1 /*
2  * Copyright 2008, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "DEBUG"
18 
19 #include "libdebuggerd/utility.h"
20 
21 #include <errno.h>
22 #include <signal.h>
23 #include <string.h>
24 #include <sys/capability.h>
25 #include <sys/prctl.h>
26 #include <sys/ptrace.h>
27 #include <sys/uio.h>
28 #include <sys/wait.h>
29 #include <unistd.h>
30 
31 #include <set>
32 #include <string>
33 
34 #include <android-base/properties.h>
35 #include <android-base/stringprintf.h>
36 #include <android-base/strings.h>
37 #include <android-base/unique_fd.h>
38 #include <async_safe/log.h>
39 #include <bionic/reserved_signals.h>
40 #include <debuggerd/handler.h>
41 #include <log/log.h>
42 #include <unwindstack/AndroidUnwinder.h>
43 #include <unwindstack/Memory.h>
44 #include <unwindstack/Unwinder.h>
45 
46 using android::base::StringPrintf;
47 using android::base::unique_fd;
48 
// Which sections of a dump are mirrored to logcat (and, via _VLOG, to kmsg) in addition to
// the tombstone. Only the header, registers and backtrace qualify; MEMORY is deliberately
// absent, so raw memory contents are confined to the tombstone file.
bool is_allowed_in_logcat(enum logtype ltype) {
  switch (ltype) {
    case HEADER:
    case REGISTERS:
    case BACKTRACE:
      return true;
    default:
      return false;
  }
}
52 
// kmsg is a fallback sink, used only on debuggable builds and only while tombstoned is not
// reported as running. The property reads are ordered so the second one is skipped on
// non-debuggable builds.
static bool should_write_to_kmsg() {
  if (!android::base::GetBoolProperty("ro.debuggable", false)) {
    return false;
  }
  const std::string tombstoned_state = android::base::GetProperty("init.svc.tombstoned", "");
  return tombstoned_state != "running";
}
65 
// Variadic front-end for _VLOG(): packages the trailing arguments and forwards them.
// Weak so a test or host build can substitute its own sink.
__attribute__((__weak__, visibility("default")))
void _LOG(log_t* log, enum logtype ltype, const char* fmt, ...) {
  va_list args;
  va_start(args, fmt);
  _VLOG(log, ltype, fmt, args);
  va_end(args);
}
73 
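// Format one dump line and fan it out to the configured sinks:
//   - the tombstone fd, whenever one is open;
//   - logcat's crash buffer (plus the optional activity-manager buffer |log->amfd_data|), only
//     for log types is_allowed_in_logcat() accepts and only while the thread being dumped is
//     the one that crashed;
//   - /dev/kmsg_debug, nested under the logcat condition, when should_write_to_kmsg() said so.
// An empty formatted message is dropped before reaching any sink.
// Weak so a test or host build can substitute its own sink.
__attribute__((__weak__, visibility("default")))
void _VLOG(log_t* log, enum logtype ltype, const char* fmt, va_list ap) {
  const bool write_to_tombstone = (log->tfd != -1);
  const bool write_to_logcat = is_allowed_in_logcat(ltype)
                            && log->crashed_tid != -1
                            && log->current_tid != -1
                            && (log->crashed_tid == log->current_tid);
  // Function-local static: the property lookups in should_write_to_kmsg() run once per process.
  static const bool write_to_kmsg = should_write_to_kmsg();

  std::string msg;
  android::base::StringAppendV(&msg, fmt, ap);
  if (msg.empty()) return;

  if (write_to_tombstone) {
    TEMP_FAILURE_RETRY(write(log->tfd, msg.c_str(), msg.size()));
  }

  if (!write_to_logcat) return;

  __android_log_buf_write(LOG_ID_CRASH, ANDROID_LOG_FATAL, LOG_TAG, msg.c_str());
  if (log->amfd_data != nullptr) {
    *log->amfd_data += msg;
  }

  if (!write_to_kmsg) return;

  unique_fd kmsg_fd(open("/dev/kmsg_debug", O_WRONLY | O_APPEND | O_CLOEXEC));
  if (kmsg_fd.get() < 0) return;

  // The android logger handles embedded newlines for us; the kernel logger does not, so split
  // the message into lines here. A single trailing newline is removed outright (previously it
  // was overwritten with '\0', which Split() kept in the last fragment and writev() then sent
  // to the kernel as part of that line).
  if (msg.back() == '\n') {
    msg.pop_back();
  }

  static constexpr char prefix[] = "<3>DEBUG: ";  // "<3>" is the KERN_ERR level for printk.
  for (const std::string& fragment : android::base::Split(msg, "\n")) {
    struct iovec iov[3];
    iov[0].iov_base = const_cast<char*>(prefix);
    iov[0].iov_len = strlen(prefix);
    iov[1].iov_base = const_cast<char*>(fragment.c_str());
    iov[1].iov_len = fragment.length();
    iov[2].iov_base = const_cast<char*>("\n");
    iov[2].iov_len = 1;
    TEMP_FAILURE_RETRY(writev(kmsg_fd.get(), iov, 3));
  }
}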
123 
// Size of the region dumped around a register value, and the width of one formatted line.
// The line width must equal the MTE tag granule: dump_memory() records one tag per granule and
// the logging overload consumes exactly one tag per line, so the two indexings have to agree.
#define MEMORY_BYTES_TO_DUMP 256
#define MEMORY_BYTES_PER_LINE 16
static_assert(MEMORY_BYTES_PER_LINE == kTagGranuleSize);
127 
// Read up to |len| bytes of the target's memory around |*addr| into |out|, plus one MTE tag per
// kTagGranuleSize bytes into |tags| (|tags_len| entries), for the logging overload to format.
//
// |*addr| is in/out: on entry the raw register value; on return the address that byte 0 of
// |out| corresponds to, after line alignment, the 32-byte back-off, address-tag stripping and
// (when the first read returned nothing) the advance to the next page.
//
// Returns the number of bytes read, rounded down to a multiple of sizeof(uintptr_t), or -1 when
// the range would overflow or nothing at all could be read. |out| is zeroed before reading, so
// any unread tail is zeros.
ssize_t dump_memory(void* out, size_t len, uint8_t* tags, size_t tags_len, uint64_t* addr,
                    unwindstack::Memory* memory) {
  // Align the address to the number of bytes per line to avoid confusing memory tag output if
  // memory is tagged and we start from a misaligned address. Start 32 bytes before the address.
  *addr &= ~(MEMORY_BYTES_PER_LINE - 1);
  // 4128 == 4096 + 32, so after backing off the address is still >= 4096 (presumably to keep
  // the dump out of the first 4 KiB page; the original leaves the reason unstated).
  if (*addr >= 4128) {
    *addr -= 32;
  }

  // We don't want the address tag to appear in the addresses in the memory dump.
  *addr = untag_address(*addr);

  // Don't bother if the address would overflow, taking tag bits into account. Note that
  // untag_address truncates to 32 bits on 32-bit platforms as a side effect of returning a
  // uintptr_t, so this also checks for 32-bit overflow.
  if (untag_address(*addr + MEMORY_BYTES_TO_DUMP - 1) < *addr) {
    return -1;
  }

  memset(out, 0, len);

  size_t bytes = memory->Read(*addr, reinterpret_cast<uint8_t*>(out), len);
  if (bytes % sizeof(uintptr_t) != 0) {
    // This should never happen, but just in case.
    ALOGE("Bytes read %zu, is not a multiple of %zu", bytes, sizeof(uintptr_t));
    bytes &= ~(sizeof(uintptr_t) - 1);
  }

  bool skip_2nd_read = false;
  if (bytes == 0) {
    // In this case, we might want to try another read at the beginning of
    // the next page only if it's within the amount of memory we would have
    // read.
    // NOTE(review): sysconf() returns -1 on failure, which would wrap to SIZE_MAX here; not
    // expected for _SC_PAGE_SIZE, but there is no check.
    size_t page_size = sysconf(_SC_PAGE_SIZE);
    uint64_t next_page = (*addr + (page_size - 1)) & ~(page_size - 1);
    // Already page-aligned means the page itself is unreadable; a next page beyond the dump
    // window isn't worth reading. Either way |*addr| is still moved to |next_page|.
    if (next_page == *addr || next_page >= *addr + len) {
      skip_2nd_read = true;
    }
    *addr = next_page;
  }

  if (bytes < len && !skip_2nd_read) {
    // Try to do one more read. This could happen if a read crosses a map,
    // but the maps do not have any break between them. Or it could happen
    // if reading from an unreadable map, but the read would cross back
    // into a readable map. Only requires one extra read because a map has
    // to contain at least one page, and the total number of bytes to dump
    // is smaller than a page.
    size_t bytes2 = memory->Read(*addr + bytes, static_cast<uint8_t*>(out) + bytes, len - bytes);
    bytes += bytes2;
    if (bytes2 > 0 && bytes % sizeof(uintptr_t) != 0) {
      // This should never happen, but we'll try and continue any way.
      ALOGE("Bytes after second read %zu, is not a multiple of %zu", bytes, sizeof(uintptr_t));
      bytes &= ~(sizeof(uintptr_t) - 1);
    }
  }

  // If we were unable to read anything, it probably means that the register doesn't contain a
  // valid pointer.
  if (bytes == 0) {
    return -1;
  }

  // One tag per granule actually read. ReadTag() reports failure as a negative value, which is
  // recorded as tag 0; granules beyond |tags_len| are logged and dropped rather than written.
  for (uint64_t tag_granule = 0; tag_granule < bytes / kTagGranuleSize; ++tag_granule) {
    long tag = memory->ReadTag(*addr + kTagGranuleSize * tag_granule);
    if (tag_granule < tags_len) {
      tags[tag_granule] = tag >= 0 ? tag : 0;
    } else {
      ALOGE("Insufficient space for tags");
    }
  }

  return bytes;
}
202 
// Log MEMORY_BYTES_TO_DUMP bytes around |addr| to the MEMORY section, one
// MEMORY_BYTES_PER_LINE-byte line at a time, laid out as:
//   addr             contents                           ascii
//   0000000000008d34 ef000000e8bd0090 e1b00000512fff1e  ............../Q
//   0000000000008d44 ea00b1f9e92d0090 e3a070fcef000000  ......-..p......
// On 32-bit machines there are still 16 bytes per line, but addresses and words are narrower.
// Each printed address carries that line's MTE tag in its top byte. Printable ASCII
// (0x20..0x7e) is echoed on the right, anything else as '.'. If the reading overload could not
// read anything, nothing is logged - not even |label|.
void dump_memory(log_t* log, unwindstack::Memory* memory, uint64_t addr, const std::string& label) {
  uintptr_t data[MEMORY_BYTES_TO_DUMP / sizeof(uintptr_t)];
  uint8_t tags[MEMORY_BYTES_TO_DUMP / kTagGranuleSize];

  const ssize_t bytes = dump_memory(data, sizeof(data), tags, sizeof(tags), &addr, memory);
  if (bytes == -1) {
    return;
  }

  _LOG(log, logtype::MEMORY, "\n%s:\n", label.c_str());

  constexpr size_t kWordsPerLine = MEMORY_BYTES_PER_LINE / sizeof(uintptr_t);
  const size_t line_count = static_cast<size_t>(bytes) / MEMORY_BYTES_PER_LINE;
  const uint8_t* raw = reinterpret_cast<const uint8_t*>(data);

  for (size_t line = 0; line < line_count; ++line) {
    const uint64_t tagged_addr = addr | (static_cast<uint64_t>(tags[line]) << 56);
    std::string logline;
    android::base::StringAppendF(&logline, "    %" PRIPTR, tagged_addr);

    std::string ascii;
    for (size_t word = 0; word < kWordsPerLine; ++word) {
      const size_t word_index = line * kWordsPerLine + word;
      android::base::StringAppendF(&logline, " %" PRIPTR, static_cast<uint64_t>(data[word_index]));

      // Mirror this word's bytes into the ascii column.
      const uint8_t* word_bytes = raw + word_index * sizeof(uintptr_t);
      for (size_t byte = 0; byte < sizeof(uintptr_t); ++byte) {
        const uint8_t c = word_bytes[byte];
        ascii += (c >= 0x20 && c < 0x7f) ? static_cast<char>(c) : '.';
      }
    }

    addr += MEMORY_BYTES_PER_LINE;
    _LOG(log, logtype::MEMORY, "%s  %s\n", logline.c_str(), ascii.c_str());
  }
}
247 
// Shed every capability this process holds and make the loss irreversible.
//
// capset(2) with an all-zero v3 payload clears the effective, permitted and inheritable sets
// (two 32-bit words each, i.e. all 64 capability bits); the bounding set is not touched by
// capset. PR_SET_NO_NEW_PRIVS then stops execve() from granting privileges again (setuid bits,
// file capabilities), and that flag is inherited by children and cannot be cleared. Both
// failures are fatal via async_safe_fatal().
void drop_capabilities() {
  __user_cap_header_struct capheader = {};
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
  capheader.pid = 0;  // 0 selects the calling thread.

  __user_cap_data_struct capdata[2] = {};

  if (capset(&capheader, capdata) == -1) {
    async_safe_fatal("failed to drop capabilities: %s", strerror(errno));
  }

  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
    async_safe_fatal("failed to set PR_SET_NO_NEW_PRIVS: %s", strerror(errno));
  }
}
265 
// Whether si->si_addr holds a meaningful fault address for this signal.
//
// Signals delivered by kill()/sigqueue()/tgkill() never do, whatever the signal number. Among
// the hardware-fault signals, SIGSEGV with SEGV_MTEAERR is the exception: asynchronous MTE
// tag-check faults are not reported with a precise address.
bool signal_has_si_addr(const siginfo_t* si) {
  const int code = si->si_code;
  const bool manually_sent = (code == SI_USER) || (code == SI_QUEUE) || (code == SI_TKILL);
  if (manually_sent) {
    return false;
  }

  const int signo = si->si_signo;
  if (signo == SIGSEGV) {
    return code != SEGV_MTEAERR;
  }
  return signo == SIGBUS || signo == SIGFPE || signo == SIGILL || signo == SIGTRAP;
}
284 
// True when the signal came from a user-space sender other than the caller: SI_FROMUSER()
// excludes kernel-generated faults, si_pid 0 means there is no sender to report, and a signal
// the process sent to itself is excluded as well.
bool signal_has_sender(const siginfo_t* si, pid_t caller_pid) {
  if (!SI_FROMUSER(si)) {
    return false;
  }
  const pid_t sender = si->si_pid;
  return sender != 0 && sender != caller_pid;
}
288 
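// Format the " from pid X, uid Y" suffix that follows the signal name into |buf|.
// snprintf semantics apply: with n > 0 the result is always NUL-terminated, and anything past
// n-1 characters is truncated. Callers are expected to gate on signal_has_sender(); nothing is
// checked here.
void get_signal_sender(char* buf, size_t n, const siginfo_t* si) {
  // uid_t is unsigned; print it with a matching conversion rather than %d.
  snprintf(buf, n, " from pid %d, uid %u", static_cast<int>(si->si_pid),
           static_cast<unsigned int>(si->si_uid));
}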
292 
// Symbolic name of the crashing signal, or "?" for any signal not in the table.
const char* get_signame(const siginfo_t* si) {
  struct SignalName {
    int signo;
    const char* name;
  };
  static constexpr SignalName kNames[] = {
      {SIGABRT, "SIGABRT"},
      {SIGBUS, "SIGBUS"},
      {SIGFPE, "SIGFPE"},
      {SIGILL, "SIGILL"},
      {SIGSEGV, "SIGSEGV"},
      {SIGSTKFLT, "SIGSTKFLT"},
      {SIGSTOP, "SIGSTOP"},
      {SIGSYS, "SIGSYS"},
      {SIGTRAP, "SIGTRAP"},
      {BIONIC_SIGNAL_DEBUGGER, "<debuggerd signal>"},
  };
  for (const SignalName& entry : kNames) {
    if (entry.signo == si->si_signo) {
      return entry.name;
    }
  }
  return "?";
}
309 
// Symbolic name for si->si_code: first the codes specific to si->si_signo, then the generic
// SI_* codes, and "?" if neither matches.
//
// Each signal-specific switch is pinned by a static_assert to the kernel's NSIG* count, so a
// newly added si_code fails the build instead of silently printing "?".
const char* get_sigcode(const siginfo_t* si) {
  // Try the signal-specific codes...
  switch (si->si_signo) {
    case SIGILL:
      switch (si->si_code) {
        case ILL_ILLOPC: return "ILL_ILLOPC";
        case ILL_ILLOPN: return "ILL_ILLOPN";
        case ILL_ILLADR: return "ILL_ILLADR";
        case ILL_ILLTRP: return "ILL_ILLTRP";
        case ILL_PRVOPC: return "ILL_PRVOPC";
        case ILL_PRVREG: return "ILL_PRVREG";
        case ILL_COPROC: return "ILL_COPROC";
        case ILL_BADSTK: return "ILL_BADSTK";
        case ILL_BADIADDR:
          return "ILL_BADIADDR";
        case __ILL_BREAK:
          return "ILL_BREAK";
        case __ILL_BNDMOD:
          return "ILL_BNDMOD";
      }
      static_assert(NSIGILL == __ILL_BNDMOD, "missing ILL_* si_code");
      break;
    case SIGBUS:
      switch (si->si_code) {
        case BUS_ADRALN: return "BUS_ADRALN";
        case BUS_ADRERR: return "BUS_ADRERR";
        case BUS_OBJERR: return "BUS_OBJERR";
        case BUS_MCEERR_AR: return "BUS_MCEERR_AR";
        case BUS_MCEERR_AO: return "BUS_MCEERR_AO";
      }
      static_assert(NSIGBUS == BUS_MCEERR_AO, "missing BUS_* si_code");
      break;
    case SIGFPE:
      switch (si->si_code) {
        case FPE_INTDIV: return "FPE_INTDIV";
        case FPE_INTOVF: return "FPE_INTOVF";
        case FPE_FLTDIV: return "FPE_FLTDIV";
        case FPE_FLTOVF: return "FPE_FLTOVF";
        case FPE_FLTUND: return "FPE_FLTUND";
        case FPE_FLTRES: return "FPE_FLTRES";
        case FPE_FLTINV: return "FPE_FLTINV";
        case FPE_FLTSUB: return "FPE_FLTSUB";
        case __FPE_DECOVF:
          return "FPE_DECOVF";
        case __FPE_DECDIV:
          return "FPE_DECDIV";
        case __FPE_DECERR:
          return "FPE_DECERR";
        case __FPE_INVASC:
          return "FPE_INVASC";
        case __FPE_INVDEC:
          return "FPE_INVDEC";
        case FPE_FLTUNK:
          return "FPE_FLTUNK";
        case FPE_CONDTRAP:
          return "FPE_CONDTRAP";
      }
      static_assert(NSIGFPE == FPE_CONDTRAP, "missing FPE_* si_code");
      break;
    case SIGSEGV:
      switch (si->si_code) {
        case SEGV_MAPERR: return "SEGV_MAPERR";
        case SEGV_ACCERR: return "SEGV_ACCERR";
        case SEGV_BNDERR: return "SEGV_BNDERR";
        case SEGV_PKUERR: return "SEGV_PKUERR";
        case SEGV_ACCADI:
          return "SEGV_ACCADI";
        case SEGV_ADIDERR:
          return "SEGV_ADIDERR";
        case SEGV_ADIPERR:
          return "SEGV_ADIPERR";
        case SEGV_MTEAERR:
          return "SEGV_MTEAERR";
        case SEGV_MTESERR:
          return "SEGV_MTESERR";
        case SEGV_CPERR:
          return "SEGV_CPERR";
      }
      static_assert(NSIGSEGV == SEGV_CPERR, "missing SEGV_* si_code");
      break;
    case SIGSYS:
      switch (si->si_code) {
        case SYS_SECCOMP: return "SYS_SECCOMP";
        case SYS_USER_DISPATCH:
          return "SYS_USER_DISPATCH";
      }
      static_assert(NSIGSYS == SYS_USER_DISPATCH, "missing SYS_* si_code");
      break;
    case SIGTRAP:
      switch (si->si_code) {
        case TRAP_BRKPT: return "TRAP_BRKPT";
        case TRAP_TRACE: return "TRAP_TRACE";
        case TRAP_BRANCH: return "TRAP_BRANCH";
        case TRAP_HWBKPT: return "TRAP_HWBKPT";
        case TRAP_UNK:
          return "TRAP_UNDIAGNOSED";
        case TRAP_PERF:
          return "TRAP_PERF";
      }
      // ptrace event stops encode si_code as SIGTRAP | (PTRACE_EVENT_* << 8); decode the event
      // from the high byte when the low byte is SIGTRAP.
      if ((si->si_code & 0xff) == SIGTRAP) {
        switch ((si->si_code >> 8) & 0xff) {
          case PTRACE_EVENT_FORK:
            return "PTRACE_EVENT_FORK";
          case PTRACE_EVENT_VFORK:
            return "PTRACE_EVENT_VFORK";
          case PTRACE_EVENT_CLONE:
            return "PTRACE_EVENT_CLONE";
          case PTRACE_EVENT_EXEC:
            return "PTRACE_EVENT_EXEC";
          case PTRACE_EVENT_VFORK_DONE:
            return "PTRACE_EVENT_VFORK_DONE";
          case PTRACE_EVENT_EXIT:
            return "PTRACE_EVENT_EXIT";
          case PTRACE_EVENT_SECCOMP:
            return "PTRACE_EVENT_SECCOMP";
          case PTRACE_EVENT_STOP:
            return "PTRACE_EVENT_STOP";
        }
      }
      static_assert(NSIGTRAP == TRAP_PERF, "missing TRAP_* si_code");
      break;
  }
  // Then the other codes (shared by every signal)...
  switch (si->si_code) {
    case SI_USER: return "SI_USER";
    case SI_KERNEL: return "SI_KERNEL";
    case SI_QUEUE: return "SI_QUEUE";
    case SI_TIMER: return "SI_TIMER";
    case SI_MESGQ: return "SI_MESGQ";
    case SI_ASYNCIO: return "SI_ASYNCIO";
    case SI_SIGIO: return "SI_SIGIO";
    case SI_TKILL: return "SI_TKILL";
    case SI_DETHREAD: return "SI_DETHREAD";
  }
  // Then give up...
  return "?";
}
447 
// Write the unwound frames of |data| to the BACKTRACE section, one per line, each prefixed
// with |prefix|. If any frame's ELF file could not be read, a NOTE preamble listing those
// libraries (sorted, de-duplicated) is emitted first so the missing function names/BuildIds
// are explained in-band.
void log_backtrace(log_t* log, unwindstack::AndroidUnwinder* unwinder,
                   unwindstack::AndroidUnwinderData& data, const char* prefix) {
  std::set<std::string> unreadable;
  for (const auto& frame : data.frames) {
    const auto& map_info = frame.map_info;
    if (map_info == nullptr) {
      continue;
    }
    if (map_info->ElfFileNotReadable()) {
      unreadable.insert(map_info->name());
    }
  }

  // Put the preamble ahead of the backtrace.
  if (!unreadable.empty()) {
    _LOG(log, logtype::BACKTRACE,
         "%sNOTE: Function names and BuildId information is missing for some frames due\n", prefix);
    _LOG(log, logtype::BACKTRACE,
         "%sNOTE: to unreadable libraries. For unwinds of apps, only shared libraries\n", prefix);
    _LOG(log, logtype::BACKTRACE, "%sNOTE: found under the lib/ directory are readable.\n", prefix);
#if defined(ROOT_POSSIBLE)
    _LOG(log, logtype::BACKTRACE,
         "%sNOTE: On this device, run setenforce 0 to make the libraries readable.\n", prefix);
#endif
    _LOG(log, logtype::BACKTRACE, "%sNOTE: Unreadable libraries:\n", prefix);
    for (const std::string& library : unreadable) {
      _LOG(log, logtype::BACKTRACE, "%sNOTE:   %s\n", prefix, library.c_str());
    }
  }

  for (const auto& frame : data.frames) {
    const std::string formatted = unwinder->FormatFrame(frame);
    _LOG(log, logtype::BACKTRACE, "%s%s\n", prefix, formatted.c_str());
  }
}
478