1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <sys/ptrace.h> 18 19 #include <elf.h> 20 #include <err.h> 21 #include <fcntl.h> 22 #include <sched.h> 23 #include <sys/prctl.h> 24 #include <sys/ptrace.h> 25 #include <sys/uio.h> 26 #include <sys/user.h> 27 #include <sys/wait.h> 28 #include <unistd.h> 29 30 #include <chrono> 31 #include <thread> 32 33 #include <gtest/gtest.h> 34 35 #include <android-base/macros.h> 36 #include <android-base/unique_fd.h> 37 38 using namespace std::chrono_literals; 39 40 using android::base::unique_fd; 41 42 // Host libc does not define this. 43 #ifndef TRAP_HWBKPT 44 #define TRAP_HWBKPT 4 45 #endif 46 47 class ChildGuard { 48 public: 49 explicit ChildGuard(pid_t pid) : pid(pid) {} 50 51 ~ChildGuard() { 52 kill(pid, SIGKILL); 53 int status; 54 TEMP_FAILURE_RETRY(waitpid(pid, &status, 0)); 55 } 56 57 private: 58 pid_t pid; 59 }; 60 61 enum class HwFeature { Watchpoint, Breakpoint }; 62 63 static bool is_hw_feature_supported(pid_t child, HwFeature feature) { 64 #if defined(__arm__) 65 long capabilities; 66 long result = ptrace(PTRACE_GETHBPREGS, child, 0, &capabilities); 67 if (result == -1) { 68 EXPECT_EQ(EIO, errno); 69 GTEST_LOG_(INFO) << "Hardware debug support disabled at kernel configuration time."; 70 return false; 71 } 72 uint8_t hb_count = capabilities & 0xff; 73 capabilities >>= 8; 74 uint8_t wp_count = capabilities & 0xff; 75 capabilities >>= 8; 76 uint8_t max_wp_size = capabilities & 0xff; 77 if (max_wp_size == 0) { 78 GTEST_LOG_(INFO) 79 << "Kernel reports zero maximum watchpoint size. Hardware debug support missing."; 80 return false; 81 } 82 if (feature == HwFeature::Watchpoint && wp_count == 0) { 83 GTEST_LOG_(INFO) << "Kernel reports zero hardware watchpoints"; 84 return false; 85 } 86 if (feature == HwFeature::Breakpoint && hb_count == 0) { 87 GTEST_LOG_(INFO) << "Kernel reports zero hardware breakpoints"; 88 return false; 89 } 90 return true; 91 #elif defined(__aarch64__) 92 user_hwdebug_state dreg_state; 93 iovec iov; 94 iov.iov_base = &dreg_state; 95 iov.iov_len = sizeof(dreg_state); 96 97 long result = ptrace(PTRACE_GETREGSET, child, 98 feature == HwFeature::Watchpoint ? NT_ARM_HW_WATCH : NT_ARM_HW_BREAK, &iov); 99 if (result == -1) { 100 EXPECT_EQ(EINVAL, errno); 101 return false; 102 } 103 return (dreg_state.dbg_info & 0xff) > 0; 104 #elif defined(__i386__) || defined(__x86_64__) 105 // We assume watchpoints and breakpoints are always supported on x86. 106 UNUSED(child); 107 UNUSED(feature); 108 return true; 109 #else 110 // TODO: mips support. 111 UNUSED(child); 112 UNUSED(feature); 113 return false; 114 #endif 115 } 116 117 static void set_watchpoint(pid_t child, uintptr_t address, size_t size) { 118 ASSERT_EQ(0u, address & 0x7) << "address: " << address; 119 #if defined(__arm__) || defined(__aarch64__) 120 const unsigned byte_mask = (1 << size) - 1; 121 const unsigned type = 2; // Write. 122 const unsigned enable = 1; 123 const unsigned control = byte_mask << 5 | type << 3 | enable; 124 125 #ifdef __arm__ 126 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, -1, &address)) << strerror(errno); 127 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, -2, &control)) << strerror(errno); 128 #else // aarch64 129 user_hwdebug_state dreg_state; 130 memset(&dreg_state, 0, sizeof dreg_state); 131 dreg_state.dbg_regs[0].addr = address; 132 dreg_state.dbg_regs[0].ctrl = control; 133 134 iovec iov; 135 iov.iov_base = &dreg_state; 136 iov.iov_len = offsetof(user_hwdebug_state, dbg_regs) + sizeof(dreg_state.dbg_regs[0]); 137 138 ASSERT_EQ(0, ptrace(PTRACE_SETREGSET, child, NT_ARM_HW_WATCH, &iov)) << strerror(errno); 139 #endif 140 #elif defined(__i386__) || defined(__x86_64__) 141 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[0]), address)) << strerror(errno); 142 errno = 0; 143 unsigned data = ptrace(PTRACE_PEEKUSER, child, offsetof(user, u_debugreg[7]), nullptr); 144 ASSERT_EQ(0, errno); 145 146 const unsigned size_flag = (size == 8) ? 2 : size - 1; 147 const unsigned enable = 1; 148 const unsigned type = 1; // Write. 149 150 const unsigned mask = 3 << 18 | 3 << 16 | 1; 151 const unsigned value = size_flag << 18 | type << 16 | enable; 152 data &= mask; 153 data |= value; 154 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[7]), data)) << strerror(errno); 155 #else 156 UNUSED(child); 157 UNUSED(address); 158 UNUSED(size); 159 #endif 160 } 161 162 template <typename T> 163 static void run_watchpoint_test(std::function<void(T&)> child_func, size_t offset, size_t size) { 164 alignas(16) T data{}; 165 166 pid_t child = fork(); 167 ASSERT_NE(-1, child) << strerror(errno); 168 if (child == 0) { 169 // Extra precaution: make sure we go away if anything happens to our parent. 170 if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) { 171 perror("prctl(PR_SET_PDEATHSIG)"); 172 _exit(1); 173 } 174 175 if (ptrace(PTRACE_TRACEME, 0, nullptr, nullptr) == -1) { 176 perror("ptrace(PTRACE_TRACEME)"); 177 _exit(2); 178 } 179 180 child_func(data); 181 _exit(0); 182 } 183 184 ChildGuard guard(child); 185 186 int status; 187 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 188 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 189 ASSERT_EQ(SIGSTOP, WSTOPSIG(status)) << "Status was: " << status; 190 191 if (!is_hw_feature_supported(child, HwFeature::Watchpoint)) { 192 GTEST_LOG_(INFO) << "Skipping test because hardware support is not available.\n"; 193 return; 194 } 195 196 set_watchpoint(child, uintptr_t(&data) + offset, size); 197 198 ASSERT_EQ(0, ptrace(PTRACE_CONT, child, nullptr, nullptr)) << strerror(errno); 199 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 200 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 201 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)) << "Status was: " << status; 202 203 siginfo_t siginfo; 204 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child, nullptr, &siginfo)) << strerror(errno); 205 ASSERT_EQ(TRAP_HWBKPT, siginfo.si_code); 206 #if defined(__arm__) || defined(__aarch64__) 207 ASSERT_LE(&data, siginfo.si_addr); 208 ASSERT_GT((&data) + 1, siginfo.si_addr); 209 #endif 210 } 211 212 template <typename T> 213 static void watchpoint_stress_child(unsigned cpu, T& data) { 214 cpu_set_t cpus; 215 CPU_ZERO(&cpus); 216 CPU_SET(cpu, &cpus); 217 if (sched_setaffinity(0, sizeof cpus, &cpus) == -1) { 218 perror("sched_setaffinity"); 219 _exit(3); 220 } 221 raise(SIGSTOP); // Synchronize with the tracer, let it set the watchpoint. 222 223 data = 1; // Now trigger the watchpoint. 224 } 225 226 template <typename T> 227 static void run_watchpoint_stress(size_t cpu) { 228 run_watchpoint_test<T>(std::bind(watchpoint_stress_child<T>, cpu, std::placeholders::_1), 0, 229 sizeof(T)); 230 } 231 232 // Test watchpoint API. The test is considered successful if our watchpoints get hit OR the 233 // system reports that watchpoint support is not present. We run the test for different 234 // watchpoint sizes, while pinning the process to each cpu in turn, for better coverage. 235 TEST(sys_ptrace, watchpoint_stress) { 236 cpu_set_t available_cpus; 237 ASSERT_EQ(0, sched_getaffinity(0, sizeof available_cpus, &available_cpus)); 238 239 for (size_t cpu = 0; cpu < CPU_SETSIZE; ++cpu) { 240 if (!CPU_ISSET(cpu, &available_cpus)) continue; 241 242 run_watchpoint_stress<uint8_t>(cpu); 243 run_watchpoint_stress<uint16_t>(cpu); 244 run_watchpoint_stress<uint32_t>(cpu); 245 #if defined(__LP64__) 246 run_watchpoint_stress<uint64_t>(cpu); 247 #endif 248 } 249 } 250 251 struct Uint128_t { 252 uint64_t data[2]; 253 }; 254 static void watchpoint_imprecise_child(Uint128_t& data) { 255 raise(SIGSTOP); // Synchronize with the tracer, let it set the watchpoint. 256 257 #if defined(__i386__) || defined(__x86_64__) 258 asm volatile("movdqa %%xmm0, %0" : : "m"(data)); 259 #elif defined(__arm__) 260 asm volatile("stm %0, { r0, r1, r2, r3 }" : : "r"(&data)); 261 #elif defined(__aarch64__) 262 asm volatile("stp x0, x1, %0" : : "m"(data)); 263 #elif defined(__mips__) 264 // TODO 265 UNUSED(data); 266 #endif 267 } 268 269 // Test that the kernel is able to handle the case when the instruction writes 270 // to a larger block of memory than the one we are watching. If you see this 271 // test fail on arm64, you will likely need to cherry-pick fdfeff0f into your 272 // kernel. 273 TEST(sys_ptrace, watchpoint_imprecise) { 274 // This test relies on the infrastructure to timeout if the test hangs. 275 run_watchpoint_test<Uint128_t>(watchpoint_imprecise_child, 8, sizeof(void*)); 276 } 277 278 static void __attribute__((noinline)) breakpoint_func() { 279 asm volatile(""); 280 } 281 282 static void __attribute__((noreturn)) breakpoint_fork_child() { 283 // Extra precaution: make sure we go away if anything happens to our parent. 284 if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) { 285 perror("prctl(PR_SET_PDEATHSIG)"); 286 _exit(1); 287 } 288 289 if (ptrace(PTRACE_TRACEME, 0, nullptr, nullptr) == -1) { 290 perror("ptrace(PTRACE_TRACEME)"); 291 _exit(2); 292 } 293 294 raise(SIGSTOP); // Synchronize with the tracer, let it set the breakpoint. 295 296 breakpoint_func(); // Now trigger the breakpoint. 297 298 _exit(0); 299 } 300 301 static void set_breakpoint(pid_t child) { 302 uintptr_t address = uintptr_t(breakpoint_func); 303 #if defined(__arm__) || defined(__aarch64__) 304 address &= ~3; 305 const unsigned byte_mask = 0xf; 306 const unsigned enable = 1; 307 const unsigned control = byte_mask << 5 | enable; 308 309 #ifdef __arm__ 310 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, 1, &address)) << strerror(errno); 311 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, 2, &control)) << strerror(errno); 312 #else // aarch64 313 user_hwdebug_state dreg_state; 314 memset(&dreg_state, 0, sizeof dreg_state); 315 dreg_state.dbg_regs[0].addr = reinterpret_cast<uintptr_t>(address); 316 dreg_state.dbg_regs[0].ctrl = control; 317 318 iovec iov; 319 iov.iov_base = &dreg_state; 320 iov.iov_len = offsetof(user_hwdebug_state, dbg_regs) + sizeof(dreg_state.dbg_regs[0]); 321 322 ASSERT_EQ(0, ptrace(PTRACE_SETREGSET, child, NT_ARM_HW_BREAK, &iov)) << strerror(errno); 323 #endif 324 #elif defined(__i386__) || defined(__x86_64__) 325 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[0]), address)) 326 << strerror(errno); 327 errno = 0; 328 unsigned data = ptrace(PTRACE_PEEKUSER, child, offsetof(user, u_debugreg[7]), nullptr); 329 ASSERT_EQ(0, errno); 330 331 const unsigned size = 0; 332 const unsigned enable = 1; 333 const unsigned type = 0; // Execute 334 335 const unsigned mask = 3 << 18 | 3 << 16 | 1; 336 const unsigned value = size << 18 | type << 16 | enable; 337 data &= mask; 338 data |= value; 339 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[7]), data)) 340 << strerror(errno); 341 #else 342 UNUSED(child); 343 UNUSED(address); 344 #endif 345 } 346 347 // Test hardware breakpoint API. The test is considered successful if the breakpoints get hit OR the 348 // system reports that hardware breakpoint support is not present. 349 TEST(sys_ptrace, hardware_breakpoint) { 350 pid_t child = fork(); 351 ASSERT_NE(-1, child) << strerror(errno); 352 if (child == 0) breakpoint_fork_child(); 353 354 ChildGuard guard(child); 355 356 int status; 357 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 358 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 359 ASSERT_EQ(SIGSTOP, WSTOPSIG(status)) << "Status was: " << status; 360 361 if (!is_hw_feature_supported(child, HwFeature::Breakpoint)) { 362 GTEST_LOG_(INFO) << "Skipping test because hardware support is not available.\n"; 363 return; 364 } 365 366 set_breakpoint(child); 367 368 ASSERT_EQ(0, ptrace(PTRACE_CONT, child, nullptr, nullptr)) << strerror(errno); 369 ASSERT_EQ(child, TEMP_FAILURE_RETRY(waitpid(child, &status, __WALL))) << strerror(errno); 370 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status; 371 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)) << "Status was: " << status; 372 373 siginfo_t siginfo; 374 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child, nullptr, &siginfo)) << strerror(errno); 375 ASSERT_EQ(TRAP_HWBKPT, siginfo.si_code); 376 } 377 378 class PtraceResumptionTest : public ::testing::Test { 379 public: 380 unique_fd worker_pipe_write; 381 382 pid_t worker = -1; 383 pid_t tracer = -1; 384 385 PtraceResumptionTest() { 386 unique_fd worker_pipe_read; 387 if (!android::base::Pipe(&worker_pipe_read, &worker_pipe_write)) { 388 err(1, "failed to create pipe"); 389 } 390 391 // Second pipe to synchronize the Yama ptracer setup. 392 unique_fd worker_pipe_setup_read, worker_pipe_setup_write; 393 if (!android::base::Pipe(&worker_pipe_setup_read, &worker_pipe_setup_write)) { 394 err(1, "failed to create pipe"); 395 } 396 397 worker = fork(); 398 if (worker == -1) { 399 err(1, "failed to fork worker"); 400 } else if (worker == 0) { 401 char buf; 402 // Allow the tracer process, which is not a direct process ancestor, to 403 // be able to use ptrace(2) on this process when Yama LSM is active. 404 if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == -1) { 405 // if Yama is off prctl(PR_SET_PTRACER) returns EINVAL - don't log in this 406 // case since it's expected behaviour. 407 if (errno != EINVAL) { 408 err(1, "prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) failed for pid %d", getpid()); 409 } 410 } 411 worker_pipe_setup_write.reset(); 412 413 worker_pipe_write.reset(); 414 TEMP_FAILURE_RETRY(read(worker_pipe_read.get(), &buf, sizeof(buf))); 415 exit(0); 416 } else { 417 // Wait until the Yama ptracer is setup. 418 char buf; 419 worker_pipe_setup_write.reset(); 420 TEMP_FAILURE_RETRY(read(worker_pipe_setup_read.get(), &buf, sizeof(buf))); 421 } 422 } 423 424 ~PtraceResumptionTest() { 425 } 426 427 void AssertDeath(int signo); 428 429 void StartTracer(std::function<void()> f) { 430 tracer = fork(); 431 ASSERT_NE(-1, tracer); 432 if (tracer == 0) { 433 f(); 434 if (HasFatalFailure()) { 435 exit(1); 436 } 437 exit(0); 438 } 439 } 440 441 bool WaitForTracer() { 442 if (tracer == -1) { 443 errx(1, "tracer not started"); 444 } 445 446 int result; 447 pid_t rc = TEMP_FAILURE_RETRY(waitpid(tracer, &result, 0)); 448 if (rc != tracer) { 449 printf("waitpid returned %d (%s)\n", rc, strerror(errno)); 450 return false; 451 } 452 453 if (!WIFEXITED(result) && !WIFSIGNALED(result)) { 454 printf("!WIFEXITED && !WIFSIGNALED\n"); 455 return false; 456 } 457 458 if (WIFEXITED(result)) { 459 if (WEXITSTATUS(result) != 0) { 460 printf("tracer failed\n"); 461 return false; 462 } 463 } 464 465 return true; 466 } 467 468 bool WaitForWorker() { 469 if (worker == -1) { 470 errx(1, "worker not started"); 471 } 472 473 int result; 474 pid_t rc = TEMP_FAILURE_RETRY(waitpid(worker, &result, WNOHANG)); 475 if (rc != 0) { 476 printf("worker exited prematurely\n"); 477 return false; 478 } 479 480 worker_pipe_write.reset(); 481 482 rc = TEMP_FAILURE_RETRY(waitpid(worker, &result, 0)); 483 if (rc != worker) { 484 printf("waitpid for worker returned %d (%s)\n", rc, strerror(errno)); 485 return false; 486 } 487 488 if (!WIFEXITED(result)) { 489 printf("worker didn't exit\n"); 490 return false; 491 } 492 493 if (WEXITSTATUS(result) != 0) { 494 printf("worker exited with status %d\n", WEXITSTATUS(result)); 495 return false; 496 } 497 498 return true; 499 } 500 }; 501 502 static void wait_for_ptrace_stop(pid_t pid) { 503 while (true) { 504 int status; 505 pid_t rc = TEMP_FAILURE_RETRY(waitpid(pid, &status, __WALL)); 506 if (rc != pid) { 507 abort(); 508 } 509 if (WIFSTOPPED(status)) { 510 return; 511 } 512 } 513 } 514 515 TEST_F(PtraceResumptionTest, smoke) { 516 // Make sure that the worker doesn't exit before the tracer stops tracing. 517 StartTracer([this]() { 518 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 519 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 520 wait_for_ptrace_stop(worker); 521 std::this_thread::sleep_for(500ms); 522 }); 523 524 worker_pipe_write.reset(); 525 std::this_thread::sleep_for(250ms); 526 527 int result; 528 ASSERT_EQ(0, TEMP_FAILURE_RETRY(waitpid(worker, &result, WNOHANG))); 529 ASSERT_TRUE(WaitForTracer()); 530 ASSERT_EQ(worker, TEMP_FAILURE_RETRY(waitpid(worker, &result, 0))); 531 } 532 533 TEST_F(PtraceResumptionTest, seize) { 534 StartTracer([this]() { ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); }); 535 ASSERT_TRUE(WaitForTracer()); 536 ASSERT_TRUE(WaitForWorker()); 537 } 538 539 TEST_F(PtraceResumptionTest, seize_interrupt) { 540 StartTracer([this]() { 541 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 542 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 543 wait_for_ptrace_stop(worker); 544 }); 545 ASSERT_TRUE(WaitForTracer()); 546 ASSERT_TRUE(WaitForWorker()); 547 } 548 549 TEST_F(PtraceResumptionTest, seize_interrupt_cont) { 550 StartTracer([this]() { 551 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 552 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 553 wait_for_ptrace_stop(worker); 554 ASSERT_EQ(0, ptrace(PTRACE_CONT, worker, 0, 0)) << strerror(errno); 555 }); 556 ASSERT_TRUE(WaitForTracer()); 557 ASSERT_TRUE(WaitForWorker()); 558 } 559 560 TEST_F(PtraceResumptionTest, zombie_seize) { 561 StartTracer([this]() { ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); }); 562 ASSERT_TRUE(WaitForWorker()); 563 ASSERT_TRUE(WaitForTracer()); 564 } 565 566 TEST_F(PtraceResumptionTest, zombie_seize_interrupt) { 567 StartTracer([this]() { 568 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 569 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 570 wait_for_ptrace_stop(worker); 571 }); 572 ASSERT_TRUE(WaitForWorker()); 573 ASSERT_TRUE(WaitForTracer()); 574 } 575 576 TEST_F(PtraceResumptionTest, zombie_seize_interrupt_cont) { 577 StartTracer([this]() { 578 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); 579 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno); 580 wait_for_ptrace_stop(worker); 581 ASSERT_EQ(0, ptrace(PTRACE_CONT, worker, 0, 0)) << strerror(errno); 582 }); 583 ASSERT_TRUE(WaitForWorker()); 584 ASSERT_TRUE(WaitForTracer()); 585 } 586