Processes that handle SIGCHLD can race with the crash handler to wait
on the crash_dump process. Use clone flags that cause the forked
child's death to not be reported via SIGCHLD, and don't bail out of
dumping when waitpid returns ECHILD (in case another thread is already
in a waitpid(..., __WALL))
Note that the use of waitid was switched to waitpid, because waitid
doesn't support __WCLONE until kernel version 4.7.
Bug: none
Test: "debuggerd -b `pidof zygote64`" a few times (failed roughly 50%
of the time previously)
Change-Id: Ia41a26a61f13c6f9aa85c4c2f88aef8d279d35ad
Raise the ambient capability set to match CapEff so that crash_dump can
inherit all of the capabilities of the dumped process to be able to
ptrace. Note that selinux will prevent crash_dump from actually use
any of the capabilities.
Bug: http://b/34853272
Test: debuggerd -b `pidof system_server`
Test: debuggerd -b `pidof zygote`
Change-Id: I1fe69eff54c1c0a5b3ec63f6fa504b2681c47a88
Dump all of the threads when using `debuggerd -b`.
Bug: http://b/34719257
Test: `debuggerd -b mediaserver`
Change-Id: I2f57100985e5b0c2bf019482ba9feff31921692f
We can't do an selinux transition when this is on.
Bug: http://b/34472671
Test: logcat -c; debuggerd `pidof media.codec`; logcat
Change-Id: Ie6c1832ab838df48879c32a86126862de9a15420
Actually exit when receiving a signal via kill(2) or raise(2) and
PR_GET_DUMPABLE is 0.
Bug: none
Test: /data/nativetest/debuggerd_test/debuggerd_test32
Test: /data/nativetest64/bionic-unit-tests/bionic-unit-tests --gtest_filter=pthread_DeathTest.pthread_mutex_lock_null_64
Change-Id: I833a2a34238129237bd9f953959ebda51d8d04d7
PTRACE_DETACH is only necessary if the process is in group-stop state,
the tracer exiting is sufficient to detach and resume tracees.
Using this, set a 5 second timer with alarm(2) that just kills us, to
avoid leaving processes stopped.
Bug: http://b/34472671
Test: debuggerd_test
Test: crasher + manually inserting a 10 second sleep into crash_dump
Change-Id: Iacaa796f79037aa1585f3f2159abe45ef0069311
ptrace(PTRACE_ATTACH) does not immediately put the traced process in a
stopped state. If we manage to call PTRACE_CONT on it before it
finishes, we'll fail. Switch to using PTRACE_SEIZE and PTRACE_INTERRUPT
to guarantee that the target stops immediately.
This also has the advantage of never putting the process in group-stop
state, which means if we exit prematurely (e.g. if we crash during
stack unwinding), the target process will be resumed without any
intervention needed.
Bug: http://b/34472671
Test: while true; do debuggerd -b `pidof audioserver`; done
Change-Id: I7549f67489646cf300b8c9aa8c735e5e897806ef
crash_dump is a dynamic executable that gets the default crash dumping
handlers set by the linker. Turn them off to prevent crash_dump from
dumping itself.
Bug: http://b/34472671
Test: inserted an abort into crash_dump
Change-Id: Ic9d708805ad47afbb2a9ff37e2ca059f23f421de
Occasionally, the pseudothread wouldn't exit in time after unlocking
the mutex to get crash_dump to proceed, resulting in spurious error
messages. Instead of using a mutex to emulate pthread_join, just
implement it correctly.
Bug: http://b/34472671
Test: debuggerd_test
Change-Id: I5c2658a84e9407ed8cc0ef2ad0fb648c388b7ad1
When vold mounts the encrypted /data partition, it first checks for and
kills processes that have open fds to the tmpfs placeholder at /data.
This resulted in a 20 second boot-time regression (vold's timeout period)
when tombstoned was started before vold.
Bug: http://b/34461270
Test: boot is faster, no messages from vold in console spew
Test: tombstoned still started by init
Change-Id: Ib5e9ddb05f40c9da852f00e103861c6ff2d94888
A TOCTOU race can occur between listing threads and attaching them.
Don't abort and leave the process in a stopped state when this happens.
Bug: http://b/34472671
Test: while true; do debuggerd -b `pidof audioserver`; done
Change-Id: Ib1632c3423fddf506b5c7874223c82fada78a85e
Remove debuggerd in favor of a helper process that gets execed by
crashing processes.
Bug: http://b/30705528
Test: debuggerd_test
Change-Id: I9906c69473989cbf7fe5ea6cccf9a9c563d75906
Make it behave better in our typical use cases and support more of the kinds
of crash we want to document.
Bug: http://b/28746168
Test: crasher
Change-Id: Ifbc3dfb042f6055568244c921f4abe1ea554cec4
NULL represents system default. In the future, NULL could represent
static and dynamic tags, which can come from multiple files based on
implementation details in the liblog library.
Test: gTest logd-unit-tests & liblog-unit-tests
Bug: 31456426
Change-Id: I0e3d296de81ca299ae63d7b83781639ee67ec298
Test: Open a bunch of files, wait for the process to crash, verify dubuggerd
includes the list of open files the tombstone it generates.
Test: Added OpenFilesListTest to debuggerd_test.
Bug: 32013594
Change-Id: I6f939ae1d04dc58dc99abff0ed930da9e0ef0d1c
This will be useful for tests that want to do things with crasher's pid
before it crashes.
Bug: http://b/30705528
Test: crasher wait-abort; crasher wait-thread-abort
Change-Id: I8ba826094dc304d6cd0e6ab088e5cfdb35d2007b
Commit 807e40ecc9 'liblog: logd: Add
android_lookupEventTag_len()' which addressed a Dirty Shared memory
leak resulted in a regression. Most notably logcat <tag> stopped
working for the events log buffer.
AndroidLogEntry::tag also requires callers to check out
AndroidLogEntry::tagLen as tag is no longer guaranteed to be
nul terminated.
Test: logcat-unit-tests --gtest_filter=logcat.event_tag_filter
Bug: 31456426
Change-Id: Ibe5236131b640eb5b7e3df0ab4b5f3e25b85ad45
Point to log/log.h where necessary, define LOG_TAG where necessary.
Accept that private/android_logger.h is suitable replacement for
log/logger.h and android/log.h.
Correct liblog/README
Effectively a cleanup and controlled select revert of
'system/core: drop or replace log/logger.h' and
'system/core: Replace log/log.h with android/log.h'.
Test: compile
Bug: 30465923
Change-Id: Ic2ad157bad6f5efe2c6af293a73bb753300b17a2
Use nasty clone hacks to let us close random file descriptors to be
able to connect to debuggerd when the fd table is full.
Bug: http://b/32013594
Test: crasher exhaustfd-SIGSEGV
Change-Id: I47772e9a5994da4473bd935b105d9c36827c017a
debuggerd does not require log/logger.h, can use android/log.h
In some cases, mark why log/logger.h was required.
Test: Compile and boot smoke test
Bug: 26552300
Bug: 31289077
Bug: 31456426
Change-Id: Ia34987e25a01d81971ec8d785415f732b8376c4f
Should use android/log.h instead of log/log.h as a good example
to all others. Adjust header order to comply with Android Coding
standards.
Test: Compile
Bug: 26552300
Bug: 31289077
Change-Id: I33a8fb4e754d2dc4754d335660c450e0a67190fc
Should use android/log.h instead of cutils/log.h as a good example
to all others. Adjust header order to comply with Android Coding
standards.
Test: Compile
Bug: 26552300
Bug: 31289077
Change-Id: I2c9cbbbd64d8dccf2d44356361d9742e4a9b9031
We weren't detecting incorrect input before. Also clean up the help output
to match the style of all the toybox output. Also flush stdout so that we
don't report failure before even saying that we're going to try to contact
debuggerd...
Change-Id: I9e4bfa878f270fe46c3c210c7a7138959a108d67
The new uapi kernel headers added a new SEGV reason code, so
add it to the tombstone code.
Update sync.c to include the needed data structures itself. Someone
else will be fixing this to work on old versus new kernels.
Change-Id: Icb27713ea38a20003c7671a9bca262eebd96099b
- check hdr_size to make sure it is in the expected range
from sizeof entry_v1 to entry (entry_v4).
- alter msg() method to report NULL on invalid hdr_size
- alter all users of msg() method.
Bug: 30947841
Change-Id: I9bc1740d7aa9f37df5be966c18de1fb9de63d5dd
These were previously required when bionic used tgkill to reraise
signals, but now that we use rt_tgsigqueueinfo to reraise signals, they
are no longer necessary.
Change-Id: I46ba9f14039a727d0a2c4c3a9d93a3532ba8f263
This is needed to connect to the right debuggerd server for the crashing
process. Without this change, the following errors are observed, because a
32-bit process is trying to connect to the 64-bit debuggerd (as opposed to
debuggerd32):
Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 14153 (static_crasher)
debuggerd: handling request: pid=14153 uid=0 gid=0 tid=14153
debuggerd: Not allowed to redirect action 0 to 32 bit debuggerd
Bug: 24414818
Change-Id: I2f275fbc804b0abc6e876a743e51dd8494817103
http://b/28149048http://b/29823425
Disable -Wvarargs that gets triggered in
system/core/debuggerd/test/ptrace_fake.cpp:ptrace_fake. The second bug
above tracks that this warning gets re-enabled.
Test: Tested build, boot and common usage for Arm, Arm64, x86, x86_64,
Mips images in AOSP and internal branch.
Change-Id: Ife68675a77431bcc4717b4da297c14dc486d1413
Fix two races in debuggerd's PTRACE_ATTACH logic:
1. The target thread in a crash dump request could exit between the
/proc/<pid>/task/<tid> check and the PTRACE_ATTACH.
2. Sibling threads could exit between listing /proc/<pid>/task and the
PTRACE_ATTACH.
Bug: http://b/29555636
Change-Id: I4dfe1ea30e2c211d2389321bd66e3684dd757591
Soong is always on now, so we don't have to distinguish between
makefiles that should be ignored because Soong is handling them with an
Android.bp file, and makefiles that are still needed with Soong. All
obsolete Android.mk files have been removed, rename all Android.soong.mk
files to Android.mk.
Change-Id: Iabbddcbfb2c837cfd4556241b570474452cc5d4d
If the underlying local map changes, it's possible for multiple
threads to try and modify the map data associated with the UnwindLocalMap
object. Add a lock when generating the local map to avoid this problem.
In addition, add a read lock whenever any caller gets the maps iterator.
Updated all iterator callers to make this lock.
Bug: 29387050
Change-Id: Ie34822c3d8fd3bdb3dd126aeeb399969c36508c1
am: 4434b42cd0
* commit '4434b42cd0bd36be4ca7702e840886f67daaff2d':
Add a fortify test to crasher.
Change-Id: I3b8b473aa256b7de7ca5e50e14b32d0c3b0565e1
The code for dumping tombstones tries to read the log data. This was
silently failing after the change to drop root privileges. Fix this
by explicitly setting the groups allowed before dropping privileges.
Bug: 28590884
(cherry picked from commit edc2380109)
Change-Id: I225365edccb11f8752027566fd42f3b10ce10260
am: fd1eee58f9
* commit 'fd1eee58f985b3d528ca352ff278d7b200390ab2':
Set groups before dropping privileges.
Change-Id: I85c98abb0e7cc3b36ec714899540d65e6ca908c7
In the function dump_thread_info, if /proc/<PID>/comm is unreadable, then
threadname will be used in a strncmp causing a crash. The fix is to
avoid the check if threadname is null.
Bug: 28615417
(cherry picked from commit 039976e553)
Change-Id: I1e61431b1549ecfdc49a72cbf193a364069cda79
In the function dump_thread_info, if /proc/<PID>/comm is unreadable, then
threadname will be used in a strncmp causing a crash. The fix is to
avoid the check if threadname is null.
Bug: 28615417
Change-Id: I54eda86404c927dbf5a987f5dd2108487df9f16c
The code for dumping tombstones tries to read the log data. This was
silently failing after the change to drop root privileges. Fix this
by explicitly setting the groups allowed before dropping privileges.
Bug: 28590884
Change-Id: Iaccb1d2928268fc9fc855f6e3814c31ce019badf
When someone enables wait_for_gdb, activity manager will kill the
stopped process before a developer can attach to the process. To
allow debugging in this case, change the code to only contact the
activity manager right before continuing the process that is
crashing.
Also, modify the conditions under which to do a gdb attach. The previous
code did a partial attach if perform_dump failed. The new version simply
allows an attach regardless of whether perform_dump passes or fails.
Bug: 28409358
(cherry picked from commit 9818bd2bbe)
Change-Id: I42f464b69332748e16b07d9d00f44b3aa26ce8b7
When someone enables wait_for_gdb, activity manager will kill the
stopped process before a developer can attach to the process. To
allow debugging in this case, change the code to only contact the
activity manager right before continuing the process that is
crashing.
Also, modify the conditions under which to do a gdb attach. The previous
code did a partial attach if perform_dump failed. The new version simply
allows an attach regardless of whether perform_dump passes or fails.
Bug: 28409358
Change-Id: I4fe8d390c212d47e007cbe6543c2d114c3c7aeff
Before dropping root privileges, connect to the activity manager.
Also, only connect to the activity manager if this is a crash.
Bug: 28210681
(cherry picked from commit 0fc89f34b9)
Change-Id: Id25b92e550d71ffe1b9eafe43976ef514a83714b
Before dropping root privileges, connect to the activity manager.
Also, only connect to the activity manager if this is a crash.
Bug: 28210681
Change-Id: Ie266031910519fa2aa6835644a95c1fc56e24d8d
am: 437911e
* commit '437911ec87fe471a4cbe7e3dfa722e11d3187805':
debuggerd: set the name of the signal sender.
Change-Id: I23723649fcc33a624f4aba80cde81f1bbb71fc3b
Processes using seccomp will get SIGSYS when attempting to use a
disallowed syscall. We're currently not handling SIGSYS in bionic's
signal handler, but this change will let us dump a backtrace pointing at
rt_tgsigqueueinfo in our signal handler if seccomp policies block it
during a real crash.
Bug: http://b/27853687
Change-Id: I4e4aacc95eeef7249d895e19dc4ccd77a51c7a17
This was actually nonfunctional until f5e8f0b, because it was using kill
after privileges were dropped. This doesn't seem necessary after the
changes to the sibling thread ptrace logic, though.
Bug: http://b/27427439
Change-Id: I6bffbc14e0cf5e377bbfa39c945518e0d436c223
(cherry picked from commit b17f228ff6)
This was actually nonfunctional until f5e8f0b, because it was using kill
after privileges were dropped. This doesn't seem necessary after the
changes to the sibling thread ptrace logic, though.
Bug: http://b/27427439
Change-Id: I6bffbc14e0cf5e377bbfa39c945518e0d436c223
Use sigtimedwait on SIGCHLD to watch our forked worker processes for
failure, so that we can guarantee that we always resume/kill the target
process if libunwind crashes.
Bug: http://b/27427439
Change-Id: I5a5da1f1abd7dc9d01223f5b3778e946e2d47d20
(cherry picked from commit 630bc80e18)
system/core/debuggerd/debuggerd.cpp:683:5: warning: Value stored to 'logsocket' is never read
logsocket = -1;
^ ~~
Bug: http://b/27264392
Change-Id: I8eab8a02b67f219c32aea49e4d4957e5642df38f
(cherry picked from commit 6da1353863)
Use sigtimedwait on SIGCHLD to watch our forked worker processes for
failure, so that we can guarantee that we always resume/kill the target
process if libunwind crashes.
Bug: http://b/27427439
Change-Id: I5a5da1f1abd7dc9d01223f5b3778e946e2d47d20
Remove the logging of an error if a thread disappears before the unwind
can begin. This can happen, so allow the caller to determine if this
is really a problem worth logging.
Bug: 27449879
(cherry picked from commit 206a3b9798)
Change-Id: If9e7cfeb6eb7b122679a734c1a9eacee8354ef18
Remove the logging of an error if a thread disappears before the unwind
can begin. This can happen, so allow the caller to determine if this
is really a problem worth logging.
Bug: 27449879
Change-Id: Ie81718d53fb0e519fa0a7db9fd5f314b72bfa431
system/core/debuggerd/debuggerd.cpp:683:5: warning: Value stored to 'logsocket' is never read
logsocket = -1;
^ ~~
Bug: http://b/27264392
Change-Id: I8eab8a02b67f219c32aea49e4d4957e5642df38f
Previously, we weren't PTRACE_ATTACHing to all of the threads of a
process, and we were also trying to do it after forking and dropping
privileges. This patch ensures that all ptrace attaching/detaching
happens in one place, before forking/exiting respectively.
Bug: http://b/26443860
Bug: http://b/26436605
Bug: http://b/26436486
Change-Id: Id94e0c1d9d56c051d0dd281d895aaa3285079198
debuggerd_test stubs out the selinux/android.h interface, but was
relying on copied selinux headers to declare the interface. Create a
stub selinux/android.h header included by the test to declare the
interface.
Change-Id: I6a2d402dda1797deb2515f10b663b1a84d498eac
Use ScopedFd and unique_ptr to manage resources, so that we can early
exit instead of having 9 levels of indentation.
Change-Id: Ia5fed76c7d959f1f198ea540c56c508f7e1585c4
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
This is an optional diagnostic tool where it's useful to know if you are
running the version that you just built. Allow the use of __TIME__
without a warning or error.
Bug: 24204119
Change-Id: I78063c2694b80ccaf5891d1cd649ea17eda978cb
Keeping these means that every build has different init and debuggerd
binaries, even if the source was the same. So OTAs that don't touch
these sources would still need to update the binaries.
Both of these messages are only informational, so can be safely removed.
Bootchart already encodes build-specific information from the system
properties.
Bug: 24204119
Change-Id: I7ebd65a20a3e031e7528c9f741616e20b3cd7446
* commit '2fb90dc8b2b590e674c5e433e8bf3d3f08a887c8':
debuggerd: audit pid, uid and gid on SE Linux denial
property_service: log pid,uid and gid of setprop client
When debugging SE Linux audit messages from debuggerd, its
unclear what process is triggering the access violation. To
assist in debugging, we also log pid, uid and gid.
Before:
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 ...
After:
avc: denied { dump_backtrace } for pid=198 uid=1019 gid=1019 ..
Change-Id: I8263e6f5e77917139b73c3e84b76f7f97fd98003
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Clang 3.8 warns against this now, and it is tripping up part of a test.
We suppress the warning, since we are trying to actually test that this
behavior is properly handled.
Change-Id: I8705900572e1a6704bbdc001fece3e2d16c7077c
