2 * Copyright 2006, The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
23 #include <sys/types.h>
27 #include <sys/ptrace.h>
33 #include <selinux/android.h>
35 #include <log/logger.h>
37 #include <cutils/sockets.h>
38 #include <cutils/properties.h>
39 #include <cutils/debugger.h>
41 #include <linux/input.h>
43 #include <private/android_filesystem_config.h>
45 #include "backtrace.h"
47 #include "tombstone.h"
50 // If the 32 bit executable is compiled on a 64 bit system,
51 // use the 32 bit socket name.
52 #if defined(TARGET_IS_64_BIT) && !defined(__LP64__)
53 #define SOCKET_NAME DEBUGGER32_SOCKET_NAME
55 #define SOCKET_NAME DEBUGGER_SOCKET_NAME
58 struct debugger_request_t {
59 debugger_action_t action;
62 uintptr_t abort_msg_address;
63 int32_t original_si_code;
66 static void wait_for_user_action(const debugger_request_t &request) {
67 // Find out the name of the process that crashed.
69 snprintf(path, sizeof(path), "/proc/%d/exe", request.pid);
73 if ((count = readlink(path, exe, sizeof(exe) - 1)) == -1) {
74 ALOGE("readlink('%s') failed: %s", path, strerror(errno));
75 strlcpy(exe, "unknown", sizeof(exe));
80 // Explain how to attach the debugger.
81 ALOGI("********************************************************\n"
82 "* Process %d has been suspended while crashing.\n"
83 "* To attach gdbserver for a gdb connection on port 5039\n"
84 "* and start gdbclient:\n"
86 "* gdbclient %s :5039 %d\n"
88 "* Wait for gdb to start, then press the VOLUME DOWN key\n"
89 "* to let the process continue crashing.\n"
90 "********************************************************",
91 request.pid, exe, request.tid);
93 // Wait for VOLUME DOWN.
94 if (init_getevent() == 0) {
97 if (get_event(&e, -1) == 0) {
98 if (e.type == EV_KEY && e.code == KEY_VOLUMEDOWN && e.value == 0) {
106 ALOGI("debuggerd resuming process %d", request.pid);
109 static int get_process_info(pid_t tid, pid_t* out_pid, uid_t* out_uid, uid_t* out_gid) {
111 snprintf(path, sizeof(path), "/proc/%d/status", tid);
113 FILE* fp = fopen(path, "r");
120 while (fgets(line, sizeof(line), fp)) {
121 size_t len = strlen(line);
122 if (len > 6 && !memcmp(line, "Tgid:\t", 6)) {
123 *out_pid = atoi(line + 6);
125 } else if (len > 5 && !memcmp(line, "Uid:\t", 5)) {
126 *out_uid = atoi(line + 5);
128 } else if (len > 5 && !memcmp(line, "Gid:\t", 5)) {
129 *out_gid = atoi(line + 5);
134 return fields == 7 ? 0 : -1;
137 static int selinux_enabled;
140 * Corresponds with debugger_action_t enum type in
141 * include/cutils/debugger.h.
143 static const char *debuggerd_perms[] = {
144 NULL, /* crash is only used on self, no check applied */
149 static bool selinux_action_allowed(int s, pid_t tid, debugger_action_t action)
151 char *scon = NULL, *tcon = NULL;
152 const char *tclass = "debuggerd";
154 bool allowed = false;
156 if (selinux_enabled <= 0)
159 if (action <= 0 || action >= (sizeof(debuggerd_perms)/sizeof(debuggerd_perms[0]))) {
160 ALOGE("SELinux: No permission defined for debugger action %d", action);
164 perm = debuggerd_perms[action];
166 if (getpeercon(s, &scon) < 0) {
167 ALOGE("Cannot get peer context from socket\n");
171 if (getpidcon(tid, &tcon) < 0) {
172 ALOGE("Cannot get context for tid %d\n", tid);
176 allowed = (selinux_check_access(scon, tcon, tclass, perm, NULL) == 0);
184 static int read_request(int fd, debugger_request_t* out_request) {
186 socklen_t len = sizeof(cr);
187 int status = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len);
189 ALOGE("cannot get credentials");
193 ALOGV("reading tid");
194 fcntl(fd, F_SETFL, O_NONBLOCK);
198 pollfds[0].events = POLLIN;
199 pollfds[0].revents = 0;
200 status = TEMP_FAILURE_RETRY(poll(pollfds, 1, 3000));
202 ALOGE("timed out reading tid (from pid=%d uid=%d)\n", cr.pid, cr.uid);
207 memset(&msg, 0, sizeof(msg));
208 status = TEMP_FAILURE_RETRY(read(fd, &msg, sizeof(msg)));
210 ALOGE("read failure? %s (pid=%d uid=%d)\n", strerror(errno), cr.pid, cr.uid);
213 if (status != sizeof(debugger_msg_t)) {
214 ALOGE("invalid crash request of size %d (from pid=%d uid=%d)\n", status, cr.pid, cr.uid);
218 out_request->action = static_cast<debugger_action_t>(msg.action);
219 out_request->tid = msg.tid;
220 out_request->pid = cr.pid;
221 out_request->uid = cr.uid;
222 out_request->gid = cr.gid;
223 out_request->abort_msg_address = msg.abort_msg_address;
224 out_request->original_si_code = msg.original_si_code;
226 if (msg.action == DEBUGGER_ACTION_CRASH) {
227 // Ensure that the tid reported by the crashing process is valid.
228 // This check needs to happen again after ptracing the requested thread to prevent a race.
229 if (!pid_contains_tid(out_request->pid, out_request->tid)) {
230 ALOGE("tid %d does not exist in pid %d. ignoring debug request\n",
231 out_request->tid, out_request->pid);
234 } else if (cr.uid == 0
235 || (cr.uid == AID_SYSTEM && msg.action == DEBUGGER_ACTION_DUMP_BACKTRACE)) {
236 // Only root or system can ask us to attach to any process and dump it explicitly.
237 // However, system is only allowed to collect backtraces but cannot dump tombstones.
238 status = get_process_info(out_request->tid, &out_request->pid,
239 &out_request->uid, &out_request->gid);
241 ALOGE("tid %d does not exist. ignoring explicit dump request\n", out_request->tid);
245 if (!selinux_action_allowed(fd, out_request->tid, out_request->action))
248 // No one else is allowed to dump arbitrary processes.
254 static bool should_attach_gdb(debugger_request_t* request) {
255 if (request->action == DEBUGGER_ACTION_CRASH) {
256 char value[PROPERTY_VALUE_MAX];
257 property_get("debug.db.uid", value, "-1");
258 int debug_uid = atoi(value);
259 return debug_uid >= 0 && request->uid <= (uid_t)debug_uid;
264 #if defined(__LP64__)
265 static bool is32bit(pid_t tid) {
267 if (asprintf(&exeline, "/proc/%d/exe", tid) == -1) {
270 int fd = TEMP_FAILURE_RETRY(open(exeline, O_RDONLY | O_CLOEXEC));
271 int saved_errno = errno;
274 ALOGW("Failed to open /proc/%d/exe %s", tid, strerror(saved_errno));
278 char ehdr[EI_NIDENT];
279 ssize_t bytes = TEMP_FAILURE_RETRY(read(fd, &ehdr, sizeof(ehdr)));
281 if (bytes != (ssize_t) sizeof(ehdr) || memcmp(ELFMAG, ehdr, SELFMAG) != 0) {
284 if (ehdr[EI_CLASS] == ELFCLASS32) {
290 static void redirect_to_32(int fd, debugger_request_t* request) {
292 memset(&msg, 0, sizeof(msg));
293 msg.tid = request->tid;
294 msg.action = request->action;
296 int sock_fd = socket_local_client(DEBUGGER32_SOCKET_NAME, ANDROID_SOCKET_NAMESPACE_ABSTRACT,
297 SOCK_STREAM | SOCK_CLOEXEC);
299 ALOGE("Failed to connect to debuggerd32: %s", strerror(errno));
303 if (TEMP_FAILURE_RETRY(write(sock_fd, &msg, sizeof(msg))) != (ssize_t) sizeof(msg)) {
304 ALOGE("Failed to write request to debuggerd32 socket: %s", strerror(errno));
310 if (TEMP_FAILURE_RETRY(read(sock_fd, &ack, 1)) == -1) {
311 ALOGE("Failed to read ack from debuggerd32 socket: %s", strerror(errno));
318 while ((bytes_read = TEMP_FAILURE_RETRY(read(sock_fd, buffer, sizeof(buffer)))) > 0) {
319 ssize_t bytes_to_send = bytes_read;
320 ssize_t bytes_written;
322 bytes_written = TEMP_FAILURE_RETRY(write(fd, buffer + bytes_read - bytes_to_send,
324 if (bytes_written == -1) {
325 if (errno == EAGAIN) {
329 ALOGE("Error while writing data to fd: %s", strerror(errno));
332 bytes_to_send -= bytes_written;
333 } while (bytes_written != 0 && bytes_to_send > 0);
334 if (bytes_to_send != 0) {
335 ALOGE("Failed to write all data to fd: read %zd, sent %zd", bytes_read, bytes_to_send);
343 static void handle_request(int fd) {
344 ALOGV("handle_request(%d)\n", fd);
346 debugger_request_t request;
347 memset(&request, 0, sizeof(request));
348 int status = read_request(fd, &request);
350 ALOGV("BOOM: pid=%d uid=%d gid=%d tid=%d\n",
351 request.pid, request.uid, request.gid, request.tid);
353 #if defined(__LP64__)
354 // On 64 bit systems, requests to dump 32 bit and 64 bit tids come
355 // to the 64 bit debuggerd. If the process is a 32 bit executable,
356 // redirect the request to the 32 bit debuggerd.
357 if (is32bit(request.tid)) {
358 // Only dump backtrace and dump tombstone requests can be redirected.
359 if (request.action == DEBUGGER_ACTION_DUMP_BACKTRACE
360 || request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) {
361 redirect_to_32(fd, &request);
363 ALOGE("debuggerd: Not allowed to redirect action %d to 32 bit debuggerd\n",
371 // At this point, the thread that made the request is blocked in
372 // a read() call. If the thread has crashed, then this gives us
373 // time to PTRACE_ATTACH to it before it has a chance to really fault.
375 // The PTRACE_ATTACH sends a SIGSTOP to the target process, but it
376 // won't necessarily have stopped by the time ptrace() returns. (We
377 // currently assume it does.) We write to the file descriptor to
378 // ensure that it can run as soon as we call PTRACE_CONT below.
379 // See details in bionic/libc/linker/debugger.c, in function
380 // debugger_signal_handler().
381 if (!ptrace_attach_thread(request.pid, request.tid)) {
382 ALOGE("ptrace attach failed: %s\n", strerror(errno));
384 // DEBUGGER_ACTION_CRASH requests can come from arbitrary processes and the tid field in
385 // the request is sent from the other side. If an attacker can cause a process to be
386 // spawned with the pid of their process, they could trick debuggerd into dumping that
387 // process by exiting after sending the request. Validate the trusted request.uid/gid
388 // to defend against this.
389 if (request.action == DEBUGGER_ACTION_CRASH) {
393 if (get_process_info(request.tid, &pid, &uid, &gid) != 0) {
394 ALOGE("debuggerd: failed to get process info for tid '%d'", request.tid);
398 if (pid != request.pid || uid != request.uid || gid != request.gid) {
400 "debuggerd: attached task %d does not match request: "
401 "expected pid=%d,uid=%d,gid=%d, actual pid=%d,uid=%d,gid=%d",
402 request.tid, request.pid, request.uid, request.gid, pid, uid, gid);
407 bool detach_failed = false;
408 bool tid_unresponsive = false;
409 bool attach_gdb = should_attach_gdb(&request);
410 if (TEMP_FAILURE_RETRY(write(fd, "\0", 1)) != 1) {
411 ALOGE("failed responding to client: %s\n", strerror(errno));
413 char* tombstone_path = NULL;
415 if (request.action == DEBUGGER_ACTION_CRASH) {
420 int total_sleep_time_usec = 0;
422 int signal = wait_for_sigstop(request.tid, &total_sleep_time_usec, &detach_failed);
424 tid_unresponsive = true;
430 if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) {
431 ALOGV("stopped -- dumping to tombstone\n");
432 tombstone_path = engrave_tombstone(request.pid, request.tid,
433 signal, request.original_si_code,
434 request.abort_msg_address, true,
435 &detach_failed, &total_sleep_time_usec);
436 } else if (request.action == DEBUGGER_ACTION_DUMP_BACKTRACE) {
437 ALOGV("stopped -- dumping to fd\n");
438 dump_backtrace(fd, -1, request.pid, request.tid, &detach_failed,
439 &total_sleep_time_usec);
441 ALOGV("stopped -- continuing\n");
442 status = ptrace(PTRACE_CONT, request.tid, 0, 0);
444 ALOGE("ptrace continue failed: %s\n", strerror(errno));
446 continue; // loop again
460 ALOGV("stopped -- fatal signal\n");
461 // Send a SIGSTOP to the process to make all of
462 // the non-signaled threads stop moving. Without
463 // this we get a lot of "ptrace detach failed:
465 kill(request.pid, SIGSTOP);
466 // don't dump sibling threads when attaching to GDB because it
467 // makes the process less reliable, apparently...
468 tombstone_path = engrave_tombstone(request.pid, request.tid,
469 signal, request.original_si_code,
470 request.abort_msg_address, !attach_gdb,
471 &detach_failed, &total_sleep_time_usec);
475 ALOGE("process stopped due to unexpected signal %d\n", signal);
481 if (request.action == DEBUGGER_ACTION_DUMP_TOMBSTONE) {
482 if (tombstone_path) {
483 write(fd, tombstone_path, strlen(tombstone_path));
488 free(tombstone_path);
491 if (!tid_unresponsive) {
494 // stop the process so we can debug
495 kill(request.pid, SIGSTOP);
497 if (ptrace(PTRACE_DETACH, request.tid, 0, 0)) {
498 ALOGE("ptrace detach from %d failed: %s", request.tid, strerror(errno));
499 detach_failed = true;
500 } else if (attach_gdb) {
501 // if debug.db.uid is set, its value indicates if we should wait
502 // for user action for the crashing process.
503 // in this case, we log a message and turn the debug LED on
504 // waiting for a gdb connection (for instance)
505 wait_for_user_action(request);
509 // resume stopped process (so it can crash in peace).
510 kill(request.pid, SIGCONT);
512 // If we didn't successfully detach, we're still the parent, and the
513 // actual parent won't receive a death notification via wait(2). At this point
514 // there's not much we can do about that.
516 ALOGE("debuggerd committing suicide to free the zombie!\n");
517 kill(getpid(), SIGKILL);
527 static int do_server() {
528 // debuggerd crashes can't be reported to debuggerd.
529 // Reset all of the crash handlers.
530 signal(SIGABRT, SIG_DFL);
531 signal(SIGBUS, SIG_DFL);
532 signal(SIGFPE, SIG_DFL);
533 signal(SIGILL, SIG_DFL);
534 signal(SIGSEGV, SIG_DFL);
536 signal(SIGSTKFLT, SIG_DFL);
538 signal(SIGTRAP, SIG_DFL);
540 // Ignore failed writes to closed sockets
541 signal(SIGPIPE, SIG_IGN);
543 int logsocket = socket_local_client("logd", ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_DGRAM);
547 fcntl(logsocket, F_SETFD, FD_CLOEXEC);
550 struct sigaction act;
551 act.sa_handler = SIG_DFL;
552 sigemptyset(&act.sa_mask);
553 sigaddset(&act.sa_mask,SIGCHLD);
554 act.sa_flags = SA_NOCLDWAIT;
555 sigaction(SIGCHLD, &act, 0);
557 int s = socket_local_server(SOCKET_NAME, ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
560 fcntl(s, F_SETFD, FD_CLOEXEC);
562 ALOGI("debuggerd: " __DATE__ " " __TIME__ "\n");
566 socklen_t alen = sizeof(addr);
568 ALOGV("waiting for connection\n");
569 int fd = accept(s, &addr, &alen);
571 ALOGV("accept failed: %s\n", strerror(errno));
575 fcntl(fd, F_SETFD, FD_CLOEXEC);
582 static int do_explicit_dump(pid_t tid, bool dump_backtrace) {
583 fprintf(stdout, "Sending request to dump task %d.\n", tid);
585 if (dump_backtrace) {
587 if (dump_backtrace_to_file(tid, fileno(stdout)) < 0) {
588 fputs("Error dumping backtrace.\n", stderr);
592 char tombstone_path[PATH_MAX];
593 if (dump_tombstone(tid, tombstone_path, sizeof(tombstone_path)) < 0) {
594 fputs("Error dumping tombstone.\n", stderr);
597 fprintf(stderr, "Tombstone written to: %s\n", tombstone_path);
602 static void usage() {
603 fputs("Usage: -b [<tid>]\n"
604 " -b dump backtrace to console, otherwise dump full tombstone file\n"
606 "If tid specified, sends a request to debuggerd to dump that task.\n"
607 "Otherwise, starts the debuggerd server.\n", stderr);
610 int main(int argc, char** argv) {
611 union selinux_callback cb;
613 selinux_enabled = is_selinux_enabled();
614 cb.func_log = selinux_log_callback;
615 selinux_set_callback(SELINUX_CB_LOG, cb);
619 bool dump_backtrace = false;
620 bool have_tid = false;
622 for (int i = 1; i < argc; i++) {
623 if (!strcmp(argv[i], "-b")) {
624 dump_backtrace = true;
625 } else if (!have_tid) {
637 return do_explicit_dump(tid, dump_backtrace);