platform_bionic/linker/linker_debuggerd_android.cpp
Mitch Phillips a493fe4153 Add the recoverable GWP-ASan feature.
GWP-ASan's recoverable mode was landed upstream in
https://reviews.llvm.org/D140173.

This mode allows for a use-after-free or a buffer-overflow bug to be
detected by GWP-ASan, a crash report dumped, but then GWP-ASan (through
the preCrashReport() and postCrashReportRecoverableOnly() hooks) will
patch up the memory so that the process can continue, in spite of the
memory safety bug.

This is desirable, as it allows us to consider migrating non-system apps
from opt-in GWP-ASan to opt-out GWP-ASan. The major concern was "if we
make it opt-out, then bad apps will start crashing". If we don't crash,
problem solved :). Obviously, we'll need to do this with an amount of
process sampling to mitigate against the 70KiB memory overhead.

The biggest problem is that the debuggerd signal handler isn't the first
signal handler for apps, it's the sigchain handler inside of libart.
Clearly, the sigchain handler needs to ask us whether the crash is
GWP-ASan's fault, and if so, please patch up the allocator. Because of
linker namespace restrictions, libart can't directly ask the linker
(which is where debuggerd lies), so we provide a proxy function in libc.

Test: Build the platform, run sanitizer-status and various test apps
with recoverable gwp-asan. Assert that it doesn't crash, and we get a
debuggerd report.
Bug: 247012630

Change-Id: I86d5e27a9ca5531c8942e62647fd377c3cd36dfd
2023-02-02 15:35:25 -08:00

73 lines
3 KiB
C++

/*
* Copyright (C) 2019 The Android Open Source Project
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "linker_debuggerd.h"
#include "debuggerd/handler.h"
#include "private/bionic_globals.h"
#include "linker_gdb_support.h"
#if defined(__ANDROID_APEX__)
static debugger_process_info get_process_info() {
return {
.abort_msg = __libc_shared_globals()->abort_msg,
.fdsan_table = &__libc_shared_globals()->fd_table,
.gwp_asan_state = __libc_shared_globals()->gwp_asan_state,
.gwp_asan_metadata = __libc_shared_globals()->gwp_asan_metadata,
.scudo_stack_depot = __libc_shared_globals()->scudo_stack_depot,
.scudo_region_info = __libc_shared_globals()->scudo_region_info,
.scudo_ring_buffer = __libc_shared_globals()->scudo_ring_buffer,
.scudo_ring_buffer_size = __libc_shared_globals()->scudo_ring_buffer_size,
};
}
static gwp_asan_callbacks_t get_gwp_asan_callbacks() {
return {
.debuggerd_needs_gwp_asan_recovery =
__libc_shared_globals()->debuggerd_needs_gwp_asan_recovery,
.debuggerd_gwp_asan_pre_crash_report =
__libc_shared_globals()->debuggerd_gwp_asan_pre_crash_report,
.debuggerd_gwp_asan_post_crash_report =
__libc_shared_globals()->debuggerd_gwp_asan_post_crash_report,
};
}
#endif
void linker_debuggerd_init() {
// There may be a version mismatch between the bootstrap linker and the crash_dump in the APEX,
// so don't pass in any process info from the bootstrap linker.
debuggerd_callbacks_t callbacks = {
#if defined(__ANDROID_APEX__)
.get_process_info = get_process_info,
.get_gwp_asan_callbacks = get_gwp_asan_callbacks,
#endif
.post_dump = notify_gdb_of_libraries,
};
debuggerd_init(&callbacks);
}