1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <sys/ptrace.h> 18 19 #include <elf.h> 20 #include <err.h> 21 #include <fcntl.h> 22 #include <sched.h> 23 #include <sys/prctl.h> 24 #include <sys/ptrace.h> 25 #include <sys/uio.h> 26 #include <sys/user.h> 27 #include <sys/wait.h> 28 #include <unistd.h> 29 30 #include <chrono> 31 #include <thread> 32 33 #include <gtest/gtest.h> 34 35 #include <android-base/macros.h> 36 #include <android-base/unique_fd.h> 37 38 #include "utils.h" 39 40 using namespace std::chrono_literals; 41 42 using android::base::unique_fd; 43 44 // Host libc does not define this. 45 #ifndef TRAP_HWBKPT 46 #define TRAP_HWBKPT 4 47 #endif 48 49 class ChildGuard { 50 public: 51 explicit ChildGuard(pid_t pid) : pid(pid) {} 52 53 ~ChildGuard() { 54 kill(pid, SIGKILL); 55 int status; 56 TEMP_FAILURE_RETRY(waitpid(pid, &status, 0)); 57 } 58 59 private: 60 pid_t pid; 61 }; 62 63 enum class HwFeature { Watchpoint, Breakpoint }; 64 65 static void check_hw_feature_supported(pid_t child, HwFeature feature) { 66 #if defined(__arm__) 67 long capabilities; 68 long result = ptrace(PTRACE_GETHBPREGS, child, 0, &capabilities); 69 if (result == -1) { 70 EXPECT_EQ(EIO, errno); 71 GTEST_SKIP() << "Hardware debug support disabled at kernel configuration time"; 72 } 73 uint8_t hb_count = capabilities & 0xff; 74 capabilities >>= 8; 75 uint8_t wp_count = capabilities & 0xff; 76 capabilities >>= 8; 77 uint8_t max_wp_size = capabilities & 0xff; 78 if (max_wp_size == 0) { 79 GTEST_SKIP() << "Kernel reports zero maximum watchpoint size"; 80 } else if (feature == HwFeature::Watchpoint && wp_count == 0) { 81 GTEST_SKIP() << "Kernel reports zero hardware watchpoints"; 82 } else if (feature == HwFeature::Breakpoint && hb_count == 0) { 83 GTEST_SKIP() << "Kernel reports zero hardware breakpoints"; 84 } 85 #elif defined(__aarch64__) 86 user_hwdebug_state dreg_state; 87 iovec iov; 88 iov.iov_base = &dreg_state; 89 iov.iov_len = sizeof(dreg_state); 90 91 long result = ptrace(PTRACE_GETREGSET, child, 92 feature == HwFeature::Watchpoint ? NT_ARM_HW_WATCH : NT_ARM_HW_BREAK, &iov); 93 if (result == -1) { 94 ASSERT_EQ(EINVAL, errno); 95 } 96 if ((dreg_state.dbg_info & 0xff) == 0) GTEST_SKIP() << "hardware support missing"; 97 #else 98 // We assume watchpoints and breakpoints are always supported on x86. 99 UNUSED(child); 100 UNUSED(feature); 101 #endif 102 } 103 104 static void set_watchpoint(pid_t child, uintptr_t address, size_t size) { 105 ASSERT_EQ(0u, address & 0x7) << "address: " << address; 106 #if defined(__arm__) || defined(__aarch64__) 107 const unsigned byte_mask = (1 << size) - 1; 108 const unsigned type = 2; // Write. 109 const unsigned enable = 1; 110 const unsigned control = byte_mask << 5 | type << 3 | enable; 111 112 #ifdef __arm__ 113 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, -1, &address)) << strerror(errno); 114 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, -2, &control)) << strerror(errno); 115 #else // aarch64 116 user_hwdebug_state dreg_state; 117 memset(&dreg_state, 0, sizeof dreg_state); 118 dreg_state.dbg_regs[0].addr = address; 119 dreg_state.dbg_regs[0].ctrl = control; 120 121 iovec iov; 122 iov.iov_base = &dreg_state; 123 iov.iov_len = offsetof(user_hwdebug_state, dbg_regs) + sizeof(dreg_state.dbg_regs[0]); 124 125 ASSERT_EQ(0, ptrace(PTRACE_SETREGSET, child, NT_ARM_HW_WATCH, &iov)) << strerror(errno); 126 #endif 127 #elif defined(__i386__) || defined(__x86_64__) 128 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[0]), address)) << strerror(errno); 129 errno = 0; 130 unsigned data = ptrace(PTRACE_PEEKUSER, child, offsetof(user, u_debugreg[7]), nullptr); 131 ASSERT_EQ(0, errno); 132 133 const unsigned size_flag = (size == 8) ? 2 : size - 1; 134 const unsigned enable = 1; 135 const unsigned type = 1; // Write. 136 137 const unsigned mask = 3 << 18 | 3 << 16 | 1; 138 const unsigned value = size_flag << 18 | type << 16 | enable; 139 data &= mask; 140 data |= value; 141 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[7]), data)) << strerror(errno); 142 #else 143 UNUSED(child); 144 UNUSED(address); 145 UNUSED(size); 146 #endif 147 } 148 149 template <typename T> 150 static void run_watchpoint_test(std::function<void(T&)> child_func, size_t offset, size_t size) { 151 alignas(16) T data{}; 152 153 pid_t child = fork(); 154 ASSERT_NE(-1, child) << strerror(errno); 155 if (child == 0) { 156 // Extra precaution: make sure we go away if anything happens to our parent. 157 if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) { 158 perror("prctl(PR_SET_PDEATHSIG)"); 159 _exit(1); 160 } 161 162 if (ptrace(PTRACE_TRACEME, 0, nullptr, nullptr) == -1) { 163 perror("ptrace(PTRACE_TRACEME)"); 164 _exit(2); 165 } 166 167 child_func(data); 168 _exit(0); 169 } 170 171 ChildGuard guard(child); 172 173 int status; 174 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 175 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 176 ASSERT_EQ(SIGSTOP, WSTOPSIG(status)) << "Status was: " << status; 177 178 check_hw_feature_supported(child, HwFeature::Watchpoint); 179 180 set_watchpoint(child, uintptr_t(untag_address(&data)) + offset, size); 181 182 ASSERT_EQ(0, ptrace(PTRACE_CONT, child, nullptr, nullptr)) << strerror(errno); 183 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 184 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 185 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)) << "Status was: " << status; 186 187 siginfo_t siginfo; 188 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child, nullptr, &siginfo)) << strerror(errno); 189 ASSERT_EQ(TRAP_HWBKPT, siginfo.si_code); 190 #if defined(__arm__) || defined(__aarch64__) 191 ASSERT_LE(&data, siginfo.si_addr); 192 ASSERT_GT((&data) + 1, siginfo.si_addr); 193 #endif 194 } 195 196 template <typename T> 197 static void watchpoint_stress_child(unsigned cpu, T& data) { 198 cpu_set_t cpus; 199 CPU_ZERO(&cpus); 200 CPU_SET(cpu, &cpus); 201 if (sched_setaffinity(0, sizeof cpus, &cpus) == -1) { 202 perror("sched_setaffinity"); 203 _exit(3); 204 } 205 raise(SIGSTOP); // Synchronize with the tracer, let it set the watchpoint. 206 207 data = 1; // Now trigger the watchpoint. 208 } 209 210 template <typename T> 211 static void run_watchpoint_stress(size_t cpu) { 212 run_watchpoint_test<T>(std::bind(watchpoint_stress_child<T>, cpu, std::placeholders::_1), 0, 213 sizeof(T)); 214 } 215 216 // Test watchpoint API. The test is considered successful if our watchpoints get hit OR the 217 // system reports that watchpoint support is not present. We run the test for different 218 // watchpoint sizes, while pinning the process to each cpu in turn, for better coverage. 219 TEST(sys_ptrace, watchpoint_stress) { 220 cpu_set_t available_cpus; 221 ASSERT_EQ(0, sched_getaffinity(0, sizeof available_cpus, &available_cpus)); 222 223 for (size_t cpu = 0; cpu < CPU_SETSIZE; ++cpu) { 224 if (!CPU_ISSET(cpu, &available_cpus)) continue; 225 226 run_watchpoint_stress<uint8_t>(cpu); 227 run_watchpoint_stress<uint16_t>(cpu); 228 run_watchpoint_stress<uint32_t>(cpu); 229 #if defined(__LP64__) 230 run_watchpoint_stress<uint64_t>(cpu); 231 #endif 232 } 233 } 234 235 struct Uint128_t { 236 uint64_t data[2]; 237 }; 238 static void watchpoint_imprecise_child(Uint128_t& data) { 239 raise(SIGSTOP); // Synchronize with the tracer, let it set the watchpoint. 240 241 #if defined(__i386__) || defined(__x86_64__) 242 asm volatile("movdqa %%xmm0, %0" : : "m"(data)); 243 #elif defined(__arm__) 244 asm volatile("stm %0, { r0, r1, r2, r3 }" : : "r"(&data)); 245 #elif defined(__aarch64__) 246 asm volatile("stp x0, x1, %0" : : "m"(data)); 247 #elif defined(__mips__) 248 // TODO 249 UNUSED(data); 250 #endif 251 } 252 253 // Test that the kernel is able to handle the case when the instruction writes 254 // to a larger block of memory than the one we are watching. If you see this 255 // test fail on arm64, you will likely need to cherry-pick fdfeff0f into your 256 // kernel. 257 TEST(sys_ptrace, watchpoint_imprecise) { 258 // This test relies on the infrastructure to timeout if the test hangs. 259 run_watchpoint_test<Uint128_t>(watchpoint_imprecise_child, 8, sizeof(void*)); 260 } 261 262 static void __attribute__((noinline)) breakpoint_func() { 263 asm volatile(""); 264 } 265 266 static void __attribute__((noreturn)) breakpoint_fork_child() { 267 // Extra precaution: make sure we go away if anything happens to our parent. 268 if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) { 269 perror("prctl(PR_SET_PDEATHSIG)"); 270 _exit(1); 271 } 272 273 if (ptrace(PTRACE_TRACEME, 0, nullptr, nullptr) == -1) { 274 perror("ptrace(PTRACE_TRACEME)"); 275 _exit(2); 276 } 277 278 raise(SIGSTOP); // Synchronize with the tracer, let it set the breakpoint. 279 280 breakpoint_func(); // Now trigger the breakpoint. 281 282 _exit(0); 283 } 284 285 static void set_breakpoint(pid_t child) { 286 uintptr_t address = uintptr_t(breakpoint_func); 287 #if defined(__arm__) || defined(__aarch64__) 288 address &= ~3; 289 const unsigned byte_mask = 0xf; 290 const unsigned enable = 1; 291 const unsigned control = byte_mask << 5 | enable; 292 293 #ifdef __arm__ 294 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, 1, &address)) << strerror(errno); 295 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, 2, &control)) << strerror(errno); 296 #else // aarch64 297 user_hwdebug_state dreg_state; 298 memset(&dreg_state, 0, sizeof dreg_state); 299 dreg_state.dbg_regs[0].addr = reinterpret_cast<uintptr_t>(address); 300 dreg_state.dbg_regs[0].ctrl = control; 301 302 iovec iov; 303 iov.iov_base = &dreg_state; 304 iov.iov_len = offsetof(user_hwdebug_state, dbg_regs) + sizeof(dreg_state.dbg_regs[0]); 305 306 ASSERT_EQ(0, ptrace(PTRACE_SETREGSET, child, NT_ARM_HW_BREAK, &iov)) << strerror(errno); 307 #endif 308 #elif defined(__i386__) || defined(__x86_64__) 309 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[0]), address)) 310 << strerror(errno); 311 errno = 0; 312 unsigned data = ptrace(PTRACE_PEEKUSER, child, offsetof(user, u_debugreg[7]), nullptr); 313 ASSERT_EQ(0, errno); 314 315 const unsigned size = 0; 316 const unsigned enable = 1; 317 const unsigned type = 0; // Execute 318 319 const unsigned mask = 3 << 18 | 3 << 16 | 1; 320 const unsigned value = size << 18 | type << 16 | enable; 321 data &= mask; 322 data |= value; 323 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[7]), data)) 324 << strerror(errno); 325 #else 326 UNUSED(child); 327 UNUSED(address); 328 #endif 329 } 330 331 // Test hardware breakpoint API. The test is considered successful if the breakpoints get hit OR the 332 // system reports that hardware breakpoint support is not present. 333 TEST(sys_ptrace, hardware_breakpoint) { 334 pid_t child = fork(); 335 ASSERT_NE(-1, child) << strerror(errno); 336 if (child == 0) breakpoint_fork_child(); 337 338 ChildGuard guard(child); 339 340 int status; 341 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 342 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 343 ASSERT_EQ(SIGSTOP, WSTOPSIG(status)) << "Status was: " << status; 344 345 check_hw_feature_supported(child, HwFeature::Breakpoint); 346 347 set_breakpoint(child); 348 349 ASSERT_EQ(0, ptrace(PTRACE_CONT, child, nullptr, nullptr)) << strerror(errno); 350 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 351 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 352 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)) << "Status was: " << status; 353 354 siginfo_t siginfo; 355 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child, nullptr, &siginfo)) << strerror(errno); 356 ASSERT_EQ(TRAP_HWBKPT, siginfo.si_code); 357 } 358 359 class PtraceResumptionTest : public ::testing::Test { 360 public: 361 unique_fd worker_pipe_write; 362 363 pid_t worker = -1; 364 pid_t tracer = -1; 365 366 PtraceResumptionTest() { 367 unique_fd worker_pipe_read; 368 if (!android::base::Pipe(&worker_pipe_read, &worker_pipe_write)) { 369 err(1, "failed to create pipe"); 370 } 371 372 // Second pipe to synchronize the Yama ptracer setup. 373 unique_fd worker_pipe_setup_read, worker_pipe_setup_write; 374 if (!android::base::Pipe(&worker_pipe_setup_read, &worker_pipe_setup_write)) { 375 err(1, "failed to create pipe"); 376 } 377 378 worker = fork(); 379 if (worker == -1) { 380 err(1, "failed to fork worker"); 381 } else if (worker == 0) { 382 char buf; 383 // Allow the tracer process, which is not a direct process ancestor, to 384 // be able to use ptrace(2) on this process when Yama LSM is active. 385 if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == -1) { 386 // if Yama is off prctl(PR_SET_PTRACER) returns EINVAL - don't log in this 387 // case since it's expected behaviour. 388 if (errno != EINVAL) { 389 err(1, "prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) failed for pid %d", getpid()); 390 } 391 } 392 worker_pipe_setup_write.reset(); 393 394 worker_pipe_write.reset(); 395 TEMP_FAILURE_RETRY(read(worker_pipe_read.get(), &buf, sizeof(buf))); 396 exit(0); 397 } else { 398 // Wait until the Yama ptracer is setup. 399 char buf; 400 worker_pipe_setup_write.reset(); 401 TEMP_FAILURE_RETRY(read(worker_pipe_setup_read.get(), &buf, sizeof(buf))); 402 } 403 } 404 405 ~PtraceResumptionTest() override { 406 } 407 408 void AssertDeath(int signo); 409 410 void StartTracer(std::function<void()> f) { 411 tracer = fork(); 412 ASSERT_NE(-1, tracer); 413 if (tracer == 0) { 414 f(); 415 if (HasFatalFailure()) { 416 exit(1); 417 } 418 exit(0); 419 } 420 } 421 422 bool WaitForTracer() { 423 if (tracer == -1) { 424 errx(1, "tracer not started"); 425 } 426 427 int result; 428 pid_t rc = TEMP_FAILURE_RETRY(waitpid(tracer, &result, 0)); 429 if (rc != tracer) { 430 printf("waitpid returned %d (%s)\n", rc, strerror(errno)); 431 return false; 432 } 433 434 if (!WIFEXITED(result) && !WIFSIGNALED(result)) { 435 printf("!WIFEXITED && !WIFSIGNALED\n"); 436 return false; 437 } 438 439 if (WIFEXITED(result)) { 440 if (WEXITSTATUS(result) != 0) { 441 printf("tracer failed\n"); 442 return false; 443 } 444 } 445 446 return true; 447 } 448 449 bool WaitForWorker() { 450 if (worker == -1) { 451 errx(1, "worker not started"); 452 } 453 454 int result; 455 pid_t rc = TEMP_FAILURE_RETRY(waitpid(worker, &result, WNOHANG)); 456 if (rc != 0) { 457 printf("worker exited prematurely\n"); 458 return false; 459 } 460 461 worker_pipe_write.reset(); 462 463 rc = TEMP_FAILURE_RETRY(waitpid(worker, &result, 0)); 464 if (rc != worker) { 465 printf("waitpid for worker returned %d (%s)\n", rc, strerror(errno)); 466 return false; 467 } 468 469 if (!WIFEXITED(result)) { 470 printf("worker didn't exit\n"); 471 return false; 472 } 473 474 if (WEXITSTATUS(result) != 0) { 475 printf("worker exited with status %d\n", WEXITSTATUS(result)); 476 return false; 477 } 478 479 return true; 480 } 481 }; 482 483 static void wait_for_ptrace_stop(pid_t pid) { 484 while (true) { 485 int status; 486 pid_t rc = TEMP_FAILURE_RETRY(waitpid(pid, &status, __WALL)); 487 if (rc != pid) { 488 abort(); 489 } 490 if (WIFSTOPPED(status)) { 491 return; 492 } 493 } 494 } 495 496 TEST_F(PtraceResumptionTest, smoke) { 497 // Make sure that the worker doesn't exit before the tracer stops tracing. 498 StartTracer([this]() { 499 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 500 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 501 wait_for_ptrace_stop(worker); 502 std::this_thread::sleep_for(500ms); 503 }); 504 505 worker_pipe_write.reset(); 506 std::this_thread::sleep_for(250ms); 507 508 int result; 509 ASSERT_EQ(0, TEMP_FAILURE_RETRY(waitpid(worker, &result, WNOHANG))); 510 ASSERT_TRUE(WaitForTracer()); 511 ASSERT_EQ(worker, TEMP_FAILURE_RETRY(waitpid(worker, &result, 0))); 512 } 513 514 TEST_F(PtraceResumptionTest, seize) { 515 StartTracer([this]() { ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); }); 516 ASSERT_TRUE(WaitForTracer()); 517 ASSERT_TRUE(WaitForWorker()); 518 } 519 520 TEST_F(PtraceResumptionTest, seize_interrupt) { 521 StartTracer([this]() { 522 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 523 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 524 wait_for_ptrace_stop(worker); 525 }); 526 ASSERT_TRUE(WaitForTracer()); 527 ASSERT_TRUE(WaitForWorker()); 528 } 529 530 TEST_F(PtraceResumptionTest, seize_interrupt_cont) { 531 StartTracer([this]() { 532 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 533 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 534 wait_for_ptrace_stop(worker); 535 ASSERT_EQ(0, ptrace(PTRACE_CONT, worker, 0, 0)) << strerror(errno); 536 }); 537 ASSERT_TRUE(WaitForTracer()); 538 ASSERT_TRUE(WaitForWorker()); 539 } 540 541 TEST_F(PtraceResumptionTest, zombie_seize) { 542 StartTracer([this]() { ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); }); 543 ASSERT_TRUE(WaitForWorker()); 544 ASSERT_TRUE(WaitForTracer()); 545 } 546 547 TEST_F(PtraceResumptionTest, zombie_seize_interrupt) { 548 StartTracer([this]() { 549 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 550 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 551 wait_for_ptrace_stop(worker); 552 }); 553 ASSERT_TRUE(WaitForWorker()); 554 ASSERT_TRUE(WaitForTracer()); 555 } 556 557 TEST_F(PtraceResumptionTest, zombie_seize_interrupt_cont) { 558 StartTracer([this]() { 559 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 560 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 561 wait_for_ptrace_stop(worker); 562 ASSERT_EQ(0, ptrace(PTRACE_CONT, worker, 0, 0)) << strerror(errno); 563 }); 564 ASSERT_TRUE(WaitForWorker()); 565 ASSERT_TRUE(WaitForTracer()); 566 } 567