Home | History | Annotate | Download | only in debuggerd 
      1 #include <assert.h>
      2 #include <errno.h>
      3 #include <pthread.h>
      4 #include <sched.h>
      5 #include <signal.h>
      6 #include <stdio.h>
      7 #include <stdlib.h>
      8 #include <string.h>
      9 #include <sys/cdefs.h>
     10 #include <sys/mman.h>
     11 #include <sys/ptrace.h>
     12 #include <sys/socket.h>
     13 #include <sys/wait.h>
     14 #include <unistd.h>
     15 
     16 #include <cutils/sockets.h>
     17 #include <log/log.h>
     18 
     19 #ifndef __unused
     20 #define __unused __attribute__((__unused__))
     21 #endif
     22 
     23 extern const char* __progname;
     24 
     25 void crash1(void);
     26 void crashnostack(void);
     27 static int do_action(const char* arg);
     28 
     29 static void maybe_abort() {
     30     if (time(0) != 42) {
     31         abort();
     32     }
     33 }
     34 
     35 static char* smash_stack_dummy_buf;
     36 __attribute__ ((noinline)) static void smash_stack_dummy_function(volatile int* plen) {
     37   smash_stack_dummy_buf[*plen] = 0;
     38 }
     39 
     40 // This must be marked with "__attribute__ ((noinline))", to ensure the
     41 // compiler generates the proper stack guards around this function.
     42 // Assign local array address to global variable to force stack guards.
     43 // Use another noinline function to corrupt the stack.
     44 __attribute__ ((noinline)) static int smash_stack(volatile int* plen) {
     45     printf("crasher: deliberately corrupting stack...\n");
     46 
     47     char buf[128];
     48     smash_stack_dummy_buf = buf;
     49     // This should corrupt stack guards and make process abort.
     50     smash_stack_dummy_function(plen);
     51     return 0;
     52 }
     53 
     54 #if defined(__clang__)
     55 #pragma clang diagnostic push
     56 #pragma clang diagnostic ignored "-Winfinite-recursion"
     57 #endif
     58 
     59 static void* global = 0; // So GCC doesn't optimize the tail recursion out of overflow_stack.
     60 
     61 __attribute__((noinline)) static void overflow_stack(void* p) {
     62     void* buf[1];
     63     buf[0] = p;
     64     global = buf;
     65     overflow_stack(&buf);
     66 }
     67 
     68 #if defined(__clang__)
     69 #pragma clang diagnostic pop
     70 #endif
     71 
     72 static void *noisy(void *x)
     73 {
     74     char c = (uintptr_t) x;
     75     for(;;) {
     76         usleep(250*1000);
     77         write(2, &c, 1);
     78         if(c == 'C') *((volatile unsigned*) 0) = 42;
     79     }
     80     return NULL;
     81 }
     82 
     83 static int ctest()
     84 {
     85     pthread_t thr;
     86     pthread_attr_t attr;
     87     pthread_attr_init(&attr);
     88     pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
     89     pthread_create(&thr, &attr, noisy, (void*) 'A');
     90     pthread_create(&thr, &attr, noisy, (void*) 'B');
     91     pthread_create(&thr, &attr, noisy, (void*) 'C');
     92     for(;;) ;
     93     return 0;
     94 }
     95 
     96 static void* thread_callback(void* raw_arg)
     97 {
     98     return (void*) (uintptr_t) do_action((const char*) raw_arg);
     99 }
    100 
    101 static int do_action_on_thread(const char* arg)
    102 {
    103     pthread_t t;
    104     pthread_create(&t, NULL, thread_callback, (void*) arg);
    105     void* result = NULL;
    106     pthread_join(t, &result);
    107     return (int) (uintptr_t) result;
    108 }
    109 
    110 __attribute__((noinline)) static int crash3(int a) {
    111     *((int*) 0xdead) = a;
    112     return a*4;
    113 }
    114 
    115 __attribute__((noinline)) static int crash2(int a) {
    116     a = crash3(a) + 2;
    117     return a*3;
    118 }
    119 
    120 __attribute__((noinline)) static int crash(int a) {
    121     a = crash2(a) + 1;
    122     return a*2;
    123 }
    124 
    125 static void abuse_heap() {
    126     char buf[16];
    127     free((void*) buf); // GCC is smart enough to warn about this, but we're doing it deliberately.
    128 }
    129 
    130 static void sigsegv_non_null() {
    131     int* a = (int *)(&do_action);
    132     *a = 42;
    133 }
    134 
    135 static int do_action(const char* arg)
    136 {
    137     fprintf(stderr,"crasher: init pid=%d tid=%d\n", getpid(), gettid());
    138 
    139     if (!strncmp(arg, "thread-", strlen("thread-"))) {
    140         return do_action_on_thread(arg + strlen("thread-"));
    141     } else if (!strcmp(arg, "SIGSEGV-non-null")) {
    142         sigsegv_non_null();
    143     } else if (!strcmp(arg, "smash-stack")) {
    144         volatile int len = 128;
    145         return smash_stack(&len);
    146     } else if (!strcmp(arg, "stack-overflow")) {
    147         overflow_stack(NULL);
    148     } else if (!strcmp(arg, "nostack")) {
    149         crashnostack();
    150     } else if (!strcmp(arg, "ctest")) {
    151         return ctest();
    152     } else if (!strcmp(arg, "exit")) {
    153         exit(1);
    154     } else if (!strcmp(arg, "crash") || !strcmp(arg, "SIGSEGV")) {
    155         return crash(42);
    156     } else if (!strcmp(arg, "abort")) {
    157         maybe_abort();
    158     } else if (!strcmp(arg, "assert")) {
    159         __assert("some_file.c", 123, "false");
    160     } else if (!strcmp(arg, "assert2")) {
    161         __assert2("some_file.c", 123, "some_function", "false");
    162     } else if (!strcmp(arg, "LOG_ALWAYS_FATAL")) {
    163         LOG_ALWAYS_FATAL("hello %s", "world");
    164     } else if (!strcmp(arg, "LOG_ALWAYS_FATAL_IF")) {
    165         LOG_ALWAYS_FATAL_IF(true, "hello %s", "world");
    166     } else if (!strcmp(arg, "SIGFPE")) {
    167         raise(SIGFPE);
    168         return EXIT_SUCCESS;
    169     } else if (!strcmp(arg, "SIGTRAP")) {
    170         raise(SIGTRAP);
    171         return EXIT_SUCCESS;
    172     } else if (!strcmp(arg, "heap-usage")) {
    173         abuse_heap();
    174     } else if (!strcmp(arg, "SIGSEGV-unmapped")) {
    175         char* map = mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    176         munmap(map, sizeof(int));
    177         map[0] = '8';
    178     }
    179 
    180     fprintf(stderr, "%s OP\n", __progname);
    181     fprintf(stderr, "where OP is:\n");
    182     fprintf(stderr, "  smash-stack           overwrite a stack-guard canary\n");
    183     fprintf(stderr, "  stack-overflow        recurse until the stack overflows\n");
    184     fprintf(stderr, "  heap-corruption       cause a libc abort by corrupting the heap\n");
    185     fprintf(stderr, "  heap-usage            cause a libc abort by abusing a heap function\n");
    186     fprintf(stderr, "  nostack               crash with a NULL stack pointer\n");
    187     fprintf(stderr, "  ctest                 (obsoleted by thread-crash?)\n");
    188     fprintf(stderr, "  exit                  call exit(1)\n");
    189     fprintf(stderr, "  abort                 call abort()\n");
    190     fprintf(stderr, "  assert                call assert() without a function\n");
    191     fprintf(stderr, "  assert2               call assert() with a function\n");
    192     fprintf(stderr, "  LOG_ALWAYS_FATAL      call LOG_ALWAYS_FATAL\n");
    193     fprintf(stderr, "  LOG_ALWAYS_FATAL_IF   call LOG_ALWAYS_FATAL\n");
    194     fprintf(stderr, "  SIGFPE                cause a SIGFPE\n");
    195     fprintf(stderr, "  SIGSEGV               cause a SIGSEGV at address 0x0 (synonym: crash)\n");
    196     fprintf(stderr, "  SIGSEGV-non-null      cause a SIGSEGV at a non-zero address\n");
    197     fprintf(stderr, "  SIGSEGV-unmapped      mmap/munmap a region of memory and then attempt to access it\n");
    198     fprintf(stderr, "  SIGTRAP               cause a SIGTRAP\n");
    199     fprintf(stderr, "prefix any of the above with 'thread-' to not run\n");
    200     fprintf(stderr, "on the process' main thread.\n");
    201     return EXIT_SUCCESS;
    202 }
    203 
    204 int main(int argc, char **argv)
    205 {
    206     fprintf(stderr,"crasher: built at " __TIME__ "!@\n");
    207 
    208     if(argc > 1) {
    209         return do_action(argv[1]);
    210     } else {
    211         crash1();
    212     }
    213 
    214     return 0;
    215 }
    216