);
+			if (error !=3D 0)
+				goto retval;
+			td->td_retval[1] =3D frame->tf_edx;
+		}
=20
 #ifdef KDTRACE_HOOKS
 		/*
@@ -1067,13 +1100,13 @@ syscall(struct trapframe *frame)
 		 * callback and if there is a probe active for the
 		 * syscall 'entry', process the probe.
 		 */
-		if (systrace_probe_func !=3D NULL && callp->sy_entry !=3D 0)
-			(*systrace_probe_func)(callp->sy_entry, code, callp,
-			    args);
+		if (systrace_probe_func !=3D NULL && sa.callp->sy_entry !=3D 0)
+			(*systrace_probe_func)(sa.callp->sy_entry, sa.code,
+			    sa.callp, sa.args);
 #endif
=20
-		AUDIT_SYSCALL_ENTER(code, td);
-		error =3D (*callp->sy_call)(td, args);
+		AUDIT_SYSCALL_ENTER(sa.code, td);
+		error =3D (*sa.callp->sy_call)(td, sa.args);
 		AUDIT_SYSCALL_EXIT(error, td);
=20
 		/* Save the latest error return value. */
@@ -1085,12 +1118,12 @@ syscall(struct trapframe *frame)
 		 * callback and if there is a probe active for the
 		 * syscall 'return', process the probe.
 		 */
-		if (systrace_probe_func !=3D NULL && callp->sy_return !=3D 0)
-			(*systrace_probe_func)(callp->sy_return, code, callp,
-			    args);
+		if (systrace_probe_func !=3D NULL && sa.callp->sy_return !=3D 0)
+			(*systrace_probe_func)(sa.callp->sy_return, sa.code,
+			    sa.callp, sa.args);
 #endif
 	}
-
+ retval:
 	cpu_set_syscall_retval(td, error);
=20
 	/*
@@ -1109,14 +1142,16 @@ syscall(struct trapframe *frame)
 	 * Check for misbehavior.
 	 */
 	WITNESS_WARN(WARN_PANIC, NULL, "System call %s returning",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? syscallnames[code] : "???");
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     syscallnames[sa.code] : "???");
 	KASSERT(td->td_critnest =3D=3D 0,
 	    ("System call %s returning in a critical section",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? syscallnames[code] : "???"));
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     syscallnames[sa.code] : "???"));
 	KASSERT(td->td_locks =3D=3D 0,
 	    ("System call %s returning with %d locks held",
-	    (code >=3D 0 && code < SYS_MAXSYSCALL) ? syscallnames[code] : "???",
-	    td->td_locks));
+	    (sa.code >=3D 0 && sa.code < SYS_MAXSYSCALL) ?
+	     syscallnames[sa.code] : "???", td->td_locks));
=20
 	/*
 	 * Handle reschedule and other end-of-syscall issues
@@ -1124,11 +1159,11 @@ syscall(struct trapframe *frame)
 	userret(td, frame);
=20
 	CTR4(KTR_SYSC, "syscall exit thread %p pid %d proc %s code %d", td,
-	    td->td_proc->p_pid, td->td_name, code);
+	    td->td_proc->p_pid, td->td_name, sa.code);
=20
 #ifdef KTRACE
 	if (KTRPOINT(td, KTR_SYSRET))
-		ktrsysret(code, error, td->td_retval[0]);
+		ktrsysret(sa.code, error, td->td_retval[0]);
 #endif
=20
 	/*
@@ -1136,7 +1171,7 @@ syscall(struct trapframe *frame)
 	 * register set.  If we ever support an emulation where this
 	 * is not the case, this code will need to be revisited.
 	 */
-	STOPEVENT(p, S_SCX, code);
+	STOPEVENT(p, S_SCX, sa.code);
=20
 	PTRACESTOP_SC(p, td, S_PT_SCX);
 }
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index dfc36ba..3c6394c 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -816,6 +816,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void=
 *addr, int data)
=20
 	case PT_WRITE_I:
 	case PT_WRITE_D:
+		td2->td_dbgflags |=3D TDB_USERWR;
 		write =3D 1;
 		/* FALLTHROUGH */
 	case PT_READ_I:
@@ -884,6 +885,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void=
 *addr, int data)
 			break;
 		case PIOD_WRITE_D:
 		case PIOD_WRITE_I:
+			td2->td_dbgflags |=3D TDB_USERWR;
 			uio.uio_rw =3D UIO_WRITE;
 			break;
 		default:
@@ -906,6 +908,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void=
 *addr, int data)
 		goto sendsig;	/* in PT_CONTINUE above */
=20
 	case PT_SETREGS:
+		td2->td_dbgflags |=3D TDB_USERWR;
 		error =3D PROC_WRITE(regs, td2, addr);
 		break;
=20
@@ -914,6 +917,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void=
 *addr, int data)
 		break;
=20
 	case PT_SETFPREGS:
+		td2->td_dbgflags |=3D TDB_USERWR;
 		error =3D PROC_WRITE(fpregs, td2, addr);
 		break;
=20
@@ -922,6 +926,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void=
 *addr, int data)
 		break;
=20
 	case PT_SETDBREGS:
+		td2->td_dbgflags |=3D TDB_USERWR;
 		error =3D PROC_WRITE(dbregs, td2, addr);
 		break;
=20
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 0ae36af..dd9efae 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -341,6 +341,7 @@ do {									\
 /* Userland debug flags */
 #define	TDB_SUSPEND	0x00000001 /* Thread is suspended by debugger */
 #define	TDB_XSIG	0x00000002 /* Thread is exchanging signal under trace */
+#define	TDB_USERWR	0x00000004 /* Debugger modified memory or registers */
=20
 /*
  * "Private" flags kept in td_pflags:

--YCGSkTKVt49j0xAo
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAktTTBsACgkQC3+MBN1Mb4gimACgqDy33BQLby/qcFeTv2+r2Pgu
B0gAoNUuL+1fMTJqb4by4GjKLtUmF8Lx
=waFa
-----END PGP SIGNATURE-----

--YCGSkTKVt49j0xAo--