1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <sys/ptrace.h>
18
19 #include <elf.h>
20 #include <err.h>
21 #include <fcntl.h>
22 #include <sched.h>
23 #include <sys/prctl.h>
24 #include <sys/ptrace.h>
25 #include <sys/uio.h>
26 #include <sys/user.h>
27 #include <sys/wait.h>
28 #include <unistd.h>
29
30 #include <chrono>
31 #include <thread>
32
33 #include <gtest/gtest.h>
34
35 #include <android-base/macros.h>
36 #include <android-base/unique_fd.h>
37
38 using namespace std::chrono_literals;
39
40 using android::base::unique_fd;
41
42 // Host libc does not define this.
43 #ifndef TRAP_HWBKPT
44 #define TRAP_HWBKPT 4
45 #endif
46
47 class ChildGuard {
48 public:
ChildGuard(pid_t pid)49 explicit ChildGuard(pid_t pid) : pid(pid) {}
50
~ChildGuard()51 ~ChildGuard() {
52 kill(pid, SIGKILL);
53 int status;
54 waitpid(pid, &status, 0);
55 }
56
57 private:
58 pid_t pid;
59 };
60
61 enum class HwFeature { Watchpoint, Breakpoint };
62
is_hw_feature_supported(pid_t child,HwFeature feature)63 static bool is_hw_feature_supported(pid_t child, HwFeature feature) {
64 #if defined(__arm__)
65 long capabilities;
66 long result = ptrace(PTRACE_GETHBPREGS, child, 0, &capabilities);
67 if (result == -1) {
68 EXPECT_EQ(EIO, errno);
69 GTEST_LOG_(INFO) << "Hardware debug support disabled at kernel configuration time.";
70 return false;
71 }
72 uint8_t hb_count = capabilities & 0xff;
73 capabilities >>= 8;
74 uint8_t wp_count = capabilities & 0xff;
75 capabilities >>= 8;
76 uint8_t max_wp_size = capabilities & 0xff;
77 if (max_wp_size == 0) {
78 GTEST_LOG_(INFO)
79 << "Kernel reports zero maximum watchpoint size. Hardware debug support missing.";
80 return false;
81 }
82 if (feature == HwFeature::Watchpoint && wp_count == 0) {
83 GTEST_LOG_(INFO) << "Kernel reports zero hardware watchpoints";
84 return false;
85 }
86 if (feature == HwFeature::Breakpoint && hb_count == 0) {
87 GTEST_LOG_(INFO) << "Kernel reports zero hardware breakpoints";
88 return false;
89 }
90 return true;
91 #elif defined(__aarch64__)
92 user_hwdebug_state dreg_state;
93 iovec iov;
94 iov.iov_base = &dreg_state;
95 iov.iov_len = sizeof(dreg_state);
96
97 long result = ptrace(PTRACE_GETREGSET, child,
98 feature == HwFeature::Watchpoint ? NT_ARM_HW_WATCH : NT_ARM_HW_BREAK, &iov);
99 if (result == -1) {
100 EXPECT_EQ(EINVAL, errno);
101 return false;
102 }
103 return (dreg_state.dbg_info & 0xff) > 0;
104 #elif defined(__i386__) || defined(__x86_64__)
105 // We assume watchpoints and breakpoints are always supported on x86.
106 UNUSED(child);
107 UNUSED(feature);
108 return true;
109 #else
110 // TODO: mips support.
111 UNUSED(child);
112 UNUSED(feature);
113 return false;
114 #endif
115 }
116
set_watchpoint(pid_t child,uintptr_t address,size_t size)117 static void set_watchpoint(pid_t child, uintptr_t address, size_t size) {
118 ASSERT_EQ(0u, address & 0x7) << "address: " << address;
119 #if defined(__arm__) || defined(__aarch64__)
120 const unsigned byte_mask = (1 << size) - 1;
121 const unsigned type = 2; // Write.
122 const unsigned enable = 1;
123 const unsigned control = byte_mask << 5 | type << 3 | enable;
124
125 #ifdef __arm__
126 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, -1, &address)) << strerror(errno);
127 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, -2, &control)) << strerror(errno);
128 #else // aarch64
129 user_hwdebug_state dreg_state;
130 memset(&dreg_state, 0, sizeof dreg_state);
131 dreg_state.dbg_regs[0].addr = address;
132 dreg_state.dbg_regs[0].ctrl = control;
133
134 iovec iov;
135 iov.iov_base = &dreg_state;
136 iov.iov_len = offsetof(user_hwdebug_state, dbg_regs) + sizeof(dreg_state.dbg_regs[0]);
137
138 ASSERT_EQ(0, ptrace(PTRACE_SETREGSET, child, NT_ARM_HW_WATCH, &iov)) << strerror(errno);
139 #endif
140 #elif defined(__i386__) || defined(__x86_64__)
141 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[0]), address)) << strerror(errno);
142 errno = 0;
143 unsigned data = ptrace(PTRACE_PEEKUSER, child, offsetof(user, u_debugreg[7]), nullptr);
144 ASSERT_EQ(0, errno);
145
146 const unsigned size_flag = (size == 8) ? 2 : size - 1;
147 const unsigned enable = 1;
148 const unsigned type = 1; // Write.
149
150 const unsigned mask = 3 << 18 | 3 << 16 | 1;
151 const unsigned value = size_flag << 18 | type << 16 | enable;
152 data &= mask;
153 data |= value;
154 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[7]), data)) << strerror(errno);
155 #else
156 UNUSED(child);
157 UNUSED(address);
158 UNUSED(size);
159 #endif
160 }
161
162 template <typename T>
run_watchpoint_test(std::function<void (T &)> child_func,size_t offset,size_t size)163 static void run_watchpoint_test(std::function<void(T&)> child_func, size_t offset, size_t size) {
164 alignas(16) T data{};
165
166 pid_t child = fork();
167 ASSERT_NE(-1, child) << strerror(errno);
168 if (child == 0) {
169 // Extra precaution: make sure we go away if anything happens to our parent.
170 if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
171 perror("prctl(PR_SET_PDEATHSIG)");
172 _exit(1);
173 }
174
175 if (ptrace(PTRACE_TRACEME, 0, nullptr, nullptr) == -1) {
176 perror("ptrace(PTRACE_TRACEME)");
177 _exit(2);
178 }
179
180 child_func(data);
181 _exit(0);
182 }
183
184 ChildGuard guard(child);
185
186 int status;
187 ASSERT_EQ(child, waitpid(child, &status, __WALL)) << strerror(errno);
188 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status;
189 ASSERT_EQ(SIGSTOP, WSTOPSIG(status)) << "Status was: " << status;
190
191 if (!is_hw_feature_supported(child, HwFeature::Watchpoint)) {
192 GTEST_LOG_(INFO) << "Skipping test because hardware support is not available.\n";
193 return;
194 }
195
196 set_watchpoint(child, uintptr_t(&data) + offset, size);
197
198 ASSERT_EQ(0, ptrace(PTRACE_CONT, child, nullptr, nullptr)) << strerror(errno);
199 ASSERT_EQ(child, waitpid(child, &status, __WALL)) << strerror(errno);
200 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status;
201 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)) << "Status was: " << status;
202
203 siginfo_t siginfo;
204 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child, nullptr, &siginfo)) << strerror(errno);
205 ASSERT_EQ(TRAP_HWBKPT, siginfo.si_code);
206 #if defined(__arm__) || defined(__aarch64__)
207 ASSERT_LE(&data, siginfo.si_addr);
208 ASSERT_GT((&data) + 1, siginfo.si_addr);
209 #endif
210 }
211
212 template <typename T>
watchpoint_stress_child(unsigned cpu,T & data)213 static void watchpoint_stress_child(unsigned cpu, T& data) {
214 cpu_set_t cpus;
215 CPU_ZERO(&cpus);
216 CPU_SET(cpu, &cpus);
217 if (sched_setaffinity(0, sizeof cpus, &cpus) == -1) {
218 perror("sched_setaffinity");
219 _exit(3);
220 }
221 raise(SIGSTOP); // Synchronize with the tracer, let it set the watchpoint.
222
223 data = 1; // Now trigger the watchpoint.
224 }
225
226 template <typename T>
run_watchpoint_stress(size_t cpu)227 static void run_watchpoint_stress(size_t cpu) {
228 run_watchpoint_test<T>(std::bind(watchpoint_stress_child<T>, cpu, std::placeholders::_1), 0,
229 sizeof(T));
230 }
231
232 // Test watchpoint API. The test is considered successful if our watchpoints get hit OR the
233 // system reports that watchpoint support is not present. We run the test for different
234 // watchpoint sizes, while pinning the process to each cpu in turn, for better coverage.
TEST(sys_ptrace,watchpoint_stress)235 TEST(sys_ptrace, watchpoint_stress) {
236 cpu_set_t available_cpus;
237 ASSERT_EQ(0, sched_getaffinity(0, sizeof available_cpus, &available_cpus));
238
239 for (size_t cpu = 0; cpu < CPU_SETSIZE; ++cpu) {
240 if (!CPU_ISSET(cpu, &available_cpus)) continue;
241
242 run_watchpoint_stress<uint8_t>(cpu);
243 run_watchpoint_stress<uint16_t>(cpu);
244 run_watchpoint_stress<uint32_t>(cpu);
245 #if defined(__LP64__)
246 run_watchpoint_stress<uint64_t>(cpu);
247 #endif
248 }
249 }
250
251 struct Uint128_t {
252 uint64_t data[2];
253 };
watchpoint_imprecise_child(Uint128_t & data)254 static void watchpoint_imprecise_child(Uint128_t& data) {
255 raise(SIGSTOP); // Synchronize with the tracer, let it set the watchpoint.
256
257 #if defined(__i386__) || defined(__x86_64__)
258 asm volatile("movdqa %%xmm0, %0" : : "m"(data));
259 #elif defined(__arm__)
260 asm volatile("stm %0, { r0, r1, r2, r3 }" : : "r"(&data));
261 #elif defined(__aarch64__)
262 asm volatile("stp x0, x1, %0" : : "m"(data));
263 #elif defined(__mips__)
264 // TODO
265 UNUSED(data);
266 #endif
267 }
268
269 // Test that the kernel is able to handle the case when the instruction writes
270 // to a larger block of memory than the one we are watching. If you see this
271 // test fail on arm64, you will likely need to cherry-pick fdfeff0f into your
272 // kernel.
TEST(sys_ptrace,watchpoint_imprecise)273 TEST(sys_ptrace, watchpoint_imprecise) {
274 // Make sure we get interrupted in case a buggy kernel does not report the
275 // watchpoint hit correctly.
276 struct sigaction action, oldaction;
277 action.sa_handler = [](int) {};
278 sigemptyset(&action.sa_mask);
279 action.sa_flags = 0;
280 ASSERT_EQ(0, sigaction(SIGALRM, &action, &oldaction)) << strerror(errno);
281 alarm(5);
282
283 run_watchpoint_test<Uint128_t>(watchpoint_imprecise_child, 8, sizeof(void*));
284
285 ASSERT_EQ(0, sigaction(SIGALRM, &oldaction, nullptr)) << strerror(errno);
286 }
287
breakpoint_func()288 static void __attribute__((noinline)) breakpoint_func() {
289 asm volatile("");
290 }
291
breakpoint_fork_child()292 static void __attribute__((noreturn)) breakpoint_fork_child() {
293 // Extra precaution: make sure we go away if anything happens to our parent.
294 if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
295 perror("prctl(PR_SET_PDEATHSIG)");
296 _exit(1);
297 }
298
299 if (ptrace(PTRACE_TRACEME, 0, nullptr, nullptr) == -1) {
300 perror("ptrace(PTRACE_TRACEME)");
301 _exit(2);
302 }
303
304 raise(SIGSTOP); // Synchronize with the tracer, let it set the breakpoint.
305
306 breakpoint_func(); // Now trigger the breakpoint.
307
308 _exit(0);
309 }
310
set_breakpoint(pid_t child)311 static void set_breakpoint(pid_t child) {
312 uintptr_t address = uintptr_t(breakpoint_func);
313 #if defined(__arm__) || defined(__aarch64__)
314 address &= ~3;
315 const unsigned byte_mask = 0xf;
316 const unsigned enable = 1;
317 const unsigned control = byte_mask << 5 | enable;
318
319 #ifdef __arm__
320 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, 1, &address)) << strerror(errno);
321 ASSERT_EQ(0, ptrace(PTRACE_SETHBPREGS, child, 2, &control)) << strerror(errno);
322 #else // aarch64
323 user_hwdebug_state dreg_state;
324 memset(&dreg_state, 0, sizeof dreg_state);
325 dreg_state.dbg_regs[0].addr = reinterpret_cast<uintptr_t>(address);
326 dreg_state.dbg_regs[0].ctrl = control;
327
328 iovec iov;
329 iov.iov_base = &dreg_state;
330 iov.iov_len = offsetof(user_hwdebug_state, dbg_regs) + sizeof(dreg_state.dbg_regs[0]);
331
332 ASSERT_EQ(0, ptrace(PTRACE_SETREGSET, child, NT_ARM_HW_BREAK, &iov)) << strerror(errno);
333 #endif
334 #elif defined(__i386__) || defined(__x86_64__)
335 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[0]), address))
336 << strerror(errno);
337 errno = 0;
338 unsigned data = ptrace(PTRACE_PEEKUSER, child, offsetof(user, u_debugreg[7]), nullptr);
339 ASSERT_EQ(0, errno);
340
341 const unsigned size = 0;
342 const unsigned enable = 1;
343 const unsigned type = 0; // Execute
344
345 const unsigned mask = 3 << 18 | 3 << 16 | 1;
346 const unsigned value = size << 18 | type << 16 | enable;
347 data &= mask;
348 data |= value;
349 ASSERT_EQ(0, ptrace(PTRACE_POKEUSER, child, offsetof(user, u_debugreg[7]), data))
350 << strerror(errno);
351 #else
352 UNUSED(child);
353 UNUSED(address);
354 #endif
355 }
356
357 // Test hardware breakpoint API. The test is considered successful if the breakpoints get hit OR the
358 // system reports that hardware breakpoint support is not present.
TEST(sys_ptrace,hardware_breakpoint)359 TEST(sys_ptrace, hardware_breakpoint) {
360 pid_t child = fork();
361 ASSERT_NE(-1, child) << strerror(errno);
362 if (child == 0) breakpoint_fork_child();
363
364 ChildGuard guard(child);
365
366 int status;
367 ASSERT_EQ(child, waitpid(child, &status, __WALL)) << strerror(errno);
368 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status;
369 ASSERT_EQ(SIGSTOP, WSTOPSIG(status)) << "Status was: " << status;
370
371 if (!is_hw_feature_supported(child, HwFeature::Breakpoint)) {
372 GTEST_LOG_(INFO) << "Skipping test because hardware support is not available.\n";
373 return;
374 }
375
376 set_breakpoint(child);
377
378 ASSERT_EQ(0, ptrace(PTRACE_CONT, child, nullptr, nullptr)) << strerror(errno);
379 ASSERT_EQ(child, waitpid(child, &status, __WALL)) << strerror(errno);
380 ASSERT_TRUE(WIFSTOPPED(status)) << "Status was: " << status;
381 ASSERT_EQ(SIGTRAP, WSTOPSIG(status)) << "Status was: " << status;
382
383 siginfo_t siginfo;
384 ASSERT_EQ(0, ptrace(PTRACE_GETSIGINFO, child, nullptr, &siginfo)) << strerror(errno);
385 ASSERT_EQ(TRAP_HWBKPT, siginfo.si_code);
386 }
387
388 class PtraceResumptionTest : public ::testing::Test {
389 public:
390 unique_fd worker_pipe_write;
391
392 pid_t worker = -1;
393 pid_t tracer = -1;
394
PtraceResumptionTest()395 PtraceResumptionTest() {
396 unique_fd worker_pipe_read;
397 int pipefd[2];
398 if (pipe2(pipefd, O_CLOEXEC) != 0) {
399 err(1, "failed to create pipe");
400 }
401
402 worker_pipe_read.reset(pipefd[0]);
403 worker_pipe_write.reset(pipefd[1]);
404
405 worker = fork();
406 if (worker == -1) {
407 err(1, "failed to fork worker");
408 } else if (worker == 0) {
409 char buf;
410 worker_pipe_write.reset();
411 TEMP_FAILURE_RETRY(read(worker_pipe_read.get(), &buf, sizeof(buf)));
412 exit(0);
413 }
414 }
415
~PtraceResumptionTest()416 ~PtraceResumptionTest() {
417 }
418
419 void AssertDeath(int signo);
420
StartTracer(std::function<void ()> f)421 void StartTracer(std::function<void()> f) {
422 tracer = fork();
423 ASSERT_NE(-1, tracer);
424 if (tracer == 0) {
425 f();
426 if (HasFatalFailure()) {
427 exit(1);
428 }
429 exit(0);
430 }
431 }
432
WaitForTracer()433 bool WaitForTracer() {
434 if (tracer == -1) {
435 errx(1, "tracer not started");
436 }
437
438 int result;
439 pid_t rc = waitpid(tracer, &result, 0);
440 if (rc != tracer) {
441 printf("waitpid returned %d (%s)\n", rc, strerror(errno));
442 return false;
443 }
444
445 if (!WIFEXITED(result) && !WIFSIGNALED(result)) {
446 printf("!WIFEXITED && !WIFSIGNALED\n");
447 return false;
448 }
449
450 if (WIFEXITED(result)) {
451 if (WEXITSTATUS(result) != 0) {
452 printf("tracer failed\n");
453 return false;
454 }
455 }
456
457 return true;
458 }
459
WaitForWorker()460 bool WaitForWorker() {
461 if (worker == -1) {
462 errx(1, "worker not started");
463 }
464
465 int result;
466 pid_t rc = waitpid(worker, &result, WNOHANG);
467 if (rc != 0) {
468 printf("worker exited prematurely\n");
469 return false;
470 }
471
472 worker_pipe_write.reset();
473
474 rc = waitpid(worker, &result, 0);
475 if (rc != worker) {
476 printf("waitpid for worker returned %d (%s)\n", rc, strerror(errno));
477 return false;
478 }
479
480 if (!WIFEXITED(result)) {
481 printf("worker didn't exit\n");
482 return false;
483 }
484
485 if (WEXITSTATUS(result) != 0) {
486 printf("worker exited with status %d\n", WEXITSTATUS(result));
487 return false;
488 }
489
490 return true;
491 }
492 };
493
wait_for_ptrace_stop(pid_t pid)494 static void wait_for_ptrace_stop(pid_t pid) {
495 while (true) {
496 int status;
497 pid_t rc = TEMP_FAILURE_RETRY(waitpid(pid, &status, __WALL));
498 if (rc != pid) {
499 abort();
500 }
501 if (WIFSTOPPED(status)) {
502 return;
503 }
504 }
505 }
506
TEST_F(PtraceResumptionTest,smoke)507 TEST_F(PtraceResumptionTest, smoke) {
508 // Make sure that the worker doesn't exit before the tracer stops tracing.
509 StartTracer([this]() {
510 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno);
511 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno);
512 wait_for_ptrace_stop(worker);
513 std::this_thread::sleep_for(500ms);
514 });
515
516 worker_pipe_write.reset();
517 std::this_thread::sleep_for(250ms);
518
519 int result;
520 ASSERT_EQ(0, waitpid(worker, &result, WNOHANG));
521 ASSERT_TRUE(WaitForTracer());
522 ASSERT_EQ(worker, waitpid(worker, &result, 0));
523 }
524
TEST_F(PtraceResumptionTest,seize)525 TEST_F(PtraceResumptionTest, seize) {
526 StartTracer([this]() { ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); });
527 ASSERT_TRUE(WaitForTracer());
528 ASSERT_TRUE(WaitForWorker());
529 }
530
TEST_F(PtraceResumptionTest,seize_interrupt)531 TEST_F(PtraceResumptionTest, seize_interrupt) {
532 StartTracer([this]() {
533 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno);
534 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno);
535 wait_for_ptrace_stop(worker);
536 });
537 ASSERT_TRUE(WaitForTracer());
538 ASSERT_TRUE(WaitForWorker());
539 }
540
TEST_F(PtraceResumptionTest,seize_interrupt_cont)541 TEST_F(PtraceResumptionTest, seize_interrupt_cont) {
542 StartTracer([this]() {
543 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno);
544 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno);
545 wait_for_ptrace_stop(worker);
546 ASSERT_EQ(0, ptrace(PTRACE_CONT, worker, 0, 0)) << strerror(errno);
547 });
548 ASSERT_TRUE(WaitForTracer());
549 ASSERT_TRUE(WaitForWorker());
550 }
551
TEST_F(PtraceResumptionTest,zombie_seize)552 TEST_F(PtraceResumptionTest, zombie_seize) {
553 StartTracer([this]() { ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno); });
554 ASSERT_TRUE(WaitForWorker());
555 ASSERT_TRUE(WaitForTracer());
556 }
557
TEST_F(PtraceResumptionTest,zombie_seize_interrupt)558 TEST_F(PtraceResumptionTest, zombie_seize_interrupt) {
559 StartTracer([this]() {
560 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno);
561 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno);
562 wait_for_ptrace_stop(worker);
563 });
564 ASSERT_TRUE(WaitForWorker());
565 ASSERT_TRUE(WaitForTracer());
566 }
567
TEST_F(PtraceResumptionTest,zombie_seize_interrupt_cont)568 TEST_F(PtraceResumptionTest, zombie_seize_interrupt_cont) {
569 StartTracer([this]() {
570 ASSERT_EQ(0, ptrace(PTRACE_SEIZE, worker, 0, 0)) << strerror(errno);
571 ASSERT_EQ(0, ptrace(PTRACE_INTERRUPT, worker, 0, 0)) << strerror(errno);
572 wait_for_ptrace_stop(worker);
573 ASSERT_EQ(0, ptrace(PTRACE_CONT, worker, 0, 0)) << strerror(errno);
574 });
575 ASSERT_TRUE(WaitForWorker());
576 ASSERT_TRUE(WaitForTracer());
577 }
578