git: 96f262dcacdb - main - tests/sys/arch/amd64: Add a basic ptrace syscall tampering test

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Ed Maste <emaste_at_FreeBSD.org>
Date: Wed, 13 May 2026 20:40:36 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=96f262dcacdbfb56e94c60985b07f9f8ee2d046b

commit 96f262dcacdbfb56e94c60985b07f9f8ee2d046b
Author:     Alex S <iwtcex@gmail.com>
AuthorDate: 2026-05-11 23:52:20 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-05-13 20:40:16 +0000

    tests/sys/arch/amd64: Add a basic ptrace syscall tampering test
    
    Signed-off-by: Alex S <iwtcex@gmail.com>
    Reviewed-by: kib
    Pull-request: https://github.com/freebsd/freebsd-src/pull/2190
---
 tests/sys/arch/amd64/Makefile            |  1 +
 tests/sys/arch/amd64/ptrace-sce-tamper.c | 89 ++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)

diff --git a/tests/sys/arch/amd64/Makefile b/tests/sys/arch/amd64/Makefile
index 34f3c90c4082..d4cf00237f9b 100644
--- a/tests/sys/arch/amd64/Makefile
+++ b/tests/sys/arch/amd64/Makefile
@@ -1,6 +1,7 @@
 TESTSDIR=	${TESTSBASE}/sys/arch/amd64
 
 PLAIN_TESTS_C+=	int0x80
+PLAIN_TESTS_C+=	ptrace-sce-tamper
 
 BINDIR=		${TESTSDIR}
 
diff --git a/tests/sys/arch/amd64/ptrace-sce-tamper.c b/tests/sys/arch/amd64/ptrace-sce-tamper.c
new file mode 100644
index 000000000000..0645f62a7e9b
--- /dev/null
+++ b/tests/sys/arch/amd64/ptrace-sce-tamper.c
@@ -0,0 +1,89 @@
+/*
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2026 Alex S <iwtcex@gmail.com>
+ */
+
+#include <machine/reg.h>
+#include <sys/ptrace.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+
+#include <assert.h>
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifndef __amd64__
+#error "amd64 only"
+#endif
+
+/*
+ * This test substitutes exit(42) instead of getpid() using ptrace.
+ */
+
+static const int EXPECTED_EXIT_CODE = 42;
+
+static void
+tamper(pid_t pid)
+{
+	struct ptrace_lwpinfo info;
+	struct reg regs;
+
+	if (ptrace(PT_LWPINFO, pid, (caddr_t)&info, sizeof(info)) == -1)
+		err(1, "ptrace(PT_LWPINFO)");
+
+	if ((info.pl_flags & PL_FLAG_SCE) != 0 &&
+	    info.pl_syscall_code == SYS_getpid) {
+		if (ptrace(PT_GETREGS, pid, (caddr_t)&regs, sizeof(regs)) == -1)
+			err(1, "ptrace(PT_GETREGS)");
+
+		regs.r_rax = SYS_exit;
+		regs.r_rdi = EXPECTED_EXIT_CODE;
+
+		if (ptrace(PT_SETREGS, pid, (caddr_t)&regs, sizeof(regs)) == -1)
+			err(1, "ptrace(PT_SETREGS)");
+	}
+}
+
+int
+main(void)
+{
+	pid_t pid;
+	int status;
+
+	pid = fork();
+	if (pid == -1)
+		err(1, "fork");
+
+	if (pid == 0) {
+		(void)ptrace(PT_TRACE_ME, 0, 0, 0);
+		(void)getpid();
+		exit(0);
+	} else {
+		if (ptrace(PT_ATTACH, pid, 0, 0) == -1)
+			err(1, "ptrace(PT_ATTACH)");
+
+		for (;;) {
+			if (wait(&status) == -1)
+				err(1, "wait");
+
+			if (WIFEXITED(status)) {
+				if (WEXITSTATUS(status) == EXPECTED_EXIT_CODE) {
+					printf("exit code changed\n");
+					exit(0);
+				} else {
+					printf("unable to change exit code\n");
+					exit(1);
+				}
+			}
+
+			assert(WIFSTOPPED(status));
+			tamper(pid);
+
+			if (ptrace(PT_TO_SCE, pid, (caddr_t)1, 0) == -1)
+				err(1, "ptrace(PT_TO_SCE)");
+		}
+	}
+}