1 /*
2  * Copyright (C) 2008 The Android Open Source Project
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *  * Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *  * Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in
12  *    the documentation and/or other materials provided with the
13  *    distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19  * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include "debuggerd/handler.h"
30 
31 #include <errno.h>
32 #include <fcntl.h>
33 #include <inttypes.h>
34 #include <linux/futex.h>
35 #include <pthread.h>
36 #include <sched.h>
37 #include <signal.h>
38 #include <stddef.h>
39 #include <stdio.h>
40 #include <stdlib.h>
41 #include <string.h>
42 #include <sys/capability.h>
43 #include <sys/mman.h>
44 #include <sys/prctl.h>
45 #include <sys/socket.h>
46 #include <sys/syscall.h>
47 #include <sys/uio.h>
48 #include <sys/un.h>
49 #include <sys/wait.h>
50 #include <unistd.h>
51 
52 #include <android-base/macros.h>
53 #include <android-base/unique_fd.h>
54 #include <async_safe/log.h>
55 #include <bionic/reserved_signals.h>
56 #include <cutils/properties.h>
57 
58 #include <libdebuggerd/utility.h>
59 
60 #include "dump_type.h"
61 #include "protocol.h"
62 
63 #include "handler/fallback.h"
64 
65 using android::base::Pipe;
66 
// Closer for unique_fd_impl used by the dispatch pseudothread. That "thread" has its
// own fd table (it is cloned without CLONE_FILES), so descriptors are released with
// a raw close syscall rather than libc's close(), which would run bionic's file
// descriptor ownership (fdsan) checks against the parent's view of those fds.
struct FdsanBypassCloser {
  static void Close(int fd) {
    // The result is intentionally ignored: there is nothing to do on failure here.
    (void)::syscall(__NR_close, fd);
  }
};
74 
75 using unique_fd = android::base::unique_fd_impl<FdsanBypassCloser>;
76 
77 // see man(2) prctl, specifically the section about PR_GET_NAME
78 #define MAX_TASK_NAME_LEN (16)
79 
80 #if defined(__LP64__)
81 #define CRASH_DUMP_NAME "crash_dump64"
82 #else
83 #define CRASH_DUMP_NAME "crash_dump32"
84 #endif
85 
86 #define CRASH_DUMP_PATH "/system/bin/" CRASH_DUMP_NAME
87 
88 // Wrappers that directly invoke the respective syscalls, in case the cached values are invalid.
89 #pragma GCC poison getpid gettid
// Raw getpid(2): bypasses libc so the answer is correct even when the cached
// pid value is invalid (the file poisons the libc wrappers for that reason).
static pid_t __getpid() {
  const long raw = syscall(__NR_getpid);
  return static_cast<pid_t>(raw);
}
93 
// Raw gettid(2): same rationale as __getpid(), the cached libc value may be stale.
static pid_t __gettid() {
  const long raw = syscall(__NR_gettid);
  return static_cast<pid_t>(raw);
}
97 
// FUTEX_WAIT on `ftx`: blocks while the word still holds `value` (the kernel
// returns immediately if it already differs). The syscall result is ignored.
static inline void futex_wait(volatile void* ftx, int value) {
  const int op = FUTEX_WAIT;
  (void)syscall(__NR_futex, ftx, op, value, nullptr, nullptr, 0);
}
101 
// Scope guard that captures errno on construction and writes it back on
// destruction, so a signal handler leaves the interrupted code's errno intact.
class ErrnoRestorer {
 public:
  ErrnoRestorer() = default;
  ~ErrnoRestorer() { errno = saved_errno_; }

 private:
  // Snapshot taken when the guard is constructed.
  int saved_errno_ = errno;
};
114 
// Declared here rather than via a public header. The returned address is forwarded to
// crash_dump as the fdsan_table field of debugger_thread_info.
extern "C" void* android_fdsan_get_fd_table();
// In-process dumper used instead of exec'ing crash_dump when the handler decides it
// cannot (fallback request via sigqueue, or PR_GET_NO_NEW_PRIVS == 1).
extern "C" void debuggerd_fallback_handler(siginfo_t*, ucontext_t*, void*);

// Callbacks copied in by debuggerd_init(); consulted on real crashes for the abort
// message and GWP-ASan state/metadata. Any member may be null.
static debuggerd_callbacks_t g_callbacks;

// Mutex to ensure only one crashing thread dumps itself.
// Also serialises use of the single pseudothread_stack allocation below.
static pthread_mutex_t crash_mutex = PTHREAD_MUTEX_INITIALIZER;
122 
// Logs a fatal message and terminates the process with _exit(1).
// async_safe_fatal is deliberately not used: it exits via abort(), and an abort
// raised from inside a signal handler might land us back in a signal handler.
static void __noreturn __printflike(1, 2) fatal(const char* fmt, ...) {
  va_list ap;
  va_start(ap, fmt);
  async_safe_format_log_va_list(ANDROID_LOG_FATAL, "libc", fmt, ap);
  _exit(1);
}
131 
// Like fatal(), but appends ": <strerror(errno)>" to the formatted message.
// errno is captured before anything else runs so the reported value is the
// caller's, not one left behind by the formatting helpers.
static void __noreturn __printflike(1, 2) fatal_errno(const char* fmt, ...) {
  const int saved_errno = errno;

  char message[256];
  va_list ap;
  va_start(ap, fmt);
  async_safe_format_buffer_va_list(message, sizeof(message), fmt, ap);
  fatal("%s: %s", message, strerror(saved_errno));
}
141 
// Reads /proc/self/comm (the main thread's name) into `buf`, at most `len` bytes,
// replacing the trailing newline with a NUL. Returns false if the file cannot be
// opened or yields no data; `buf` is unspecified in that case.
static bool get_main_thread_name(char* buf, size_t len) {
  unique_fd comm_fd(open("/proc/self/comm", O_RDONLY | O_CLOEXEC));
  if (comm_fd == -1) {
    return false;
  }

  // A failed read and an empty read are both treated as "no name available".
  const ssize_t bytes_read = read(comm_fd, buf, len);
  if (bytes_read <= 0) {
    return false;
  }

  // The kernel terminates the name with a newline; turn that into the terminator.
  buf[bytes_read - 1] = '\0';
  return true;
}
160 
/*
 * Writes a one-line summary of the signal to the log, so that some record of
 * the failure survives even if crash_dump can't be reached afterwards.
 *
 * This runs in the crashing thread's signal context, possibly with a corrupted
 * native heap or while a lock is held, so it sticks to async-safe helpers and
 * fixed-size stack buffers: nothing here allocates or takes a lock.
 */
static void log_signal_summary(const siginfo_t* info) {
  // prctl NUL-terminates short names, but the man page implies that a full
  // 16-byte name is not terminated, hence the extra byte and explicit NUL.
  char thread_name[MAX_TASK_NAME_LEN + 1];
  if (prctl(PR_GET_NAME, reinterpret_cast<unsigned long>(thread_name), 0, 0, 0) == 0) {
    thread_name[MAX_TASK_NAME_LEN] = 0;
  } else {
    strcpy(thread_name, "<name unknown>");
  }

  // An explicit dump request is informational rather than fatal.
  if (info->si_signo == BIONIC_SIGNAL_DEBUGGER) {
    async_safe_format_log(ANDROID_LOG_INFO, "libc", "Requested dump for tid %d (%s)", __gettid(),
                          thread_name);
    return;
  }

  // Optional ", fault addr 0x1234" suffix; many signals carry no address.
  char addr_desc[32] = "";
  if (signal_has_si_addr(info)) {
    async_safe_format_buffer(addr_desc, sizeof(addr_desc), ", fault addr %p", info->si_addr);
  }

  // Optional " from pid 1234, uid 666" suffix; many signals have no sender.
  const pid_t self_pid = __getpid();
  char sender_desc[32] = {};
  if (signal_has_sender(info, self_pid)) {
    get_signal_sender(sender_desc, sizeof(sender_desc), info);
  }

  char process_name[MAX_TASK_NAME_LEN + 1];
  if (!get_main_thread_name(process_name, sizeof(process_name))) {
    strncpy(process_name, "<unknown>", sizeof(process_name));
  }

  async_safe_format_log(ANDROID_LOG_FATAL, "libc",
                        "Fatal signal %d (%s), code %d (%s%s)%s in tid %d (%s), pid %d (%s)",
                        info->si_signo, get_signame(info), info->si_code, get_sigcode(info),
                        sender_desc, addr_desc, __gettid(), thread_name, self_pid, process_name);
}
207 
/*
 * Returns true if the handler currently installed for `signum` was registered
 * with SA_SIGINFO, i.e. the siginfo_t* handed to the handler is meaningful.
 * A failed sigaction() query is logged and reported as false.
 */
static bool have_siginfo(int signum) {
  struct sigaction current = {};
  if (sigaction(signum, nullptr, &current) < 0) {
    async_safe_format_log(ANDROID_LOG_WARN, "libc", "Failed testing for SA_SIGINFO: %s",
                          strerror(errno));
    return false;
  }
  return (current.sa_flags & SA_SIGINFO) == SA_SIGINFO;
}
220 
// Runs in the forked child just before exec'ing crash_dump. Copies our permitted
// capabilities into the inheritable set and then raises each one as ambient, so
// crash_dump keeps everything we hold (it needs that to ptrace us). Only a failed
// capget() is fatal; the other failures are logged and the remaining bits are tried.
static void raise_caps() {
  __user_cap_header_struct header = {};
  header.version = _LINUX_CAPABILITY_VERSION_3;
  header.pid = 0;  // 0 == the calling thread

  __user_cap_data_struct data[2];
  if (capget(&header, &data[0]) == -1) {
    fatal_errno("capget failed");
  }

  // Raise CapInh to match CapPrm, so that we can set the ambient bits.
  const bool inheritable_matches_permitted =
      data[0].permitted == data[0].inheritable && data[1].permitted == data[1].inheritable;
  if (!inheritable_matches_permitted) {
    data[0].inheritable = data[0].permitted;
    data[1].inheritable = data[1].permitted;

    if (capset(&header, &data[0]) == -1) {
      async_safe_format_log(ANDROID_LOG_ERROR, "libc", "capset failed: %s", strerror(errno));
    }
  }

  // Set the ambient capability bits so that crash_dump gets all of our caps and can ptrace us.
  const uint64_t inheritable = static_cast<uint64_t>(data[0].inheritable) |
                               (static_cast<uint64_t>(data[1].inheritable) << 32);
  for (unsigned long bit = 0; bit < 64; ++bit) {
    if (((inheritable >> bit) & 1) == 0) {
      continue;
    }
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, bit, 0, 0) != 0) {
      async_safe_format_log(ANDROID_LOG_ERROR, "libc",
                            "failed to raise ambient capability %lu: %s", bit, strerror(errno));
    }
  }
}
255 
// fork(2) without libc's pthread_atfork machinery: bionic's clone() with a null
// entry point behaves like a plain fork, returning 0 in the child and the child's
// pid (or -1) in the parent. No exit signal is requested for the child.
static pid_t __fork() {
  const int flags = 0;
  return clone(nullptr, nullptr, flags, nullptr);
}
259 
// Double-clone, with CLONE_FILES to share the file descriptor table for kcmp validation.
// Nothing is returned: the intermediate child and the orphan both _exit() below, and the
// original process only continues once the intermediate has been reaped. Every failure
// on the way is fatal.
static void create_vm_process() {
  pid_t first = clone(nullptr, nullptr, CLONE_FILES, nullptr);
  if (first == -1) {
    fatal_errno("failed to clone vm process");
  } else if (first == 0) {
    // Intermediate child: drop_capabilities() (libdebuggerd) before spawning the orphan.
    drop_capabilities();

    // The intermediate reports a failed second clone to the parent via its exit status.
    if (clone(nullptr, nullptr, CLONE_FILES, nullptr) == -1) {
      _exit(errno);
    }

    // crash_dump is ptracing both sides of the fork; it'll let the parent exit,
    // but keep the orphan stopped to peek at its memory.

    // There appears to be a bug in the kernel where our death causes SIGHUP to
    // be sent to our process group if we exit while it has stopped jobs (e.g.
    // because of wait_for_gdb). Use setsid to create a new process group to
    // avoid hitting this.
    setsid();

    // Both the intermediate and the orphan reach this point; see the note above.
    _exit(0);
  }

  // Original process: reap the intermediate. __WCLONE is needed because the clone above
  // did not request SIGCHLD as the child's exit signal.
  int status;
  if (TEMP_FAILURE_RETRY(waitpid(first, &status, __WCLONE)) != first) {
    fatal_errno("failed to waitpid in double fork");
  } else if (!WIFEXITED(status)) {
    fatal("intermediate process didn't exit cleanly in double fork (status = %d)", status);
  } else if (WEXITSTATUS(status)) {
    // The intermediate's exit status is the errno of its failed clone (see above).
    fatal("second clone failed: %s", strerror(WEXITSTATUS(status)));
  }
}
294 
// Everything the dispatch pseudothread needs, passed by address from
// debuggerd_signal_handler(). The handler blocks until the pseudothread has exited,
// which is what allows this to live on the handler's stack frame.
struct debugger_thread_info {
  pid_t crashing_tid;         // tid of the thread that took the signal
  pid_t pseudothread_tid;     // set by the kernel (CLONE_CHILD_SETTID); also the futex word the handler waits on
  siginfo_t* siginfo;         // the (possibly synthesised) siginfo being dumped
  void* ucontext;             // register state at the time of the signal
  uintptr_t abort_msg;        // these four are sent to crash_dump as raw addresses via writev()
  uintptr_t fdsan_table;
  uintptr_t gwp_asan_state;
  uintptr_t gwp_asan_metadata;
};

// Logging and contacting debuggerd requires free file descriptors, which we might not have.
// Work around this by spawning a "thread" that shares its parent's address space, but not its file
// descriptor table, so that we can close random file descriptors without affecting the original
// process. Note that this doesn't go through pthread_create, so TLS is shared with the spawning
// process.
// There is exactly one such stack, allocated by debuggerd_init(); crash_mutex guarantees that
// only one handler invocation uses it at a time.
static void* pseudothread_stack;
312 
// Decides what crash_dump should produce. An explicit BIONIC_SIGNAL_DEBUGGER
// request whose sigval int is non-zero asks for a native backtrace only; every
// other case, including real crashes, gets a full tombstone.
static DebuggerdDumpType get_dump_type(const debugger_thread_info* thread_info) {
  const siginfo_t* si = thread_info->siginfo;
  const bool backtrace_only =
      si->si_signo == BIONIC_SIGNAL_DEBUGGER && si->si_value.sival_int != 0;
  return backtrace_only ? kDebuggerdNativeBacktrace : kDebuggerdTombstone;
}
321 
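// Entry point of the dispatch pseudothread (see pseudothread_stack above).
//
// Runs on a private copy of the fd table, so it may close every descriptor, park
// /dev/null on fds 0-2, and spawn crash_dump with a dedicated pipe pair: output_*
// carries the crash record to crash_dump's stdin, input_* carries crash_dump's
// status bytes back from its stdout. `arg` points at the debugger_thread_info built
// by debuggerd_signal_handler(), which blocks until this pseudothread exits, so the
// pointer stays valid throughout.
//
// Returns 0 once crash_dump has run (and, for real crashes, has finished), or 1
// after a logged failure; setup failures terminate the process via fatal().
static int debuggerd_dispatch_pseudothread(void* arg) {
  debugger_thread_info* thread_info = static_cast<debugger_thread_info*>(arg);

  // Empty the (private) fd table so that the open() below lands on fd 0.
  for (int i = 0; i < 1024; ++i) {
    // Don't use close to avoid bionic's file descriptor ownership checks.
    syscall(__NR_close, i);
  }

  int devnull = TEMP_FAILURE_RETRY(open("/dev/null", O_RDWR));
  if (devnull == -1) {
    fatal_errno("failed to open /dev/null");
  } else if (devnull != 0) {
    fatal_errno("expected /dev/null fd to be 0, actually %d", devnull);
  }

  // devnull will be 0.
  TEMP_FAILURE_RETRY(dup2(devnull, 1));
  TEMP_FAILURE_RETRY(dup2(devnull, 2));

  unique_fd input_read, input_write;
  unique_fd output_read, output_write;
  // Pipe() returns false on failure (the previous `!Pipe(...) != 0` spelling was
  // equivalent but misleading).
  if (!Pipe(&input_read, &input_write) || !Pipe(&output_read, &output_write)) {
    fatal_errno("failed to create pipe");
  }

  // ucontext_t is absurdly large on AArch64, so piece it together manually with writev.
  uint32_t version = 3;
  constexpr size_t expected = sizeof(CrashInfoHeader) + sizeof(CrashInfoDataV3);

  // Make sure the pipe can hold the whole record before the single writev() below.
  // errno is cleared first so that, should fcntl() return a smaller size without
  // setting errno, fatal_errno() does not report a stale value.
  errno = 0;
  if (fcntl(output_write.get(), F_SETPIPE_SZ, expected) < static_cast<int>(expected)) {
    fatal_errno("failed to set pipe buffer size");
  }

  // Wire layout consumed by crash_dump; `expected` must equal the total written here.
  struct iovec iovs[] = {
      {.iov_base = &version, .iov_len = sizeof(version)},
      {.iov_base = thread_info->siginfo, .iov_len = sizeof(siginfo_t)},
      {.iov_base = thread_info->ucontext, .iov_len = sizeof(ucontext_t)},
      {.iov_base = &thread_info->abort_msg, .iov_len = sizeof(uintptr_t)},
      {.iov_base = &thread_info->fdsan_table, .iov_len = sizeof(uintptr_t)},
      {.iov_base = &thread_info->gwp_asan_state, .iov_len = sizeof(uintptr_t)},
      {.iov_base = &thread_info->gwp_asan_metadata, .iov_len = sizeof(uintptr_t)},
  };

  ssize_t rc = TEMP_FAILURE_RETRY(writev(output_write.get(), iovs, arraysize(iovs)));
  if (rc == -1) {
    fatal_errno("failed to write crash info");
  } else if (static_cast<size_t>(rc) != expected) {
    // rc is non-negative on this path, so the cast above is safe; %zu matches size_t.
    fatal("failed to write crash info, wrote %zd bytes, expected %zu", rc, expected);
  }

  // Don't use fork(2) to avoid calling pthread_atfork handlers.
  pid_t crash_dump_pid = __fork();
  if (crash_dump_pid == -1) {
    // Not fatal on the spot: with no child, the read below sees EOF on input_read
    // (we close our copy of the write end first) and returns 1 after logging.
    async_safe_format_log(ANDROID_LOG_FATAL, "libc",
                          "failed to fork in debuggerd signal handler: %s", strerror(errno));
  } else if (crash_dump_pid == 0) {
    // Child: crash_dump reads the record on stdin and reports status on stdout.
    TEMP_FAILURE_RETRY(dup2(input_write.get(), STDOUT_FILENO));
    TEMP_FAILURE_RETRY(dup2(output_read.get(), STDIN_FILENO));
    input_read.reset();
    input_write.reset();
    output_read.reset();
    output_write.reset();

    // crash_dump needs our capabilities (as ambient caps) to be allowed to ptrace us.
    raise_caps();

    char main_tid[10];
    char pseudothread_tid[10];
    char debuggerd_dump_type[10];
    async_safe_format_buffer(main_tid, sizeof(main_tid), "%d", thread_info->crashing_tid);
    async_safe_format_buffer(pseudothread_tid, sizeof(pseudothread_tid), "%d",
                             thread_info->pseudothread_tid);
    async_safe_format_buffer(debuggerd_dump_type, sizeof(debuggerd_dump_type), "%d",
                             get_dump_type(thread_info));

    // Absolute path and a null (empty) environment: nothing inherited from the
    // crashing process decides which binary runs or how it is configured.
    execle(CRASH_DUMP_PATH, CRASH_DUMP_NAME, main_tid, pseudothread_tid, debuggerd_dump_type,
           nullptr, nullptr);
    async_safe_format_log(ANDROID_LOG_FATAL, "libc", "failed to exec crash_dump helper: %s",
                          strerror(errno));
    return 1;
  }

  // Parent: release the pipe ends that now belong to the child.
  input_write.reset();
  output_read.reset();

  // crash_dump will ptrace and pause all of our threads, and then write to the pipe to tell
  // us to fork off a process to read memory from.
  char buf[4];
  rc = TEMP_FAILURE_RETRY(read(input_read.get(), buf, sizeof(buf)));
  if (rc == -1) {
    async_safe_format_log(ANDROID_LOG_FATAL, "libc", "read of IPC pipe failed: %s", strerror(errno));
    return 1;
  } else if (rc == 0) {
    async_safe_format_log(ANDROID_LOG_FATAL, "libc", "crash_dump helper failed to exec");
    return 1;
  } else if (rc != 1) {
    async_safe_format_log(ANDROID_LOG_FATAL, "libc",
                          "read of IPC pipe returned unexpected value: %zd", rc);
    return 1;
  } else if (buf[0] != '\1') {
    async_safe_format_log(ANDROID_LOG_FATAL, "libc", "crash_dump helper reported failure");
    return 1;
  }

  // crash_dump is ptracing us, fork off a copy of our address space for it to use.
  create_vm_process();

  // Don't leave a zombie child.
  // NOTE(review): create_vm_process() reaps its clone child with __WCLONE, whereas this
  // wait passes 0 for a child that was likewise cloned without an exit signal; confirm
  // that crash_dump's exit signal is SIGCHLD by the time it exits, otherwise this logs
  // ECHILD and the helper is never reaped.
  int status;
  if (TEMP_FAILURE_RETRY(waitpid(crash_dump_pid, &status, 0)) == -1) {
    async_safe_format_log(ANDROID_LOG_FATAL, "libc", "failed to wait for crash_dump helper: %s",
                          strerror(errno));
  } else if (WIFSTOPPED(status) || WIFSIGNALED(status)) {
    async_safe_format_log(ANDROID_LOG_FATAL, "libc", "crash_dump helper crashed or stopped");
  }

  if (thread_info->siginfo->si_signo != BIONIC_SIGNAL_DEBUGGER) {
    // For crashes, we don't need to minimize pause latency.
    // Wait for the dump to complete before having the process exit, to avoid being murdered by
    // ActivityManager or init.
    TEMP_FAILURE_RETRY(read(input_read.get(), buf, sizeof(buf)));
  }

  return 0;
}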
447 
// Re-queues a fatal signal to the crashing thread with its original siginfo.
// crash_dump sends us the signal we crashed with before resuming us, so that a
// parent using waitpid sees the real exit status (e.g. sh reports "Segmentation
// fault" instead of "Killed"). For this to work our handler for that signal must
// be deregistered first. Explicit dump requests (BIONIC_SIGNAL_DEBUGGER) are not
// fatal and are left untouched.
static void resend_signal(siginfo_t* info) {
  if (info->si_signo == BIONIC_SIGNAL_DEBUGGER) {
    return;
  }

  signal(info->si_signo, SIG_DFL);
  // rt_tgsigqueueinfo targets our own tid and carries the original siginfo verbatim.
  const long rc = syscall(SYS_rt_tgsigqueueinfo, __getpid(), __gettid(), info->si_signo, info);
  if (rc != 0) {
    fatal_errno("failed to resend signal during crash");
  }
}
463 
// Handler that does crash dumping by forking and doing the processing in the child.
// Do this by ptracing the relevant thread, and then execing debuggerd to do the actual dump.
//
// Installed by debuggerd_init() with SA_SIGINFO | SA_ONSTACK | SA_RESTART and every signal
// masked while it runs. The work itself happens on the dispatch pseudothread; this frame
// prepares the debugger_thread_info, widens ptrace-ability just long enough for the dump,
// waits for the pseudothread, and then restores the previous settings. For fatal signals
// it ends by re-queuing the signal with the default disposition in place.
static void debuggerd_signal_handler(int signal_number, siginfo_t* info, void* context) {
  // Make sure we don't change the value of errno, in case a signal comes in between the process
  // making a syscall and checking errno.
  ErrnoRestorer restorer;

  // It's possible somebody cleared the SA_SIGINFO flag, which would mean
  // our "info" arg holds an undefined value.
  if (!have_siginfo(signal_number)) {
    info = nullptr;
  }

  // Substitute siginfo when the real one can't be trusted: reported as SI_USER from
  // ourselves. (The memset is redundant after the value-initialisation but harmless.)
  struct siginfo dummy_info = {};
  if (!info) {
    memset(&dummy_info, 0, sizeof(dummy_info));
    dummy_info.si_signo = signal_number;
    dummy_info.si_code = SI_USER;
    dummy_info.si_pid = __getpid();
    dummy_info.si_uid = getuid();
    info = &dummy_info;
  } else if (info->si_code >= 0 || info->si_code == SI_TKILL) {
    // Intentionally empty: this records why no si_code fix-up is needed before
    // resend_signal() passes the siginfo back to rt_tgsigqueueinfo.
    // rt_tgsigqueueinfo(2)'s documentation appears to be incorrect on kernels
    // that contain commit 66dd34a (3.9+). The manpage claims to only allow
    // negative si_code values that are not SI_TKILL, but 66dd34a changed the
    // check to allow all si_code values in calls coming from inside the house.
  }

  void* abort_message = nullptr;
  const gwp_asan::AllocatorState* gwp_asan_state = nullptr;
  const gwp_asan::AllocationMetadata* gwp_asan_metadata = nullptr;
  // The sigqueue payload. For explicit requests it is either the fallback-dump marker
  // or an abort-message pointer with the dump type in its bottom bit.
  // NOTE(review): for non-debugger signals si_ptr aliases other siginfo union members,
  // so the comparison against the fallback marker below relies on those never matching.
  uintptr_t si_val = reinterpret_cast<uintptr_t>(info->si_ptr);
  if (signal_number == BIONIC_SIGNAL_DEBUGGER) {
    // Only decode the payload when we queued it ourselves (SI_QUEUE from our own pid).
    if (info->si_code == SI_QUEUE && info->si_pid == __getpid()) {
      // Allow for the abort message to be explicitly specified via the sigqueue value.
      // Keep the bottom bit intact for representing whether we want a backtrace or a tombstone.
      if (si_val != kDebuggerdFallbackSivalUintptrRequestDump) {
        abort_message = reinterpret_cast<void*>(si_val & ~1);
        // get_dump_type() reads this bit back as sival_int.
        info->si_ptr = reinterpret_cast<void*>(si_val & 1);
      }
    }
  } else {
    // Real crash: take the abort message and GWP-ASan state from the runtime's callbacks.
    if (g_callbacks.get_abort_message) {
      abort_message = g_callbacks.get_abort_message();
    }
    if (g_callbacks.get_gwp_asan_state) {
      gwp_asan_state = g_callbacks.get_gwp_asan_state();
    }
    if (g_callbacks.get_gwp_asan_metadata) {
      gwp_asan_metadata = g_callbacks.get_gwp_asan_metadata();
    }
  }

  // If sival_int is ~0, it means that the fallback handler has been called
  // once before and this function is being called again to dump the stack
  // of a specific thread. It is possible that the prctl call might return 1,
  // then return 0 in subsequent calls, so check the sival_int to determine if
  // the fallback handler should be called first.
  // (Presumably NO_NEW_PRIVS rules out exec'ing crash_dump usefully — confirm.)
  if (si_val == kDebuggerdFallbackSivalUintptrRequestDump ||
      prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1) {
    // This check might be racy if another thread sets NO_NEW_PRIVS, but this should be unlikely,
    // you can only set NO_NEW_PRIVS to 1, and the effect should be at worst a single missing
    // ANR trace.
    debuggerd_fallback_handler(info, static_cast<ucontext_t*>(context), abort_message);
    resend_signal(info);
    return;
  }

  // Only allow one thread to handle a signal at a time.
  // This also serialises use of the single pseudothread_stack allocation.
  int ret = pthread_mutex_lock(&crash_mutex);
  if (ret != 0) {
    async_safe_format_log(ANDROID_LOG_INFO, "libc", "pthread_mutex_lock failed: %s", strerror(ret));
    return;
  }

  log_signal_summary(info);

  // pseudothread_tid starts at -1 and is overwritten by the kernel once the clone below
  // starts; the pointer fields are handed to crash_dump as raw addresses.
  debugger_thread_info thread_info = {
      .crashing_tid = __gettid(),
      .pseudothread_tid = -1,
      .siginfo = info,
      .ucontext = context,
      .abort_msg = reinterpret_cast<uintptr_t>(abort_message),
      .fdsan_table = reinterpret_cast<uintptr_t>(android_fdsan_get_fd_table()),
      .gwp_asan_state = reinterpret_cast<uintptr_t>(gwp_asan_state),
      .gwp_asan_metadata = reinterpret_cast<uintptr_t>(gwp_asan_metadata),
  };

  // Set PR_SET_DUMPABLE to 1, so that crash_dump can ptrace us.
  // Together with PR_SET_PTRACER_ANY below this temporarily widens who may attach to
  // this process; both are restored as soon as the pseudothread has finished.
  int orig_dumpable = prctl(PR_GET_DUMPABLE);
  if (prctl(PR_SET_DUMPABLE, 1) != 0) {
    fatal_errno("failed to set dumpable");
  }

  // On kernels with yama_ptrace enabled, also allow any process to attach.
  bool restore_orig_ptracer = true;
  if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) != 0) {
    if (errno == EINVAL) {
      // This kernel does not support PR_SET_PTRACER_ANY, or Yama is not enabled.
      restore_orig_ptracer = false;
    } else {
      fatal_errno("failed to set traceable");
    }
  }

  // Essentially pthread_create without CLONE_FILES, so we still work during file descriptor
  // exhaustion.
  // CLONE_CHILD_SETTID writes the new tid into thread_info.pseudothread_tid;
  // CLONE_CHILD_CLEARTID zeroes it and wakes the futex when the pseudothread exits.
  pid_t child_pid =
    clone(debuggerd_dispatch_pseudothread, pseudothread_stack,
          CLONE_THREAD | CLONE_SIGHAND | CLONE_VM | CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID,
          &thread_info, nullptr, nullptr, &thread_info.pseudothread_tid);
  if (child_pid == -1) {
    fatal_errno("failed to spawn debuggerd dispatch thread");
  }

  // Wait for the child to start...
  futex_wait(&thread_info.pseudothread_tid, -1);

  // and then wait for it to terminate.
  futex_wait(&thread_info.pseudothread_tid, child_pid);

  // Restore PR_SET_DUMPABLE to its original value.
  if (prctl(PR_SET_DUMPABLE, orig_dumpable) != 0) {
    fatal_errno("failed to restore dumpable");
  }

  // Restore PR_SET_PTRACER to its original value.
  if (restore_orig_ptracer && prctl(PR_SET_PTRACER, 0) != 0) {
    fatal_errno("failed to restore traceable");
  }

  if (info->si_signo == BIONIC_SIGNAL_DEBUGGER) {
    // If the signal is fatal, don't unlock the mutex to prevent other crashing threads from
    // starting to dump right before our death.
    pthread_mutex_unlock(&crash_mutex);
  } else {
    // Resend the signal, so that either gdb or the parent's waitpid sees it.
    resend_signal(info);
  }
}
604 
// Installs the crash handler. `callbacks` may be null; otherwise it is copied into
// g_callbacks. Allocates the pseudothread's stack once — eight writable pages with
// a PROT_NONE guard page on either side — and registers debuggerd_signal_handler
// via debuggerd_register_handlers(). Any allocation failure is fatal.
void debuggerd_init(debuggerd_callbacks_t* callbacks) {
  if (callbacks != nullptr) {
    g_callbacks = *callbacks;
  }

  // Reserve guard + usable + guard pages as one PROT_NONE mapping, then open up the
  // middle, so that overrunning the stack in either direction faults instead of
  // silently corrupting neighbouring memory.
  constexpr size_t kStackPages = 8;
  const size_t usable_bytes = PAGE_SIZE * kStackPages;
  void* reservation = mmap(nullptr, PAGE_SIZE * (kStackPages + 2), PROT_NONE,
                           MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
  if (reservation == MAP_FAILED) {
    fatal_errno("failed to allocate debuggerd thread stack");
  }

  char* usable = static_cast<char*>(reservation) + PAGE_SIZE;
  if (mprotect(usable, usable_bytes, PROT_READ | PROT_WRITE) != 0) {
    fatal_errno("failed to mprotect debuggerd thread stack");
  }

  // The stack grows downwards: hand clone() the last byte of the usable region,
  // pulled back to a 16-byte boundary.
  char* top = usable + usable_bytes - 1;
  pseudothread_stack = top - 15;

  struct sigaction action = {};
  sigfillset(&action.sa_mask);  // block every signal while the handler runs
  action.sa_sigaction = debuggerd_signal_handler;
  // SA_ONSTACK: use the alternate signal stack if available so we can catch stack overflows.
  action.sa_flags = SA_RESTART | SA_SIGINFO | SA_ONSTACK;
  debuggerd_register_handlers(&action);
}
638