Improve handling of unexpected tracees

When receiving a ptrace stop of an unexpected child, handle it in the most transparent way possible: - detach it instead of PTRACE_CONT'ing; - send it the signal with which it has been stopped. This should hopefully help to deal with processes that have been created with misused CLONE_PTRACE flag set. * strace.c (maybe_allocate_tcb) <WIFSTOPPED(status) && !followfork>: Calculate the signal similarly to the way next_event does, forward it to the unexpected tracee, and detach the tracee.
2017-08-04 11:33:04 +02:00 · 2017-08-04 11:33:04 +02:00 · 1b93f4032a
commit 1b93f4032a
parent 17f095a945
1 changed files with 12 additions and 4 deletions
--- a/strace.c
+++ b/strace.c
@ -2082,11 +2082,19 @@ maybe_allocate_tcb(const int pid, int status)
 			error_msg("Process %d attached", pid);
 		return tcp;
 	} else {
-		/* This can happen if a clone call used
-		 * CLONE_PTRACE itself.
+		/*
+		 * This can happen if a clone call misused CLONE_PTRACE itself.
 		 */
-		ptrace(PTRACE_CONT, pid, NULL, 0);
-		error_msg("Stop of unknown pid %u seen, PTRACE_CONTed it", pid);
+		unsigned int sig = WSTOPSIG(status);
+		unsigned int event = (unsigned int) status >> 16;
+
+		if (event == PTRACE_EVENT_STOP || sig == syscall_trap_sig)
+			sig = 0;
+
+		ptrace(PTRACE_DETACH, pid, NULL, (unsigned long) sig);
+		error_msg("Detached unknown pid %d%s%s", pid,
+			  sig ? " with signal " : "",
+			  sig ? signame(sig) : "");
 		return NULL;
 	}
 }