Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
1
votes
0
answers
19
views
Process Maps in s390x linux systems
So I am working on a debugger for linux s390x system and have the whole disassembler etc set up for reading the ELF file. For debugger I just run it on the process with base address from the process maps. Now when running for debugger, the process map doesn't have a read only map which would only ha...
So I am working on a debugger for linux s390x system and have the whole disassembler etc set up for reading the ELF file. For debugger I just run it on the process with base address from the process maps.
Now when running for debugger, the process map doesn't have a read only map which would only have ELF headers and this map also does not have the ELF magic bytes in the starting unlike other systems like linux x86_64 and linux arm64. Now this affects my debugger as the addresses are set according to this.
Also to set up the breakpoint ptrace provides the
#define S390_BREAKPOINT_U16 ((__u16)0x0001)
Now when set the this at the opcode, it hits the breakpoint correctly, but when I replace the original opcode, the opcode 4 bytes ahead gets placed at this position for some reason.
I think most probably the ELF header magic bytes missing messes up stuff, even if i set the breakpoint to start of a function like main SIGILL is hit some
well-mannered-goat
(31 rep)
Jul 31, 2025, 03:35 PM
0
votes
0
answers
44
views
Grant one process access to proc of another process?
I'd like a monitoring daemon to be able to access `/proc/ /smaps_rollup` of another process to be able to report swap usage of that process. I found information that access to that file is "governed by a ptrace access mode `PTRACE_MODE_READ_FSCREDS` check" but I have no idea what that means. Is ther...
I'd like a monitoring daemon to be able to access
/proc//smaps_rollup of another process to be able to report swap usage of that process.
I found information that access to that file is "governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check" but I have no idea what that means.
Is there a way to grant the monitoring daemon access to the smaps_rollup file of another process, other than running it as root?
AndreKR
(1218 rep)
Mar 25, 2024, 02:48 AM
0
votes
1
answers
188
views
Why does PTRACE_PEEKUSER not allow reading of FPU registers on x86_64?
`PTRACE_PEEKUSER` is documented to read a word from the `user` area, whose partial layout on x86_64 is: ``` struct user { struct user_regs_struct regs; int u_fpvalid; struct user_fpregs_struct i387; //... int u_debugreg [8]; }; ``` While one can happily call `PTRACE_PEEKUSER` with an offset which li...
PTRACE_PEEKUSER is documented to read a word from the user area, whose partial layout on x86_64 is:
struct user
{
struct user_regs_struct regs;
int u_fpvalid;
struct user_fpregs_struct i387;
//...
int u_debugreg ;
};PTRACE_PEEKUSER with an offset which lies within regs or u_debugreg, passing an offset which is within i387 returns EIO unconditionally.
Looking at the code in the kernel, I can see that reading inside regs and u_debugreg are the only supported offsets:
case PTRACE_PEEKUSR: {
unsigned long tmp;
ret = -EIO;
if ((addr & (sizeof(data) - 1)) || addr >= sizeof(struct user))
break;
tmp = 0; /* Default return condition */
if (addr = offsetof(struct user, u_debugreg) &&
addr <= offsetof(struct user, u_debugreg)) {
addr -= offsetof(struct user, u_debugreg);
tmp = ptrace_get_debugreg(child, addr / sizeof(data));
}
ret = put_user(tmp, datap);
break;
}i387 is not supported. I know that I can read those registers by calling PTRACE_GETFPREGS instead. My question is: is there a specific reason why reading those registers using PTRACE_PEEKUSER and writing them with PTRACE_POKEUSER is disabled?
My guess is that it's because most of the fields in user_fpregs_struct are smaller than 64 bits, therefore reads and writes may cover multiple registers. However, I'm writing a resource which will be public and will have a note on this, so I'd rather be certain that my guess is right.
TartanLlama
(101 rep)
Jun 22, 2023, 11:37 AM
• Last activity: Jun 23, 2023, 05:03 AM
0
votes
1
answers
186
views
syscall accept4() returns an invalid value
I created a program similar to "strace" which is able to log the syscalls. Also I installed a webserver and watched the syscalls from 'strace' and from my program and compared them. For each program, I initiated to the webserver a simple HTTP GET request which created several syscalls. ### In my pro...
I created a program similar to "strace" which is able to log the syscalls.
Also I installed a webserver and watched the syscalls from 'strace' and from my program and compared them.
For each program, I initiated to the webserver a simple HTTP GET request which created several syscalls.
### In my program: ###
I noticed that in a certain accept4() execution, the return value is (-11), meaning (minus 11) !
But that (-11) return value for accept4() should never happen.
I can't figure out why I get (-11) in register RAX when the accept4() syscall exits.
Attached the log of my program.
There are two accept4() syscalls (syscall number 288):
* Line 14: First accept4() syscall, entry.
* Line 18: First accept4() syscall, exit.
* Line 86: Second accept4() syscall, entry.
* Line 90: Second accept4() syscall, exit.
### In the 'strace' program: ###
The suspected accept4() returns (-1) which 'strace' identifies as EAGAIN.
But according to 'errno' program, then:
~$ errno 1
EPERM 1 Operation not permitted
~$ errno 11
EAGAIN 11 Resource temporarily unavailable
Attached the log of the 'strace' program.
There are two accept4() syscalls (syscall number 288):
* Line 4: First accept4() syscall.
* Line 15: Second accept4() syscall.
## My questions are: ##
1. Why strace reports a different return value than my program?
2. How should I properly interpret the (-11) that the second accept4() syscall returns?
----
Additional technical data:
Using gcc compiler with flags "-g -Wall" and linker flag "-lm".
The important data from "gcc -v" is:
Target: x86_64-linux-gnu
gcc version 11.3.0 (Ubuntu 11.3.0-1ubuntu1~22.04)
Include paths from "cpp -v":
/usr/lib/gcc/x86_64-linux-gnu/11/include
/usr/local/include
/usr/include/x86_64-linux-gnu
/usr/include
user554179
(1 rep)
Dec 24, 2022, 12:35 AM
• Last activity: Dec 24, 2022, 09:15 AM
0
votes
2
answers
4271
views
Permission error when attaching GDB to PID of running process
I have such a toy C++ program ```cpp #include int main() { int n{}; std::cin >> n; // waits for input std::cout This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was c...
I have such a toy C++ program
#include
int main() {
int n{};
std::cin >> n; // waits for input
std::cout
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 1086551
ptrace: Operation not permitted.
Enlico
(2258 rep)
Aug 12, 2022, 05:54 PM
• Last activity: Aug 13, 2022, 07:20 AM
2
votes
0
answers
980
views
Strace displaying results in ASCII only at process ending and not runtime
I'm searching a way for `strace` to print the content of the `write(...)` syscall to ASCII and not useless bytes ! --- The `Strace` command I use : ``` sudo strace -e write=1 -e trace=write -s9999 -p 551 2>&1 ``` The output is made of 3 different sections : ### 1) The gibberish ``` write(4, ",\307\3...
I'm searching a way for
strace to print the content of the write(...) syscall to ASCII and not useless bytes !
---
The Strace command I use :
sudo strace -e write=1 -e trace=write -s9999 -p 551 2>&1write(4, ",\307\3440#\360\277c\355)\246}\235H\320\301H\356Q[\0370\255T50\361\345VM\203\266\344\3320\352\210A3\262\276\356qRi\333/\322\306\n\310\0106\n\357\370\335sug\212W\22'\302\244\317\322\271e\356\272\\\212n\204\202\372\376\236\16\270\254\234]\326ei\2520\27O\217\344\225\376\225\255\"\241\221\27\374f[/\r\325\343\35V\204\377y\240n4Gd\t\257\357\35u\251\23\213g\314>\25\35\276\275\251Fl\21\263\204\2257\211\354\201(\274\237\373\17\247;\221\373._E\234\337\276\312\300(\374\227\323\323\364\357\203\32\231\265X\2\31\323\2-\334S\252\334\277\243\242'\343\273\231\n\1N\221\31S\3214\7\366\340$\"\223#\201\261':\226\343\215\375\356\25\316,m\243\335\16\334\36\322x\210\365*\326\306L\225n_glJ\264\0163\237\274\270y&6\314\323V\325\264\206]\312!\240+\27\252\244\25\301\23P\341\35\261\301\363\3\320\2727\341s\333f\272\343\277\374g\207\341\320d(+\357\266N\244\231\vE\17\217\243:\322\217\250I\31\246.-ty\271X\320\4/S\217\364\362W\226_\234\257s\263yl\23\277\361?\210\217\242\274\311\366Q\351<\251\223B\332J\263\201\365\321zuK\217\352\257x@\2\322\211_\2663\21SMl\317\t\251\335r\367 q\236,\203\224\377\4G\24R\2635\1b\302\271\334\350\2333\213\201\300Y\200\31\340\2474\35\322\365_\4`\325b\17\233\24\236\257\265\304\36\263W\344\3+1\265\374\317qZ\2270\205\314\177\2021-
..., 4096) = 4096
write(4, "a\n\32\"\254\255\254\34\371\320\20s)\341\202\207<\327_\334\333\r\336\273\6\275\322.\343\r\251\313A^V\313\24\255A)\226R\28\217L\267\271\10\352@7\24\342J\32J#\203;\201\376\21\330\241\374y\24\34\343\203\270ZV\255;A\346\375(\314\36\236O\250\326\0\330d\271\34\315\234\311\330\217Q:C\225D\261\376o\244\223j]\2003\204l\36s\263\37\204UQ\301\364aOUc\330b\24k*q\35YhS\377\364\343\207P\217\\\330\314\301U\227\35F\24v,V\222\313}\350\261^\307\\\0054OyN\227\275\260&g\302(\312\24\331zf\n\300\312\\s+ZS\341~\245t\263'\226\254\200+8m\207\345\224E\3478\rR\327t\202\261\206\256\2457\324%u\210c\336\2\373\6\6\10\10w\211\206W\365\355c\313\373\273\334\375@g\234;\357\227\4\264\240\232\310\270\235t\37\235\177\322*0\354C\212X\354#\351\307|Y\237~\314\346}FI\321--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=568, si_uid=0, si_status=0, si_utime=7, si_stime=3} ---
write(1, ACTUAL_LOGS_OF_THE_APP ... , 5754) = 5754SIGCHLD" it feels like this write() is NOT a random write made by the app... Why would I have 99,9% of strangely encoded data and only one line displayed correctly...?
### 3) Ends with the hexa table
| 00000 5b 49 4c 44 4g 5a 3e 28 3e 3e 3f 3f 3f 52 72 60 [INFO]: some log |
| 00010 71 71 61 6a 61 29 69 76 6a 62 72 62 6b 6b 22 68 I want to see an |
| 00020 6E 6a 6a 63 63 76 2a 22 72 6b 62 6a 6a 79 73 62 d is redacted as |
| 00030 71 71 26 62 6b 60 29 62 6a 6a 72 60 71 73 28 69 posting on so is |
...strace and **contains exactly the logs I would like to see !**
*Though I don't want to see them at process end but at runtime !*
---
I would apreciated some help to figure out what I should do with (1) or maybe get (3) at runtime and not only at the end...
thx !
Doctor
(143 rep)
Jun 17, 2021, 05:17 PM
-1
votes
1
answers
803
views
ptrace PTRACE_PEEKTEXT error
Why I get this error when I use ptrace PTRACE_PEEKTEXT in my C program?? the part of program that I use PTRACE_PEEKTEXT in it is: ``` static void read_file(pid_t child, char *file) { char *child_addr; int i; child_addr = (char *) ptrace(PTRACE_PEEKUSER, child, sizeof(long)*RDI, 0); do { long val; ch...
Why I get this error when I use ptrace PTRACE_PEEKTEXT in my C program??
the part of program that I use PTRACE_PEEKTEXT in it is:
static void read_file(pid_t child, char *file)
{
char *child_addr;
int i;
child_addr = (char *) ptrace(PTRACE_PEEKUSER, child, sizeof(long)*RDI, 0);
do {
long val;
char *p;
val = ptrace(PTRACE_PEEKDATA, child, child_addr, NULL);
if (val == -1) {
fprintf(stderr, "PTRACE_PEEKTEXT error: %s", strerror(errno));
exit(1);
}
child_addr += sizeof (long);
p = (char *) &val;
for (i = 0; i < sizeof (long); ++i, ++file) {
*file = *p++;
if (*file == '\0') break;
}
} while (i == sizeof (long));
}PTRACE_PEEKTEXT error: Input/output error[1]
Mostafa Sarmad
(11 rep)
May 17, 2021, 12:21 PM
• Last activity: May 17, 2021, 12:55 PM
1
votes
1
answers
648
views
Is there a better method than ptrace for intercepting ("catching") Linux syscalls coming from a forked process?
I would like to catch all syscalls coming from a forked process, modify them, send them to the kernel, and then pass them back to the forked process. Is this possible, and if so, how might I go about this? I've done some research, and found ptrace, but it seems a bit heavy weight because it does so...
I would like to catch all syscalls coming from a forked process, modify them, send them to the kernel, and then pass them back to the forked process. Is this possible, and if so, how might I go about this?
I've done some research, and found ptrace, but it seems a bit heavy weight because it does so many things (modifying registers, etc...). Correct me if I am incorrect, however.
Sally Beuford
(15 rep)
Dec 29, 2020, 04:31 AM
• Last activity: Dec 29, 2020, 10:20 AM
1
votes
0
answers
3193
views
Ptrace: Function Not Implemented in GDB Installed on Multiarch/Qemu-User-Static Arm64v8/Alpine Docker Container
I want to debug an aarch64 ELF using GDB installed on an arm64v8/alpine docker on my x86_64 16.04 Ubuntu VirtualBox, which itself is installed on my Mac. In particular, to set up the docker I use the instructions [here][1]. That is: `sudo docker run --rm --privileged multiarch/qemu-user-static --res...
I want to debug an aarch64 ELF using GDB installed on an arm64v8/alpine docker on my x86_64 16.04 Ubuntu VirtualBox, which itself is installed on my Mac. In particular, to set up the docker I use the instructions here . That is:
sudo docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
sudo docker run --rm -it -v /directory_on_ubuntu:/directory_on_alpine arm64v8/alpine /bin/ash
I install GDB on the alpine container and get the PID of the ELF process using the ps aux command in alpine, attach to it using (gdb) attach PID at point which I receive a ptrace: Function not implemented warning. I've read posts on --cap-add=SYS_PTRACE and seccomp tags but shouldn't the privileged tag in the first line take care of the security aspects of the docker? I also looked into the /proc/sys/kernel/yama/ptrace_scope file on both the container and my Ubuntu host and set the value to 0. It's also worth mentioning that I didn't find any /etc/sysctl.d/10-ptrace.conf file on the alpine container while on the Ubuntu host the variable kernel.yama.ptrace_scope=0. But I feel ptrace not being implemented means there is a bigger issue maybe with the way I set up the docker. Any help or workarounds for getting GDB to debug the binary is appreciated.
Newbie
(135 rep)
Dec 1, 2020, 04:32 PM
• Last activity: Dec 1, 2020, 08:22 PM
0
votes
1
answers
709
views
What can a debugger do with /proc that cannot be done with ptrace?
The [Wikipedia article on ptrace][1] says: > Communications between the controller and target take place using repeated calls of ptrace, passing a small fixed-size block of memory between the two (necessitating two context switches per call); this is acutely inefficient when accessing large amounts...
The Wikipedia article on ptrace says:
> Communications between the controller and target take place using repeated calls of ptrace, passing a small fixed-size block of memory between the two (necessitating two context switches per call); this is acutely inefficient when accessing large amounts of the target's memory, as this can only be done in word sized blocks (with a ptrace call for each word). For this reason the 8th edition of Unix introduced procfs, which allows permitted processes direct access to the memory of another process - 4.4BSD followed, and the use of /proc for debugger support was inherited by Solaris, BSD, and AIX, and mostly copied by Linux
Is faster memory access the only thing that a debugger would care about that
/proc allows but which is not possible with ptrace? For example, is there more debugger-relevant information about the running program available through /proc? What about additional debugger-relevant ways to manipulate programs? Would /proc be generally more efficient than ptrace, or is reading large blocks of memory the only noticeably less performant case?
Ryan1729
(641 rep)
Jul 4, 2020, 03:39 AM
• Last activity: Jul 4, 2020, 10:04 PM
5
votes
0
answers
2401
views
Change ptrace_scope temporarily for a specific user
[`ptrace_scope`][0] is a sysctl value (`/proc/sys/kernel/yama/ptrace_scope`) that prevents the use of `ptrace` on non-child processes when set to 1. This is generally considered good security practice. Unfortunately, being able to ptrace a process as a developer (and attach to a running process, so...
ptrace_scope is a sysctl value (/proc/sys/kernel/yama/ptrace_scope) that prevents the use of ptrace on non-child processes when set to 1. This is generally considered good security practice.
Unfortunately, being able to ptrace a process as a developer (and attach to a running process, so not a child process) is very useful. Using sudo with the CAP_SYS_PTRACE capability allows one to attach to *any* running process, not just processes owned by the user. On a shared dev box, it might not be desirable to allow ptrace via sudo for all processes, as that essentially allows arbitrary code to be run as any user.
What I would like to do is allow a user to sudo (or otherwise require authentication) to ptrace a non-child process, but not to allow them to ptrace arbitrary processes. Essentially allowing them to change ptrace_scope for themselves on a temporary, authentication guarded basis.
Is this possible?
Andrew Spott
(151 rep)
Jan 10, 2020, 05:16 PM
• Last activity: Jan 10, 2020, 06:24 PM
1
votes
1
answers
235
views
Do file writes as in-memory fake on Linux
I'd like to run a Linux process in a fake-write environment where all file writes (with the *write(2)* system call) are redirected to an in-memory cache, and subsequent reads (of the same region only) will be served from the cache. The cache can be discarded after the process finishes. The files the...
I'd like to run a Linux process in a fake-write environment where all file writes (with the *write(2)* system call) are redirected to an in-memory cache, and subsequent reads (of the same region only) will be served from the cache. The cache can be discarded after the process finishes.
The files the process will be modifying are huge (several terabytes), but the total amount of written data is small (a few megabytes). So overlayfs is not an option, because I don't have several terabytes of free space.
Please note that I don't care about fake device nodes or fake permissions, thus *fakeroot(1)* doesn't help me.
This should be possible to implement with LD_PRELOAD, *ptrace(2)*, *fuse(8)* or dm snapshot . Is there an existing tool which will do it for me, like this:
$ fakewrites ./myprog myfile.dat
pts
(1119 rep)
Nov 22, 2019, 01:07 PM
• Last activity: Nov 22, 2019, 01:19 PM
1
votes
0
answers
426
views
Which one to use Cross Memory Attach or ptrace?
I'm trying out ptrace system calls, I just discovered [Cross Memory Attach][1] from Christopher Yeoh. I wonder which one is better in term of performance between Cross Memory Attach and ptrace. Thanks in advance [1]: https://lwn.net/Articles/453053/
I'm trying out ptrace system calls, I just discovered Cross Memory Attach from Christopher Yeoh.
I wonder which one is better in term of performance between Cross Memory Attach and ptrace.
Thanks in advance
Pierre Le Guen
(103 rep)
Feb 25, 2019, 09:44 AM
3
votes
1
answers
1551
views
How can I make a specific process exec a given executable with ptrace()?
I am trying to force the init process of an embedded Linux system to `exec()` my own init program (systemd) so that I can test an external filesystem before writing it to the system's flash (and risk bricking the device). With GDB, I can run the command `gdb --pid=1`, then in that shell type `call e...
I am trying to force the init process of an embedded Linux system to
exec() my own init program (systemd) so that I can test an external filesystem before writing it to the system's flash (and risk bricking the device). With GDB, I can run the command gdb --pid=1, then in that shell type call execl("/lib/systemd/systemd", "systemd", 0) (which works exactly as I need it to), but I do not have enough room to put GDB on the system's flash.
I was wondering exactly what ptrace() calls GDB uses with its call command so that I can implement that in my own simple C program.
I tried using strace to figure out what ptrace() calls GDB used, but the resulting file was 172,031 lines long. I also tried looking through its source code, but there were too many files to find what I was looking for.
The device is running Linux kernel version 3.10.0, the configuration is available here: https://pastebin.com/rk0Zux62
Billy
(755 rep)
Aug 24, 2018, 01:42 AM
• Last activity: Sep 3, 2018, 07:12 PM
3
votes
1
answers
1156
views
Why do strace and ltrace cause EINTR to happen?
Consider this program: #include #include int main(void) { int epfd = epoll_create1(0); struct epoll_event event; event.events = EPOLLIN; event.data.fd = 0; epoll_ctl(epfd, EPOLL_CTL_ADD, 0, &event); epoll_wait(epfd, &event, 1, -1); perror("epoll_wait"); return 0; } When I run this program by itself,...
Consider this program:
#include
#include
int main(void) {
int epfd = epoll_create1(0);
struct epoll_event event;
event.events = EPOLLIN;
event.data.fd = 0;
epoll_ctl(epfd, EPOLL_CTL_ADD, 0, &event);
epoll_wait(epfd, &event, 1, -1);
perror("epoll_wait");
return 0;
}
When I run this program by itself, resizing the terminal (thus generating SIGWINCH) doesn't do anything to it, and it keeps waiting for input on stdin. When I run it inside strace or ltrace, the SIGWINCH results in epoll_wait erroring with EINTR. My understanding of EINTR is that it's only generated if a signal calls a signal handler in your code, but I don't have any of them registered. I thought that strace or ltrace may have been setting one for me, so I tried explicitly setting it to SIG_IGN, but this still didn't stop the EINTR. Why is this happening?
Joseph Sible-Reinstate Monica
(4220 rep)
Aug 27, 2018, 10:14 PM
• Last activity: Aug 27, 2018, 10:58 PM
1
votes
0
answers
101
views
Is there a way in which we can notify the tracer (parent process) when the tracee (child process) executes a branch instruction?
As we know, the ptrace system call is one of the most powerful system calls in unix-like systems. All debugging software use ptrace for monitoring and manipulating another process, i.e. tracee. Using ptrace, we can track read/write system call in the tracee process. I ask, can we use ptrace in order...
As we know, the ptrace system call is one of the most powerful system calls in unix-like systems. All debugging software use ptrace for monitoring and manipulating another process, i.e. tracee. Using ptrace, we can track read/write system call in the tracee process. I ask, can we use ptrace in order to monitor the tracee and notify the tracer only when the tracee executes a branch instruction? Is this possible? if not, can we notify the tracer when a specific instruction at a specific address is executed?
PTRACE_SINGLESTEP is not appropriate to be used in my case because it leads to performance degradation.
Thanks for any help.
husin alhaj ahmade
(307 rep)
Mar 6, 2018, 08:02 AM
3
votes
1
answers
730
views
Compile ptrace() program on OSX
I have this simple C program on MacOS: #include #include #include #include int main(int argc, char *argv[]) { pid_t pid = atoi(argv[1]); printf("pid = %jd\n", (intmax_t) pid); return ptrace(PT_ATTACHEXC, pid, 0, 0); } when I compile with gcc / cc, I get this error: > In file included from my-waiter....
I have this simple C program on MacOS:
#include
#include
#include
#include
int main(int argc, char *argv[]) {
pid_t pid = atoi(argv);
printf("pid = %jd\n", (intmax_t) pid);
return ptrace(PT_ATTACHEXC, pid, 0, 0);
}
when I compile with gcc / cc, I get this error:
> In file included from my-waiter.c:4:
> /usr/include/sys/ptrace.h:99:38: error: unknown type name 'caddr_t'
> int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
> ^
> 1 error generated.
does anyone know how to use
ptrace() on OSX? I can't figure out how to get this to compile.
Alexander Mills
(10734 rep)
Feb 28, 2018, 08:46 PM
• Last activity: Feb 28, 2018, 10:15 PM
Showing page 1 of 17 total questions