1 /* system/debuggerd/debuggerd.c 2 ** 3 ** Copyright 2006, The Android Open Source Project 4 ** 5 ** Licensed under the Apache License, Version 2.0 (the "License"); 6 ** you may not use this file except in compliance with the License. 7 ** You may obtain a copy of the License at 8 ** 9 ** http://www.apache.org/licenses/LICENSE-2.0 10 ** 11 ** Unless required by applicable law or agreed to in writing, software 12 ** distributed under the License is distributed on an "AS IS" BASIS, 13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 ** See the License for the specific language governing permissions and 15 ** limitations under the License. 16 */ 17 18 #include <stdio.h> 19 #include <errno.h> 20 #include <signal.h> 21 #include <pthread.h> 22 #include <stdarg.h> 23 #include <fcntl.h> 24 #include <sys/types.h> 25 #include <dirent.h> 26 #include <time.h> 27 28 #include <sys/ptrace.h> 29 #include <sys/wait.h> 30 #include <sys/exec_elf.h> 31 #include <sys/stat.h> 32 #include <sys/poll.h> 33 34 #include <cutils/sockets.h> 35 #include <cutils/logd.h> 36 #include <cutils/logger.h> 37 #include <cutils/properties.h> 38 #include <cutils/debugger.h> 39 40 #include <corkscrew/backtrace.h> 41 42 #include <linux/input.h> 43 44 #include <private/android_filesystem_config.h> 45 46 #include "backtrace.h" 47 #include "getevent.h" 48 #include "tombstone.h" 49 #include "utility.h" 50 51 typedef struct { 52 debugger_action_t action; 53 pid_t pid, tid; 54 uid_t uid, gid; 55 uintptr_t abort_msg_address; 56 } debugger_request_t; 57 58 static int 59 write_string(const char* file, const char* string) 60 { 61 int len; 62 int fd; 63 ssize_t amt; 64 fd = open(file, O_RDWR); 65 len = strlen(string); 66 if (fd < 0) 67 return -errno; 68 amt = write(fd, string, len); 69 close(fd); 70 return amt >= 0 ? 0 : -errno; 71 } 72 73 static 74 void init_debug_led(void) 75 { 76 // trout leds 77 write_string("/sys/class/leds/red/brightness", "0"); 78 write_string("/sys/class/leds/green/brightness", "0"); 79 write_string("/sys/class/leds/blue/brightness", "0"); 80 write_string("/sys/class/leds/red/device/blink", "0"); 81 // sardine leds 82 write_string("/sys/class/leds/left/cadence", "0,0"); 83 } 84 85 static 86 void enable_debug_led(void) 87 { 88 // trout leds 89 write_string("/sys/class/leds/red/brightness", "255"); 90 // sardine leds 91 write_string("/sys/class/leds/left/cadence", "1,0"); 92 } 93 94 static 95 void disable_debug_led(void) 96 { 97 // trout leds 98 write_string("/sys/class/leds/red/brightness", "0"); 99 // sardine leds 100 write_string("/sys/class/leds/left/cadence", "0,0"); 101 } 102 103 static void wait_for_user_action(pid_t pid) { 104 /* First log a helpful message */ 105 LOG( "********************************************************\n" 106 "* Process %d has been suspended while crashing. To\n" 107 "* attach gdbserver for a gdb connection on port 5039\n" 108 "* and start gdbclient:\n" 109 "*\n" 110 "* gdbclient app_process :5039 %d\n" 111 "*\n" 112 "* Wait for gdb to start, then press HOME or VOLUME DOWN key\n" 113 "* to let the process continue crashing.\n" 114 "********************************************************\n", 115 pid, pid); 116 117 /* wait for HOME or VOLUME DOWN key */ 118 if (init_getevent() == 0) { 119 int ms = 1200 / 10; 120 int dit = 1; 121 int dah = 3*dit; 122 int _ = -dit; 123 int ___ = 3*_; 124 int _______ = 7*_; 125 const signed char codes[] = { 126 dit,_,dit,_,dit,___,dah,_,dah,_,dah,___,dit,_,dit,_,dit,_______ 127 }; 128 size_t s = 0; 129 struct input_event e; 130 bool done = false; 131 init_debug_led(); 132 enable_debug_led(); 133 do { 134 int timeout = abs((int)(codes[s])) * ms; 135 int res = get_event(&e, timeout); 136 if (res == 0) { 137 if (e.type == EV_KEY 138 && (e.code == KEY_HOME || e.code == KEY_VOLUMEDOWN) 139 && e.value == 0) { 140 done = true; 141 } 142 } else if (res == 1) { 143 if (++s >= sizeof(codes)/sizeof(*codes)) 144 s = 0; 145 if (codes[s] > 0) { 146 enable_debug_led(); 147 } else { 148 disable_debug_led(); 149 } 150 } 151 } while (!done); 152 uninit_getevent(); 153 } 154 155 /* don't forget to turn debug led off */ 156 disable_debug_led(); 157 LOG("debuggerd resuming process %d", pid); 158 } 159 160 static int get_process_info(pid_t tid, pid_t* out_pid, uid_t* out_uid, uid_t* out_gid) { 161 char path[64]; 162 snprintf(path, sizeof(path), "/proc/%d/status", tid); 163 164 FILE* fp = fopen(path, "r"); 165 if (!fp) { 166 return -1; 167 } 168 169 int fields = 0; 170 char line[1024]; 171 while (fgets(line, sizeof(line), fp)) { 172 size_t len = strlen(line); 173 if (len > 6 && !memcmp(line, "Tgid:\t", 6)) { 174 *out_pid = atoi(line + 6); 175 fields |= 1; 176 } else if (len > 5 && !memcmp(line, "Uid:\t", 5)) { 177 *out_uid = atoi(line + 5); 178 fields |= 2; 179 } else if (len > 5 && !memcmp(line, "Gid:\t", 5)) { 180 *out_gid = atoi(line + 5); 181 fields |= 4; 182 } 183 } 184 fclose(fp); 185 return fields == 7 ? 0 : -1; 186 } 187 188 static int read_request(int fd, debugger_request_t* out_request) { 189 struct ucred cr; 190 int len = sizeof(cr); 191 int status = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len); 192 if (status != 0) { 193 LOG("cannot get credentials\n"); 194 return -1; 195 } 196 197 XLOG("reading tid\n"); 198 fcntl(fd, F_SETFL, O_NONBLOCK); 199 200 struct pollfd pollfds[1]; 201 pollfds[0].fd = fd; 202 pollfds[0].events = POLLIN; 203 pollfds[0].revents = 0; 204 status = TEMP_FAILURE_RETRY(poll(pollfds, 1, 3000)); 205 if (status != 1) { 206 LOG("timed out reading tid (from pid=%d uid=%d)\n", cr.pid, cr.uid); 207 return -1; 208 } 209 210 debugger_msg_t msg; 211 memset(&msg, 0, sizeof(msg)); 212 status = TEMP_FAILURE_RETRY(read(fd, &msg, sizeof(msg))); 213 if (status < 0) { 214 LOG("read failure? %s (pid=%d uid=%d)\n", 215 strerror(errno), cr.pid, cr.uid); 216 return -1; 217 } 218 if (status == sizeof(debugger_msg_t)) { 219 XLOG("crash request of size %d abort_msg_address=%#08x\n", status, msg.abort_msg_address); 220 } else { 221 LOG("invalid crash request of size %d (from pid=%d uid=%d)\n", 222 status, cr.pid, cr.uid); 223 return -1; 224 } 225 226 out_request->action = msg.action; 227 out_request->tid = msg.tid; 228 out_request->pid = cr.pid; 229 out_request->uid = cr.uid; 230 out_request->gid = cr.gid; 231 out_request->abort_msg_address = msg.abort_msg_address; 232 233 if (msg.action == DEBUGGER_ACTION_CRASH) { 234 /* Ensure that the tid reported by the crashing process is valid. */ 235 char buf[64]; 236 struct stat s; 237 snprintf(buf, sizeof buf, "/proc/%d/task/%d", out_request->pid, out_request->tid); 238 if(stat(buf, &s)) { 239 LOG("tid %d does not exist in pid %d. ignoring debug request\n", 240 out_request->tid, out_request->pid); 241 return -1; 242 } 243 } else if (cr.uid == 0 244 || (cr.uid == AID_SYSTEM && msg.action == DEBUGGER_ACTION_DUMP_BACKTRACE)) { 245 /* Only root or system can ask us to attach to any process and dump it explicitly. 246 * However, system is only allowed to collect backtraces but cannot dump tombstones. */ 247 status = get_process_info(out_request->tid, &out_request->pid, 248 &out_request->uid, &out_request->gid); 249 if (status < 0) { 250 LOG("tid %d does not exist. ignoring explicit dump request\n", 251 out_request->tid); 252 return -1; 253 } 254 } else { 255 /* No one else is allowed to dump arbitrary processes. */ 256 return -1; 257 } 258 return 0; 259 } 260 261 static bool should_attach_gdb(debugger_request_t* request) { 262 if (request->action == DEBUGGER_ACTION_CRASH) { 263 char value[PROPERTY_VALUE_MAX]; 264 property_get("debug.db.uid", value, "-1"); 265 int debug_uid = atoi(value); 266 return debug_uid >= 0 && request->uid <= (uid_t)debug_uid; 267 } 268 return false; 269 } 270 271 static void handle_request(int fd) { 272 XLOG("handle_request(%d)\n", fd); 273 274 debugger_request_t request; 275 memset(&request, 0, sizeof(request)); 276 int status = read_request(fd, &request); 277 if (!status) { 278 XLOG("BOOM: pid=%d uid=%d gid=%d tid=%d\n", 279 request.pid, request.uid, request.gid, request.tid); 280 281 /* At this point, the thread that made the request is blocked in 282 * a read() call. If the thread has crashed, then this gives us 283 * time to PTRACE_ATTACH to it before it has a chance to really fault. 284 * 285 * The PTRACE_ATTACH sends a SIGSTOP to the target process, but it 286 * won't necessarily have stopped by the time ptrace() returns. (We 287 * currently assume it does.) We write to the file descriptor to 288 * ensure that it can run as soon as we call PTRACE_CONT below. 289 * See details in bionic/libc/linker/debugger.c, in function 290 * debugger_signal_handler(). 291 */ 292 if (ptrace(PTRACE_ATTACH, request.tid, 0, 0)) { 293 LOG("ptrace attach failed: %s\n", strerror(errno)); 294 } else { 295 bool detach_failed = false; 296 bool attach_gdb = should_attach_gdb(&request); 297 if (TEMP_FAILURE_RETRY(write(fd, "\0", 1)) != 1) { 298 LOG("failed responding to client: %s\n", strerror(errno)); 299 } else { 300 char* tombstone_path = NULL; 301 302 if (request.action == DEBUGGER_ACTION_CRASH) { 303 close(fd); 304 fd = -1; 305 } 306 307 int total_sleep_time_usec = 0; 308 for (;;) { 309 int signal = wait_for_signal(request.tid, &total_sleep_time_usec); 310 if (signal < 0) { 311 break; 312 } 313 314 switch (signal) { 315 case SIGSTOP: 316 if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { 317 XLOG("stopped -- dumping to tombstone\n"); 318 tombstone_path = engrave_tombstone(request.pid, request.tid, 319 signal, request.abort_msg_address, true, true, &detach_failed, 320 &total_sleep_time_usec); 321 } else if (request.action == DEBUGGER_ACTION_DUMP_BACKTRACE) { 322 XLOG("stopped -- dumping to fd\n"); 323 dump_backtrace(fd, -1, 324 request.pid, request.tid, &detach_failed, 325 &total_sleep_time_usec); 326 } else { 327 XLOG("stopped -- continuing\n"); 328 status = ptrace(PTRACE_CONT, request.tid, 0, 0); 329 if (status) { 330 LOG("ptrace continue failed: %s\n", strerror(errno)); 331 } 332 continue; /* loop again */ 333 } 334 break; 335 336 case SIGILL: 337 case SIGABRT: 338 case SIGBUS: 339 case SIGFPE: 340 case SIGSEGV: 341 case SIGPIPE: 342 #ifdef SIGSTKFLT 343 case SIGSTKFLT: 344 #endif 345 { 346 XLOG("stopped -- fatal signal\n"); 347 /* 348 * Send a SIGSTOP to the process to make all of 349 * the non-signaled threads stop moving. Without 350 * this we get a lot of "ptrace detach failed: 351 * No such process". 352 */ 353 kill(request.pid, SIGSTOP); 354 /* don't dump sibling threads when attaching to GDB because it 355 * makes the process less reliable, apparently... */ 356 tombstone_path = engrave_tombstone(request.pid, request.tid, 357 signal, request.abort_msg_address, !attach_gdb, false, 358 &detach_failed, &total_sleep_time_usec); 359 break; 360 } 361 362 default: 363 XLOG("stopped -- unexpected signal\n"); 364 LOG("process stopped due to unexpected signal %d\n", signal); 365 break; 366 } 367 break; 368 } 369 370 if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { 371 if (tombstone_path) { 372 write(fd, tombstone_path, strlen(tombstone_path)); 373 } 374 close(fd); 375 fd = -1; 376 } 377 free(tombstone_path); 378 } 379 380 XLOG("detaching\n"); 381 if (attach_gdb) { 382 /* stop the process so we can debug */ 383 kill(request.pid, SIGSTOP); 384 385 /* detach so we can attach gdbserver */ 386 if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) { 387 LOG("ptrace detach from %d failed: %s\n", request.tid, strerror(errno)); 388 detach_failed = true; 389 } 390 391 /* 392 * if debug.db.uid is set, its value indicates if we should wait 393 * for user action for the crashing process. 394 * in this case, we log a message and turn the debug LED on 395 * waiting for a gdb connection (for instance) 396 */ 397 wait_for_user_action(request.pid); 398 } else { 399 /* just detach */ 400 if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) { 401 LOG("ptrace detach from %d failed: %s\n", request.tid, strerror(errno)); 402 detach_failed = true; 403 } 404 } 405 406 /* resume stopped process (so it can crash in peace). */ 407 kill(request.pid, SIGCONT); 408 409 /* If we didn't successfully detach, we're still the parent, and the 410 * actual parent won't receive a death notification via wait(2). At this point 411 * there's not much we can do about that. */ 412 if (detach_failed) { 413 LOG("debuggerd committing suicide to free the zombie!\n"); 414 kill(getpid(), SIGKILL); 415 } 416 } 417 418 } 419 if (fd >= 0) { 420 close(fd); 421 } 422 } 423 424 static int do_server() { 425 int s; 426 struct sigaction act; 427 int logsocket = -1; 428 429 /* 430 * debuggerd crashes can't be reported to debuggerd. Reset all of the 431 * crash handlers. 432 */ 433 signal(SIGILL, SIG_DFL); 434 signal(SIGABRT, SIG_DFL); 435 signal(SIGBUS, SIG_DFL); 436 signal(SIGFPE, SIG_DFL); 437 signal(SIGSEGV, SIG_DFL); 438 signal(SIGPIPE, SIG_DFL); 439 #ifdef SIGSTKFLT 440 signal(SIGSTKFLT, SIG_DFL); 441 #endif 442 443 logsocket = socket_local_client("logd", 444 ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_DGRAM); 445 if(logsocket < 0) { 446 logsocket = -1; 447 } else { 448 fcntl(logsocket, F_SETFD, FD_CLOEXEC); 449 } 450 451 act.sa_handler = SIG_DFL; 452 sigemptyset(&act.sa_mask); 453 sigaddset(&act.sa_mask,SIGCHLD); 454 act.sa_flags = SA_NOCLDWAIT; 455 sigaction(SIGCHLD, &act, 0); 456 457 s = socket_local_server(DEBUGGER_SOCKET_NAME, 458 ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM); 459 if(s < 0) return 1; 460 fcntl(s, F_SETFD, FD_CLOEXEC); 461 462 LOG("debuggerd: " __DATE__ " " __TIME__ "\n"); 463 464 for(;;) { 465 struct sockaddr addr; 466 socklen_t alen; 467 int fd; 468 469 alen = sizeof(addr); 470 XLOG("waiting for connection\n"); 471 fd = accept(s, &addr, &alen); 472 if(fd < 0) { 473 XLOG("accept failed: %s\n", strerror(errno)); 474 continue; 475 } 476 477 fcntl(fd, F_SETFD, FD_CLOEXEC); 478 479 handle_request(fd); 480 } 481 return 0; 482 } 483 484 static int do_explicit_dump(pid_t tid, bool dump_backtrace) { 485 fprintf(stdout, "Sending request to dump task %d.\n", tid); 486 487 if (dump_backtrace) { 488 fflush(stdout); 489 if (dump_backtrace_to_file(tid, fileno(stdout)) < 0) { 490 fputs("Error dumping backtrace.\n", stderr); 491 return 1; 492 } 493 } else { 494 char tombstone_path[PATH_MAX]; 495 if (dump_tombstone(tid, tombstone_path, sizeof(tombstone_path)) < 0) { 496 fputs("Error dumping tombstone.\n", stderr); 497 return 1; 498 } 499 fprintf(stderr, "Tombstone written to: %s\n", tombstone_path); 500 } 501 return 0; 502 } 503 504 static void usage() { 505 fputs("Usage: -b [<tid>]\n" 506 " -b dump backtrace to console, otherwise dump full tombstone file\n" 507 "\n" 508 "If tid specified, sends a request to debuggerd to dump that task.\n" 509 "Otherwise, starts the debuggerd server.\n", stderr); 510 } 511 512 int main(int argc, char** argv) { 513 if (argc == 1) { 514 return do_server(); 515 } 516 517 bool dump_backtrace = false; 518 bool have_tid = false; 519 pid_t tid = 0; 520 for (int i = 1; i < argc; i++) { 521 if (!strcmp(argv[i], "-b")) { 522 dump_backtrace = true; 523 } else if (!have_tid) { 524 tid = atoi(argv[i]); 525 have_tid = true; 526 } else { 527 usage(); 528 return 1; 529 } 530 } 531 if (!have_tid) { 532 usage(); 533 return 1; 534 } 535 return do_explicit_dump(tid, dump_backtrace); 536 } 537