From 1b93f4032a246e0aa43c2f424921e0aace57b994 Mon Sep 17 00:00:00 2001
From: Eugene Syromyatnikov
Date: Fri, 4 Aug 2017 11:33:04 +0200
Subject: [PATCH] Improve handling of unexpected tracees
When receiving a ptrace stop of an unexpected child, handle it in the most transparent way possible: - detach it instead of PTRACE_CONT'ing; - send it the signal with which it has been stopped. This should hopefully help to deal with processes that have been created with misused CLONE_PTRACE flag set. * strace.c (maybe_allocate_tcb) : Calculate the signal similarly to the way next_event does, forward it to the unexpected tracee, and detach the tracee.
---
 strace.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/strace.c b/strace.c
index 0015ad50..b0d9b88a 100644
--- a/strace.c
+++ b/strace.c
@@ -2082,11 +2082,19 @@ maybe_allocate_tcb(const int pid, int status)
 error_msg("Process %d attached", pid);
 return tcp;
 } else {
- /* This can happen if a clone call used
- * CLONE_PTRACE itself.
+ /*
+ * This can happen if a clone call misused CLONE_PTRACE itself.
 */
- ptrace(PTRACE_CONT, pid, NULL, 0);
- error_msg("Stop of unknown pid %u seen, PTRACE_CONTed it", pid);
+ unsigned int sig = WSTOPSIG(status);
+ unsigned int event = (unsigned int) status >> 16;
+
+ if (event == PTRACE_EVENT_STOP || sig == syscall_trap_sig)
+ sig = 0;
+
+ ptrace(PTRACE_DETACH, pid, NULL, (unsigned long) sig);
+ error_msg("Detached unknown pid %d%s%s", pid,
+ sig ? " with signal " : "",
+ sig ? signame(sig) : "");
 return NULL;
 }
 }
--
2.40.0
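Review bot: In the new else-branch of maybe_allocate_tcb, only `PTRACE_EVENT_STOP` clears `sig`, so any other ptrace event stop (non-zero `status >> 16`, where WSTOPSIG reports SIGTRAP) would have SIGTRAP injected into the unknown process on detach, unless `syscall_trap_sig` happens to equal SIGTRAP. `syscall_trap_sig` is defined outside the hunk, so this is inferred rather than shown. An event stop is not a signal-delivery stop, so no signal should be forwarded for it; consider `if (event || sig == syscall_trap_sig) sig = 0;`. The result of `ptrace(PTRACE_DETACH, ...)` is also ignored while the message says "Detached" unconditionally; checking it and reporting the failure would keep the log accurate when the pid was not a stopped tracee. The function begins above the hunk, so the attach path before this branch was not reviewed.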