static void handle_request(int fd) { ALOGV("handle_request(%d)\n", fd); debugger_request_t request; memset(&request, 0, sizeof(request)); int status = read_request(fd, &request); if (!status) { ALOGV("BOOM: pid=%d uid=%d gid=%d tid=%d\n", request.pid, request.uid, request.gid, request.tid); // At this point, the thread that made the request is blocked in // a read() call. If the thread has crashed, then this gives us // time to PTRACE_ATTACH to it before it has a chance to really fault. // // The PTRACE_ATTACH sends a SIGSTOP to the target process, but it // won't necessarily have stopped by the time ptrace() returns. (We // currently assume it does.) We write to the file descriptor to // ensure that it can run as soon as we call PTRACE_CONT below. // See details in bionic/libc/linker/debugger.c, in function // debugger_signal_handler(). if (ptrace(PTRACE_ATTACH, request.tid, 0, 0)) { ALOGE("ptrace attach failed: %s\n", strerror(errno)); } else { bool detach_failed = false; bool attach_gdb = should_attach_gdb(&request); if (TEMP_FAILURE_RETRY(write(fd, "\0", 1)) != 1) { ALOGE("failed responding to client: %s\n", strerror(errno)); } else { char* tombstone_path = NULL; if (request.action == DEBUGGER_ACTION_CRASH) { close(fd); fd = -1; } int total_sleep_time_usec = 0; for (;;) { int signal = wait_for_signal(request.tid, &total_sleep_time_usec); if (signal < 0) { break; } switch (signal) { case SIGSTOP: if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { ALOGV("stopped -- dumping to tombstone\n"); tombstone_path = engrave_tombstone(request.pid, request.tid, signal, request.original_si_code, request.abort_msg_address, true, &detach_failed, &total_sleep_time_usec); } else if (request.action == DEBUGGER_ACTION_DUMP_BACKTRACE) { ALOGV("stopped -- dumping to fd\n"); dump_backtrace(fd, -1, request.pid, request.tid, &detach_failed, &total_sleep_time_usec); } else { ALOGV("stopped -- continuing\n"); status = ptrace(PTRACE_CONT, request.tid, 0, 0); if (status) { ALOGE("ptrace continue failed: %s\n", strerror(errno)); } continue; // loop again } break; case SIGABRT: case SIGBUS: case SIGFPE: case SIGILL: case SIGPIPE: case SIGSEGV: #ifdef SIGSTKFLT case SIGSTKFLT: #endif case SIGTRAP: ALOGV("stopped -- fatal signal\n"); // Send a SIGSTOP to the process to make all of // the non-signaled threads stop moving. Without // this we get a lot of "ptrace detach failed: // No such process". kill(request.pid, SIGSTOP); // don't dump sibling threads when attaching to GDB because it // makes the process less reliable, apparently... tombstone_path = engrave_tombstone(request.pid, request.tid, signal, request.original_si_code, request.abort_msg_address, !attach_gdb, &detach_failed, &total_sleep_time_usec); break; default: ALOGE("process stopped due to unexpected signal %d\n", signal); break; } break; } if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { if (tombstone_path) { write(fd, tombstone_path, strlen(tombstone_path)); } close(fd); fd = -1; } free(tombstone_path); } ALOGV("detaching\n"); if (attach_gdb) { // stop the process so we can debug kill(request.pid, SIGSTOP); // detach so we can attach gdbserver if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) { ALOGE("ptrace detach from %d failed: %s\n", request.tid, strerror(errno)); detach_failed = true; } // if debug.db.uid is set, its value indicates if we should wait // for user action for the crashing process. // in this case, we log a message and turn the debug LED on // waiting for a gdb connection (for instance) wait_for_user_action(request); } else { // just detach if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) { ALOGE("ptrace detach from %d failed: %s\n", request.tid, strerror(errno)); detach_failed = true; } } // resume stopped process (so it can crash in peace). kill(request.pid, SIGCONT); // If we didn't successfully detach, we're still the parent, and the // actual parent won't receive a death notification via wait(2). At this point // there's not much we can do about that. if (detach_failed) { ALOGE("debuggerd committing suicide to free the zombie!\n"); kill(getpid(), SIGKILL); } } } if (fd >= 0) { close(fd); } }
static void worker_process(int fd, debugger_request_t& request) { // Open the tombstone file if we need it. std::string tombstone_path; int tombstone_fd = -1; switch (request.action) { case DEBUGGER_ACTION_DUMP_TOMBSTONE: case DEBUGGER_ACTION_CRASH: tombstone_fd = open_tombstone(&tombstone_path); if (tombstone_fd == -1) { ALOGE("debuggerd: failed to open tombstone file: %s\n", strerror(errno)); exit(1); } break; case DEBUGGER_ACTION_DUMP_BACKTRACE: break; default: ALOGE("debuggerd: unexpected request action: %d", request.action); exit(1); } // At this point, the thread that made the request is blocked in // a read() call. If the thread has crashed, then this gives us // time to PTRACE_ATTACH to it before it has a chance to really fault. // // The PTRACE_ATTACH sends a SIGSTOP to the target process, but it // won't necessarily have stopped by the time ptrace() returns. (We // currently assume it does.) We write to the file descriptor to // ensure that it can run as soon as we call PTRACE_CONT below. // See details in bionic/libc/linker/debugger.c, in function // debugger_signal_handler(). // Attach to the target process. if (ptrace(PTRACE_ATTACH, request.tid, 0, 0) != 0) { ALOGE("debuggerd: ptrace attach failed: %s", strerror(errno)); exit(1); } // Don't attach to the sibling threads if we want to attach gdb. // Supposedly, it makes the process less reliable. bool attach_gdb = should_attach_gdb(request); if (attach_gdb) { // Open all of the input devices we need to listen for VOLUMEDOWN before dropping privileges. if (init_getevent() != 0) { ALOGE("debuggerd: failed to initialize input device, not waiting for gdb"); attach_gdb = false; } } std::set<pid_t> siblings; if (!attach_gdb) { ptrace_siblings(request.pid, request.tid, siblings); } // Generate the backtrace map before dropping privileges. std::unique_ptr<BacktraceMap> backtrace_map(BacktraceMap::Create(request.pid)); bool succeeded = false; // Now that we've done everything that requires privileges, we can drop them. if (!drop_privileges()) { ALOGE("debuggerd: failed to drop privileges, exiting"); _exit(1); } int crash_signal = SIGKILL; succeeded = perform_dump(request, fd, tombstone_fd, backtrace_map.get(), siblings, &crash_signal); if (succeeded) { if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { if (!tombstone_path.empty()) { write(fd, tombstone_path.c_str(), tombstone_path.length()); } } } if (attach_gdb) { // Tell the signal process to send SIGSTOP to the target. if (!send_signal(request.pid, 0, SIGSTOP)) { ALOGE("debuggerd: failed to stop process for gdb attach: %s", strerror(errno)); attach_gdb = false; } } if (ptrace(PTRACE_DETACH, request.tid, 0, 0) != 0) { ALOGE("debuggerd: ptrace detach from %d failed: %s", request.tid, strerror(errno)); } for (pid_t sibling : siblings) { ptrace(PTRACE_DETACH, sibling, 0, 0); } // Send the signal back to the process if it crashed and we're not waiting for gdb. if (!attach_gdb && request.action == DEBUGGER_ACTION_CRASH) { if (!send_signal(request.pid, request.tid, crash_signal)) { ALOGE("debuggerd: failed to kill process %d: %s", request.pid, strerror(errno)); } } // Wait for gdb, if requested. if (attach_gdb && succeeded) { wait_for_user_action(request); // Tell the signal process to send SIGCONT to the target. if (!send_signal(request.pid, 0, SIGCONT)) { ALOGE("debuggerd: failed to resume process %d: %s", request.pid, strerror(errno)); } uninit_getevent(); } exit(!succeeded); }
void perform_debug(scp_operand op) { print_debugging_info(op); wait_for_user_action(); }
static void handle_crashing_process(int fd) { char buf[64]; struct stat s; unsigned tid; struct ucred cr; int n, len, status; int tid_attach_status = -1; unsigned retry = 30; bool need_cleanup = false; char value[PROPERTY_VALUE_MAX]; property_get("debug.db.uid", value, "-1"); int debug_uid = atoi(value); XLOG("handle_crashing_process(%d)\n", fd); len = sizeof(cr); n = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len); if(n != 0) { LOG("cannot get credentials\n"); goto done; } XLOG("reading tid\n"); fcntl(fd, F_SETFL, O_NONBLOCK); while((n = read(fd, &tid, sizeof(unsigned))) != sizeof(unsigned)) { if(errno == EINTR) continue; if(errno == EWOULDBLOCK) { if(retry-- > 0) { usleep(100 * 1000); continue; } LOG("timed out reading tid\n"); goto done; } LOG("read failure? %s\n", strerror(errno)); goto done; } sprintf(buf,"/proc/%d/task/%d", cr.pid, tid); if(stat(buf, &s)) { LOG("tid %d does not exist in pid %d. ignorning debug request\n", tid, cr.pid); close(fd); return; } XLOG("BOOM: pid=%d uid=%d gid=%d tid=%d\n", cr.pid, cr.uid, cr.gid, tid); tid_attach_status = ptrace(PTRACE_ATTACH, tid, 0, 0); if(tid_attach_status < 0) { LOG("ptrace attach failed: %s\n", strerror(errno)); goto done; } close(fd); fd = -1; for(;;) { n = waitpid(tid, &status, __WALL); if(n < 0) { if(errno == EAGAIN) continue; LOG("waitpid failed: %s\n", strerror(errno)); goto done; } XLOG("waitpid: n=%d status=%08x\n", n, status); if(WIFSTOPPED(status)){ n = WSTOPSIG(status); switch(n) { case SIGSTOP: XLOG("stopped -- continuing\n"); n = ptrace(PTRACE_CONT, tid, 0, 0); if(n) { LOG("ptrace failed: %s\n", strerror(errno)); goto done; } continue; case SIGILL: case SIGABRT: case SIGBUS: case SIGFPE: case SIGSEGV: case SIGSTKFLT: { XLOG("stopped -- fatal signal\n"); need_cleanup = engrave_tombstone(cr.pid, tid, debug_uid, n); kill(tid, SIGSTOP); goto done; } default: XLOG("stopped -- unexpected signal\n"); goto done; } } else { XLOG("unexpected waitpid response\n"); goto done; } } done: XLOG("detaching\n"); /* stop the process so we can debug */ kill(cr.pid, SIGSTOP); /* * If a thread has been attached by ptrace, make sure it is detached * successfully otherwise we will get a zombie. */ if (tid_attach_status == 0) { int detach_status; /* detach so we can attach gdbserver */ detach_status = ptrace(PTRACE_DETACH, tid, 0, 0); need_cleanup |= (detach_status != 0); } /* * if debug.db.uid is set, its value indicates if we should wait * for user action for the crashing process. * in this case, we log a message and turn the debug LED on * waiting for a gdb connection (for instance) */ if ((signed)cr.uid <= debug_uid) { wait_for_user_action(tid, &cr); } /* resume stopped process (so it can crash in peace) */ kill(cr.pid, SIGCONT); if (need_cleanup) { LOG("debuggerd committing suicide to free the zombie!\n"); kill(getpid(), SIGKILL); } if(fd != -1) close(fd); }
static void handle_request(int fd) { ALOGV("handle_request(%d)\n", fd); ScopedFd closer(fd); debugger_request_t request; memset(&request, 0, sizeof(request)); int status = read_request(fd, &request); if (status != 0) { return; } ALOGV("BOOM: pid=%d uid=%d gid=%d tid=%d\n", request.pid, request.uid, request.gid, request.tid); #if defined(__LP64__) // On 64 bit systems, requests to dump 32 bit and 64 bit tids come // to the 64 bit debuggerd. If the process is a 32 bit executable, // redirect the request to the 32 bit debuggerd. if (is32bit(request.tid)) { // Only dump backtrace and dump tombstone requests can be redirected. if (request.action == DEBUGGER_ACTION_DUMP_BACKTRACE || request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { redirect_to_32(fd, &request); } else { ALOGE("debuggerd: Not allowed to redirect action %d to 32 bit debuggerd\n", request.action); } return; } #endif // Fork a child to handle the rest of the request. pid_t fork_pid = fork(); if (fork_pid == -1) { ALOGE("debuggerd: failed to fork: %s\n", strerror(errno)); return; } else if (fork_pid != 0) { waitpid(fork_pid, nullptr, 0); return; } // Open the tombstone file if we need it. std::string tombstone_path; int tombstone_fd = -1; switch (request.action) { case DEBUGGER_ACTION_DUMP_TOMBSTONE: case DEBUGGER_ACTION_CRASH: tombstone_fd = open_tombstone(&tombstone_path); if (tombstone_fd == -1) { ALOGE("debuggerd: failed to open tombstone file: %s\n", strerror(errno)); exit(1); } break; case DEBUGGER_ACTION_DUMP_BACKTRACE: break; default: ALOGE("debuggerd: unexpected request action: %d", request.action); exit(1); } // At this point, the thread that made the request is blocked in // a read() call. If the thread has crashed, then this gives us // time to PTRACE_ATTACH to it before it has a chance to really fault. // // The PTRACE_ATTACH sends a SIGSTOP to the target process, but it // won't necessarily have stopped by the time ptrace() returns. (We // currently assume it does.) We write to the file descriptor to // ensure that it can run as soon as we call PTRACE_CONT below. // See details in bionic/libc/linker/debugger.c, in function // debugger_signal_handler(). // Attach to the target process. if (ptrace(PTRACE_ATTACH, request.tid, 0, 0) != 0) { ALOGE("debuggerd: ptrace attach failed: %s", strerror(errno)); exit(1); } // Don't attach to the sibling threads if we want to attach gdb. // Supposedly, it makes the process less reliable. bool attach_gdb = should_attach_gdb(&request); int signal_in_fd = -1; int signal_out_fd = -1; pid_t signal_pid = 0; if (attach_gdb) { // Open all of the input devices we need to listen for VOLUMEDOWN before dropping privileges. if (init_getevent() != 0) { ALOGE("debuggerd: failed to initialize input device, not waiting for gdb"); attach_gdb = false; } // Fork a process that stays root, and listens on a pipe to pause and resume the target. if (!fork_signal_sender(&signal_in_fd, &signal_out_fd, &signal_pid, request.pid)) { attach_gdb = false; } } auto notify_signal_sender = [=]() { char buf[1]; if (TEMP_FAILURE_RETRY(write(signal_in_fd, "", 1)) != 1) { ALOGE("debuggerd: failed to notify signal process: %s", strerror(errno)); } else if (TEMP_FAILURE_RETRY(read(signal_out_fd, buf, 1)) != 1) { ALOGE("debuggerd: failed to read response from signal process: %s", strerror(errno)); } }; std::set<pid_t> siblings; if (!attach_gdb) { ptrace_siblings(request.pid, request.tid, siblings); } // Generate the backtrace map before dropping privileges. std::unique_ptr<BacktraceMap> backtrace_map(BacktraceMap::Create(request.pid)); bool succeeded = false; // Now that we've done everything that requires privileges, we can drop them. if (drop_privileges()) { succeeded = perform_dump(request, fd, tombstone_fd, backtrace_map.get(), siblings); if (succeeded) { if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) { if (!tombstone_path.empty()) { write(fd, tombstone_path.c_str(), tombstone_path.length()); } } } if (attach_gdb) { // Tell the signal process to send SIGSTOP to the target. notify_signal_sender(); } } if (ptrace(PTRACE_DETACH, request.tid, 0, 0) != 0) { ALOGE("debuggerd: ptrace detach from %d failed: %s", request.tid, strerror(errno)); } for (pid_t sibling : siblings) { ptrace(PTRACE_DETACH, sibling, 0, 0); } // Wait for gdb, if requested. if (attach_gdb && succeeded) { wait_for_user_action(request); // Tell the signal process to send SIGCONT to the target. notify_signal_sender(); uninit_getevent(); waitpid(signal_pid, nullptr, 0); } exit(!succeeded); }