1 | /* |
2 | * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /* |
29 | * @OSF_COPYRIGHT@ |
30 | */ |
31 | /* |
32 | * Mach Operating System |
33 | * Copyright (c) 1991,1990,1989,1988,1987 Carnegie Mellon University |
34 | * All Rights Reserved. |
35 | * |
36 | * Permission to use, copy, modify and distribute this software and its |
37 | * documentation is hereby granted, provided that both the copyright |
38 | * notice and this permission notice appear in all copies of the |
39 | * software, derivative works or modified versions, and any portions |
40 | * thereof, and that both notices appear in supporting documentation. |
41 | * |
42 | * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" |
43 | * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR |
44 | * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. |
45 | * |
46 | * Carnegie Mellon requests users of this software to return to |
47 | * |
48 | * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU |
49 | * School of Computer Science |
50 | * Carnegie Mellon University |
51 | * Pittsburgh PA 15213-3890 |
52 | * |
53 | * any improvements or extensions that they make and grant Carnegie Mellon |
54 | * the rights to redistribute these changes. |
55 | */ |
56 | /* |
57 | */ |
58 | |
59 | #include <mach/mach_types.h> |
60 | #include <mach/boolean.h> |
61 | #include <mach/kern_return.h> |
62 | #include <mach/message.h> |
63 | #include <mach/port.h> |
64 | #include <mach/mig_errors.h> |
65 | #include <mach/task.h> |
66 | #include <mach/thread_status.h> |
67 | #include <mach/exception_types.h> |
68 | #include <mach/exc.h> |
69 | #include <mach/mach_exc.h> |
70 | |
71 | #include <ipc/port.h> |
72 | #include <ipc/ipc_entry.h> |
73 | #include <ipc/ipc_object.h> |
74 | #include <ipc/ipc_notify.h> |
75 | #include <ipc/ipc_space.h> |
76 | #include <ipc/ipc_pset.h> |
77 | #include <ipc/ipc_machdep.h> |
78 | |
79 | #include <kern/counters.h> |
80 | #include <kern/ipc_tt.h> |
81 | #include <kern/task.h> |
82 | #include <kern/thread.h> |
83 | #include <kern/processor.h> |
84 | #include <kern/sched.h> |
85 | #include <kern/sched_prim.h> |
86 | #include <kern/host.h> |
87 | #include <kern/misc_protos.h> |
88 | #include <kern/ux_handler.h> |
89 | |
90 | #include <security/mac_mach_internal.h> |
91 | #include <string.h> |
92 | |
93 | #include <pexpert/pexpert.h> |
94 | |
95 | extern int panic_on_exception_triage; |
96 | |
97 | unsigned long c_thr_exc_raise = 0; |
98 | unsigned long c_thr_exc_raise_state = 0; |
99 | unsigned long c_thr_exc_raise_state_id = 0; |
100 | unsigned long c_tsk_exc_raise = 0; |
101 | unsigned long c_tsk_exc_raise_state = 0; |
102 | unsigned long c_tsk_exc_raise_state_id = 0; |
103 | |
104 | /* forward declarations */ |
105 | kern_return_t exception_deliver( |
106 | thread_t thread, |
107 | exception_type_t exception, |
108 | mach_exception_data_t code, |
109 | mach_msg_type_number_t codeCnt, |
110 | struct exception_action *excp, |
111 | lck_mtx_t *mutex); |
112 | |
113 | static kern_return_t |
114 | check_exc_receiver_dependency( |
115 | exception_type_t exception, |
116 | struct exception_action *excp, |
117 | lck_mtx_t *mutex); |
118 | |
119 | #ifdef MACH_BSD |
120 | kern_return_t bsd_exception( |
121 | exception_type_t exception, |
122 | mach_exception_data_t code, |
123 | mach_msg_type_number_t codeCnt); |
124 | #endif /* MACH_BSD */ |
125 | |
126 | /* |
127 | * Routine: exception_deliver |
128 | * Purpose: |
129 | * Make an upcall to the exception server provided. |
130 | * Conditions: |
131 | * Nothing locked and no resources held. |
132 | * Called from an exception context, so |
133 | * thread_exception_return and thread_kdb_return |
134 | * are possible. |
135 | * Returns: |
136 | * KERN_SUCCESS if the exception was handled |
137 | */ |
138 | kern_return_t |
139 | exception_deliver( |
140 | thread_t thread, |
141 | exception_type_t exception, |
142 | mach_exception_data_t code, |
143 | mach_msg_type_number_t codeCnt, |
144 | struct exception_action *excp, |
145 | lck_mtx_t *mutex) |
146 | { |
147 | ipc_port_t exc_port = IPC_PORT_NULL; |
148 | exception_data_type_t small_code[EXCEPTION_CODE_MAX]; |
149 | int code64; |
150 | int behavior; |
151 | int flavor; |
152 | kern_return_t kr; |
153 | task_t task; |
154 | ipc_port_t thread_port = IPC_PORT_NULL, task_port = IPC_PORT_NULL; |
155 | |
156 | /* |
157 | * Save work if we are terminating. |
158 | * Just go back to our AST handler. |
159 | */ |
160 | if (!thread->active && !thread->inspection) |
161 | return KERN_SUCCESS; |
162 | |
163 | /* |
164 | * If there are no exception actions defined for this entity, |
165 | * we can't deliver here. |
166 | */ |
167 | if (excp == NULL) |
168 | return KERN_FAILURE; |
169 | |
170 | assert(exception < EXC_TYPES_COUNT); |
171 | if (exception >= EXC_TYPES_COUNT) |
172 | return KERN_FAILURE; |
173 | |
174 | excp = &excp[exception]; |
175 | |
176 | /* |
177 | * Snapshot the exception action data under lock for consistency. |
178 | * Hold a reference to the port over the exception_raise_* calls |
179 | * so it can't be destroyed. This seems like overkill, but keeps |
180 | * the port from disappearing between now and when |
181 | * ipc_object_copyin_from_kernel is finally called. |
182 | */ |
183 | lck_mtx_lock(mutex); |
184 | exc_port = excp->port; |
185 | if (!IP_VALID(exc_port)) { |
186 | lck_mtx_unlock(mutex); |
187 | return KERN_FAILURE; |
188 | } |
189 | ip_lock(exc_port); |
190 | if (!ip_active(exc_port)) { |
191 | ip_unlock(exc_port); |
192 | lck_mtx_unlock(mutex); |
193 | return KERN_FAILURE; |
194 | } |
195 | ip_reference(exc_port); |
196 | exc_port->ip_srights++; |
197 | ip_unlock(exc_port); |
198 | |
199 | flavor = excp->flavor; |
200 | behavior = excp->behavior; |
201 | lck_mtx_unlock(mutex); |
202 | |
203 | code64 = (behavior & MACH_EXCEPTION_CODES); |
204 | behavior &= ~MACH_EXCEPTION_CODES; |
205 | |
206 | if (!code64) { |
207 | small_code[0] = CAST_DOWN_EXPLICIT(exception_data_type_t, code[0]); |
208 | small_code[1] = CAST_DOWN_EXPLICIT(exception_data_type_t, code[1]); |
209 | } |
210 | |
211 | task = thread->task; |
212 | |
213 | #if CONFIG_MACF |
214 | /* Now is a reasonably good time to check if the exception action is |
215 | * permitted for this process, because after this point we will send |
216 | * the message out almost certainly. |
217 | * As with other failures, exception_triage_thread will go on |
218 | * to the next level. |
219 | */ |
220 | |
221 | /* The global exception-to-signal translation port is safe to be an exception handler. */ |
222 | if (is_ux_handler_port(exc_port) == FALSE && |
223 | mac_exc_action_check_exception_send(task, excp) != 0) { |
224 | kr = KERN_FAILURE; |
225 | goto out_release_right; |
226 | } |
227 | #endif |
228 | |
229 | if (behavior != EXCEPTION_STATE) { |
230 | if (thread != current_thread() || exception == EXC_CORPSE_NOTIFY) { |
231 | |
232 | task_reference(task); |
233 | task_port = convert_task_to_port(task); |
234 | /* task ref consumed */ |
235 | thread_reference(thread); |
236 | thread_port = convert_thread_to_port(thread); |
237 | /* thread ref consumed */ |
238 | } |
239 | else { |
240 | task_port = retrieve_task_self_fast(thread->task); |
241 | thread_port = retrieve_thread_self_fast(thread); |
242 | } |
243 | } |
244 | |
245 | switch (behavior) { |
246 | case EXCEPTION_STATE: { |
247 | mach_msg_type_number_t state_cnt; |
248 | thread_state_data_t state; |
249 | |
250 | c_thr_exc_raise_state++; |
251 | state_cnt = _MachineStateCount[flavor]; |
252 | kr = thread_getstatus_to_user(thread, flavor, |
253 | (thread_state_t)state, |
254 | &state_cnt); |
255 | if (kr == KERN_SUCCESS) { |
256 | if (code64) { |
257 | kr = mach_exception_raise_state(exc_port, |
258 | exception, |
259 | code, |
260 | codeCnt, |
261 | &flavor, |
262 | state, state_cnt, |
263 | state, &state_cnt); |
264 | } else { |
265 | kr = exception_raise_state(exc_port, exception, |
266 | small_code, |
267 | codeCnt, |
268 | &flavor, |
269 | state, state_cnt, |
270 | state, &state_cnt); |
271 | } |
272 | if (kr == KERN_SUCCESS) { |
273 | if (exception != EXC_CORPSE_NOTIFY) |
274 | kr = thread_setstatus_from_user(thread, flavor, |
275 | (thread_state_t)state, |
276 | state_cnt); |
277 | goto out_release_right; |
278 | } |
279 | |
280 | } |
281 | |
282 | goto out_release_right; |
283 | } |
284 | |
285 | case EXCEPTION_DEFAULT: |
286 | c_thr_exc_raise++; |
287 | if (code64) { |
288 | kr = mach_exception_raise(exc_port, |
289 | thread_port, |
290 | task_port, |
291 | exception, |
292 | code, |
293 | codeCnt); |
294 | } else { |
295 | kr = exception_raise(exc_port, |
296 | thread_port, |
297 | task_port, |
298 | exception, |
299 | small_code, |
300 | codeCnt); |
301 | } |
302 | |
303 | goto out_release_right; |
304 | |
305 | case EXCEPTION_STATE_IDENTITY: { |
306 | mach_msg_type_number_t state_cnt; |
307 | thread_state_data_t state; |
308 | |
309 | c_thr_exc_raise_state_id++; |
310 | state_cnt = _MachineStateCount[flavor]; |
311 | kr = thread_getstatus_to_user(thread, flavor, |
312 | (thread_state_t)state, |
313 | &state_cnt); |
314 | if (kr == KERN_SUCCESS) { |
315 | if (code64) { |
316 | kr = mach_exception_raise_state_identity( |
317 | exc_port, |
318 | thread_port, |
319 | task_port, |
320 | exception, |
321 | code, |
322 | codeCnt, |
323 | &flavor, |
324 | state, state_cnt, |
325 | state, &state_cnt); |
326 | } else { |
327 | kr = exception_raise_state_identity(exc_port, |
328 | thread_port, |
329 | task_port, |
330 | exception, |
331 | small_code, |
332 | codeCnt, |
333 | &flavor, |
334 | state, state_cnt, |
335 | state, &state_cnt); |
336 | } |
337 | |
338 | if (kr == KERN_SUCCESS) { |
339 | if (exception != EXC_CORPSE_NOTIFY) |
340 | kr = thread_setstatus_from_user(thread, flavor, |
341 | (thread_state_t)state, |
342 | state_cnt); |
343 | goto out_release_right; |
344 | } |
345 | |
346 | } |
347 | |
348 | goto out_release_right; |
349 | } |
350 | |
351 | default: |
352 | panic ("bad exception behavior!" ); |
353 | return KERN_FAILURE; |
354 | }/* switch */ |
355 | |
356 | out_release_right: |
357 | |
358 | if (task_port) { |
359 | ipc_port_release_send(task_port); |
360 | } |
361 | |
362 | if (thread_port) { |
363 | ipc_port_release_send(thread_port); |
364 | } |
365 | |
366 | if (exc_port) { |
367 | ipc_port_release_send(exc_port); |
368 | } |
369 | |
370 | return kr; |
371 | } |
372 | |
373 | /* |
374 | * Routine: check_exc_receiver_dependency |
375 | * Purpose: |
376 | * Verify that the port destined for receiving this exception is not |
377 | * on the current task. This would cause hang in kernel for |
378 | * EXC_CRASH primarily. Note: If port is transferred |
379 | * between check and delivery then deadlock may happen. |
380 | * |
381 | * Conditions: |
382 | * Nothing locked and no resources held. |
383 | * Called from an exception context. |
384 | * Returns: |
385 | * KERN_SUCCESS if its ok to send exception message. |
386 | */ |
387 | kern_return_t |
388 | check_exc_receiver_dependency( |
389 | exception_type_t exception, |
390 | struct exception_action *excp, |
391 | lck_mtx_t *mutex) |
392 | { |
393 | kern_return_t retval = KERN_SUCCESS; |
394 | |
395 | if (excp == NULL || exception != EXC_CRASH) |
396 | return retval; |
397 | |
398 | task_t task = current_task(); |
399 | lck_mtx_lock(mutex); |
400 | ipc_port_t xport = excp[exception].port; |
401 | if ( IP_VALID(xport) |
402 | && ip_active(xport) |
403 | && task->itk_space == xport->ip_receiver) |
404 | retval = KERN_FAILURE; |
405 | lck_mtx_unlock(mutex); |
406 | return retval; |
407 | } |
408 | |
409 | |
410 | /* |
411 | * Routine: exception_triage_thread |
412 | * Purpose: |
413 | * The thread caught an exception. |
414 | * We make an up-call to the thread's exception server. |
415 | * Conditions: |
416 | * Nothing locked and no resources held. |
417 | * Called from an exception context, so |
418 | * thread_exception_return and thread_kdb_return |
419 | * are possible. |
420 | * Returns: |
421 | * KERN_SUCCESS if exception is handled by any of the handlers. |
422 | */ |
423 | kern_return_t |
424 | exception_triage_thread( |
425 | exception_type_t exception, |
426 | mach_exception_data_t code, |
427 | mach_msg_type_number_t codeCnt, |
428 | thread_t thread) |
429 | { |
430 | task_t task; |
431 | host_priv_t host_priv; |
432 | lck_mtx_t *mutex; |
433 | kern_return_t kr = KERN_FAILURE; |
434 | |
435 | assert(exception != EXC_RPC_ALERT); |
436 | |
437 | /* |
438 | * If this behavior has been requested by the the kernel |
439 | * (due to the boot environment), we should panic if we |
440 | * enter this function. This is intended as a debugging |
441 | * aid; it should allow us to debug why we caught an |
442 | * exception in environments where debugging is especially |
443 | * difficult. |
444 | */ |
445 | if (panic_on_exception_triage) { |
446 | panic("called exception_triage when it was forbidden by the boot environment" ); |
447 | } |
448 | |
449 | /* |
450 | * Try to raise the exception at the activation level. |
451 | */ |
452 | mutex = &thread->mutex; |
453 | if (KERN_SUCCESS == check_exc_receiver_dependency(exception, thread->exc_actions, mutex)) |
454 | { |
455 | kr = exception_deliver(thread, exception, code, codeCnt, thread->exc_actions, mutex); |
456 | if (kr == KERN_SUCCESS || kr == MACH_RCV_PORT_DIED) |
457 | goto out; |
458 | } |
459 | |
460 | /* |
461 | * Maybe the task level will handle it. |
462 | */ |
463 | task = thread->task; |
464 | mutex = &task->itk_lock_data; |
465 | if (KERN_SUCCESS == check_exc_receiver_dependency(exception, task->exc_actions, mutex)) |
466 | { |
467 | kr = exception_deliver(thread, exception, code, codeCnt, task->exc_actions, mutex); |
468 | if (kr == KERN_SUCCESS || kr == MACH_RCV_PORT_DIED) |
469 | goto out; |
470 | } |
471 | |
472 | /* |
473 | * How about at the host level? |
474 | */ |
475 | host_priv = host_priv_self(); |
476 | mutex = &host_priv->lock; |
477 | |
478 | if (KERN_SUCCESS == check_exc_receiver_dependency(exception, host_priv->exc_actions, mutex)) |
479 | { |
480 | kr = exception_deliver(thread, exception, code, codeCnt, host_priv->exc_actions, mutex); |
481 | if (kr == KERN_SUCCESS || kr == MACH_RCV_PORT_DIED) |
482 | goto out; |
483 | } |
484 | |
485 | out: |
486 | if ((exception != EXC_CRASH) && (exception != EXC_RESOURCE) && |
487 | (exception != EXC_GUARD) && (exception != EXC_CORPSE_NOTIFY)) |
488 | thread_exception_return(); |
489 | return kr; |
490 | } |
491 | |
492 | /* |
493 | * Routine: exception_triage |
494 | * Purpose: |
495 | * The current thread caught an exception. |
496 | * We make an up-call to the thread's exception server. |
497 | * Conditions: |
498 | * Nothing locked and no resources held. |
499 | * Called from an exception context, so |
500 | * thread_exception_return and thread_kdb_return |
501 | * are possible. |
502 | * Returns: |
503 | * KERN_SUCCESS if exception is handled by any of the handlers. |
504 | */ |
505 | kern_return_t |
506 | exception_triage( |
507 | exception_type_t exception, |
508 | mach_exception_data_t code, |
509 | mach_msg_type_number_t codeCnt) |
510 | { |
511 | thread_t thread = current_thread(); |
512 | return exception_triage_thread(exception, code, codeCnt, thread); |
513 | } |
514 | |
515 | kern_return_t |
516 | bsd_exception( |
517 | exception_type_t exception, |
518 | mach_exception_data_t code, |
519 | mach_msg_type_number_t codeCnt) |
520 | { |
521 | task_t task; |
522 | lck_mtx_t *mutex; |
523 | thread_t self = current_thread(); |
524 | kern_return_t kr; |
525 | |
526 | /* |
527 | * Maybe the task level will handle it. |
528 | */ |
529 | task = current_task(); |
530 | mutex = &task->itk_lock_data; |
531 | |
532 | kr = exception_deliver(self, exception, code, codeCnt, task->exc_actions, mutex); |
533 | |
534 | if (kr == KERN_SUCCESS || kr == MACH_RCV_PORT_DIED) |
535 | return(KERN_SUCCESS); |
536 | return(KERN_FAILURE); |
537 | } |
538 | |
539 | |
540 | /* |
541 | * Raise an exception on a task. |
542 | * This should tell launchd to launch Crash Reporter for this task. |
543 | */ |
544 | kern_return_t task_exception_notify(exception_type_t exception, |
545 | mach_exception_data_type_t exccode, mach_exception_data_type_t excsubcode) |
546 | { |
547 | mach_exception_data_type_t code[EXCEPTION_CODE_MAX]; |
548 | wait_interrupt_t wsave; |
549 | kern_return_t kr = KERN_SUCCESS; |
550 | |
551 | code[0] = exccode; |
552 | code[1] = excsubcode; |
553 | |
554 | wsave = thread_interrupt_level(THREAD_UNINT); |
555 | kr = exception_triage(exception, code, EXCEPTION_CODE_MAX); |
556 | (void) thread_interrupt_level(wsave); |
557 | return kr; |
558 | } |
559 | |
560 | |
561 | /* |
562 | * Handle interface for special performance monitoring |
563 | * This is a special case of the host exception handler |
564 | */ |
565 | kern_return_t sys_perf_notify(thread_t thread, int pid) |
566 | { |
567 | host_priv_t hostp; |
568 | ipc_port_t xport; |
569 | wait_interrupt_t wsave; |
570 | kern_return_t ret; |
571 | |
572 | hostp = host_priv_self(); /* Get the host privileged ports */ |
573 | mach_exception_data_type_t code[EXCEPTION_CODE_MAX]; |
574 | code[0] = 0xFF000001; /* Set terminate code */ |
575 | code[1] = pid; /* Pass out the pid */ |
576 | |
577 | struct task *task = thread->task; |
578 | xport = hostp->exc_actions[EXC_RPC_ALERT].port; |
579 | |
580 | /* Make sure we're not catching our own exception */ |
581 | if (!IP_VALID(xport) || |
582 | !ip_active(xport) || |
583 | task->itk_space == xport->data.receiver) { |
584 | |
585 | return(KERN_FAILURE); |
586 | } |
587 | |
588 | wsave = thread_interrupt_level(THREAD_UNINT); |
589 | ret = exception_deliver( |
590 | thread, |
591 | EXC_RPC_ALERT, |
592 | code, |
593 | 2, |
594 | hostp->exc_actions, |
595 | &hostp->lock); |
596 | (void)thread_interrupt_level(wsave); |
597 | |
598 | return(ret); |
599 | } |
600 | |
601 | |