Commit graph

903 commits

Author SHA1 Message Date
Mitch Phillips
8fe5127027 Recoverable GWP-ASan: Don't tell ActivityManager
Currently, debuggerd tells the teacher that an app that received a fatal
signal. On the playground, dobbing on a process that doesn't actually
need to be killed is considered a friendship-ending move.

Because recoverable GWP-ASan is *supposed* to not crash your app,
suppress this behaviour and don't let ActivityManager know about the
crash.

Bug: N/A
Test: Run a use-after-free in an app that's using recoverable GWP-ASan,
through the 'libc.debug.gwp_asan.recoverable.<app_name>=1' and
'libc.debug.gwp_asan.process_sampling.<app_name>=1' sysprops.

Change-Id: I033ea67d577573df10936e37db7302d4f4bc0069
2023-02-07 17:06:32 -08:00
Mitch Phillips
6e0eb996b3 Merge "Add recoverable GWP-ASan." 2023-02-03 18:35:08 +00:00
Mitch Phillips
18ce54241c Add recoverable GWP-ASan.
Recoverable GWP-ASan is a mode landed upstream in
https://reviews.llvm.org/D140173. For more information about why/what it
is, see
https://android-review.git.corp.google.com/c/platform/bionic/+/2394588.

This patch makes debuggerd call the required libc callbacks for GWP-ASan
to recover from the memory corruption. It also adds the functionality
that libart/sigchain eventually ends up calling, which dumps a GWP-ASan
report for the first error encountered.

Test: Build the platform, run sanitizer-status in recoverable mode,
asserting that it doesn't crash but we get a debuggerd report.
Bug: 247012630

Change-Id: I27212f7250844c20a8fd1e961417cdb4e5bd3626
2023-02-01 15:25:29 -08:00
Christopher Ferris
22035ccb01 Display offset in backtraces if necessary.
When moving to a proto tombstone, backtraces no longer contain
an offset when a frame is in a shared library from an apk.
Add the offset display again if needed, and add a test to
verify this behavior.

Bug: 267341682

Test: All unit tests pass.
Test: Dumped a process running through an apk to verify the offset
Test: is present.
Change-Id: Ib720ccb5bfcc8531d1e407f3d01817e8a0b9128c
2023-01-31 17:53:45 -08:00
Florian Mayer
1d79a07586 [MTE] add link to SAC docs to tombstones
Test: m, flash, look at tombstone
Change-Id: I091d3dc9207d0ba7e692dcc28adc04aec33cf336
2023-01-26 02:09:57 +00:00
Florian Mayer
8b91862b8f [Refactor] move memory map printing to helper
An early return out of this function makes it harder to add new prints
after the memory maps.

Test: m, flash, look at tombstone
Change-Id: Id06e432918d69ac3307761b244473b6b7ab769e8
2023-01-26 01:39:15 +00:00
Florian Mayer
3d11890797 Merge "[MTE] warn about async crashes being imprecise" 2023-01-20 02:12:42 +00:00
Florian Mayer
5fcdfd2504 [MTE] warn about async crashes being imprecise
Bug: 175335730
Change-Id: If666c98b53dee1c63c48887f4448bc54f78a0a9f
2023-01-20 00:33:29 +00:00
Treehugger Robot
a812f45678 Merge "Pass fault address to GWP-ASan's changed API." 2023-01-17 20:29:46 +00:00
Florian Mayer
30a25286c4 Handle scudo_ring_buffer_size = 0
Bug: 263287052
Change-Id: I0bec3a817d7a16c72d5dfeddd0dcc86830f5a311
2023-01-12 16:06:10 -08:00
Mitch Phillips
8a34b179ad Pass fault address to GWP-ASan's changed API.
GWP-ASan changed one of the APIs upstream to now take the fault address
as well. This is to support the recoverable mode.

Add the fault address as well.

Test: gwp_asan_unittest
Bug: N/A
Change-Id: I8a4edd3fad159d91cc036050d330bbb8f9c8d435
2023-01-12 09:48:11 -08:00
Florian Mayer
fe9d83251b Merge "Use scudo_ring_buffer_size from process_info" 2023-01-10 21:23:33 +00:00
Elliott Hughes
c0748f0276 Merge "debuggerd: show syscall in SYS_SECCOMP one-liners." 2023-01-05 23:30:08 +00:00
Florian Mayer
bd49c387f0 Use scudo_ring_buffer_size from process_info
This is a no-op but will be used in upcoming scudo changes that allow to
change the buffer size at process startup time, and as such we will no
longer be able to call __scudo_get_ring_buffer_size in debuggerd.

Bug: 263287052
Change-Id: I350421d1fcdf22ce3b8b73780b88c1e10fa8a074
2023-01-05 15:14:56 -08:00
Elliott Hughes
d32733dbc7 debuggerd: show syscall in SYS_SECCOMP one-liners.
The current logging...
```
F libc    : Fatal signal 31 (SIGSYS), code 1 (SYS_SECCOMP) in tid 6640 (logcat), pid 6640 (logcat)
```
...isn't super useful if crash_dump then fails, because you have no idea
what syscall caused the problem.

We already include the fault address in this line for relevant cases,
so include the syscall number in this case.

Bug: http://b/262391724
Test: treehugger
Change-Id: I45ad7d99c9904bab32b65efeb19be232e59ab3a4
2023-01-05 00:55:38 +00:00
Florian Mayer
c3a7e4862c Merge "static_assert to catch struct mismatches earlier" 2023-01-04 23:46:59 +00:00
Chih-Hung Hsieh
7e575a07be Disable clang-tidy on crash test.
Bug: 263274255
Test: presubmit; make tidy-system-core-debuggerd_subset
Change-Id: I2eb5dcb87894b3282ff19e006f6a0209c9153519
2023-01-03 15:58:29 -08:00
Florian Mayer
ab644a0e6e static_assert to catch struct mismatches earlier
Change-Id: Ia6294c6f8848d0d3d0d7d901e3b78ac3babdf7ac
2022-12-21 17:39:54 -08:00
Elliott Hughes
a27f23e61e Remove an unnecessary #include.
This confused me while doing a code search.

Test: treehugger
Change-Id: Ic8d63a3f5b8efb8557d0033d458f5265762da716
2022-12-13 17:08:24 +00:00
Chih-Hung Hsieh
3ec1e81425 Suppress clang-tidy on crasher.cpp
* Intentional crash test code with null/free/escape warnings.

Test: make tidy-system-core-debuggerd_subset
Change-Id: Ib1255c17a374729c82aa246c6a59156dbc4e1b77
2022-12-05 11:28:40 -08:00
Elliott Hughes
2f883314b9 riscv64 doesn't require a 32-bit crash dump policy.
Test: `mm -j` in bionic
Change-Id: I6c2e91b540f544b1ca428692ebfb25697b0cb6e4
2022-11-14 20:06:16 +00:00
Treehugger Robot
da644317e3 Merge "Clean up some unneeded non-neon support." 2022-10-31 18:51:46 +00:00
Elliott Hughes
7a30483996 Clean up some unneeded non-neon support.
It's 2022.

Test: treehugger
Change-Id: If7feede199545cf36ae4759b635a56d1421e505f
2022-10-31 15:38:01 +00:00
Treehugger Robot
cb881e7cf0 Merge "Add riscv support for heap_addr_in_register" 2022-10-29 18:23:31 +00:00
haocheng.zy@linux.alibaba.com
3f4d036cb6 Add riscv support for heap_addr_in_register
Change-Id: I42a93a96c8c9c7a32d32674535ff466380e3c2fa
Signed-off-by: haocheng.zy <haocheng.zy@linux.alibaba.com>
2022-10-29 14:57:23 +00:00
Christopher Ferris
fac411d97c Remove unnecessary logging.
Test: Extra logging no longers happens.
Change-Id: Ia179ebe5d16e0bde7d6ec66e39d4484ff18f2b1e
2022-10-27 17:56:27 -07:00
Nikita Ioffe
75be784fba Switch to tombstoned.microdroid
The long term plan is to completely remove tombstoned from microdroid (b/243494912), however it might take time some time to implement it.

In the meantime, we've recently removed cgroups support from the microdroid kernel. This means that starting a tombstoned results in a bunch of non-fatal errors in the logs that are related to the fact that tombstoned service specifies task_profiles.

To get rid of these error messages we temporary add a microdroid variant of the tombstoned (tombstoned.microdroid) that doesn't specify task_profiles.

Bug: 239367015
Test: microdroid presubmit
Change-Id: Ia7d37ede2276790008702e48fdfaf37f4c1fd251
2022-10-24 15:56:33 +00:00
Elliott Hughes
356e83b23f riscv64 has no "other" to need an sepolicy.
Fixes
```
out/soong/installs-aosp_riscv64.mk:56833: error: overriding commands for target `out/target/product/generic_riscv64/system/etc/seccomp_policy/crash_dump.riscv64.policy', previously defined at out/soong/installs-aosp_riscv64.mk:56829
```

Test: m
Change-Id: I78a1c6b10dac2da704515f33b492ff37cc086dd6
2022-10-17 21:42:32 +00:00
Evgenii Stepanov
4a93612db3 Merge "Harden CrasherTest::Trap under sanitizers." 2022-10-17 20:47:31 +00:00
Evgenii Stepanov
361455eb37 Harden CrasherTest::Trap under sanitizers.
The use of __builtin_abort in CrasherTest::Trap breaks with
-ftrap-function=abort, because then the argument of Trap is no longer in
the first argument register at the time of crash.

This flag is added when *any* sanitizer is enabled on the target, even harmless
ones like memtag-heap. See sanitize.go:769.

Fix CrasherTest::Trap to be a little more reliable.

Test: debuggerd_test with SANITIZE_TARGET=memtag_heap
Change-Id: I150f1c0355bd6f2bfabfa5a7bba125acdde1120e
2022-10-13 16:40:05 -07:00
Liu Cunyuan
8c0101b971 Add tomstone proto support for riscv64
Signed-off-by: Liu Cunyuan <liucunyuan.lcy@linux.alibaba.com>
Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Change-Id: Ie22c2895fc30fab68eddc18713c80e403f44b203
2022-10-12 22:31:45 +00:00
Chen Guoyin
a22af66e4b Add seccomp policy for riscv64 crash_dump
Signed-off-by: Chen Guoyin <chenguoyin.cgy@linux.alibaba.com>
Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Change-Id: Ie58bd7cf5dde792d8fba78602b5f53471752ab24
2022-10-12 22:31:39 +00:00
Xia Lifang
b13a10bb5d Add riscv64 support for debuggerd/crasher
Signed-off-by: Xia Lifang <lifang_xia@linux.alibaba.com>
Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Change-Id: I521c6da61cf2f6f67a73febf368068c430d94cdb
2022-10-12 22:30:27 +00:00
Florian Mayer
7a6079000c [MTE] add device config for permissive mode
Change-Id: Ifb16c0f29f07870f59ab50522d010689ee232de8
2022-10-03 09:58:39 -07:00
Florian Mayer
1ee1567b93 Merge "Do not use GetBoolProperty in signal handler" 2022-09-16 21:31:12 +00:00
Florian Mayer
094917deb7 Do not use GetBoolProperty in signal handler
This uses an std::string, which causes a heap allocation, which is not
async-safe.

Test: atest --no-bazel-mode permissive_mte_test
Change-Id: I4bd53d42d9a6a659abe62a964f14c81d9ec059d0
2022-09-16 12:01:40 -07:00
Elliott Hughes
b795d6fa4b Fix the build with a newer LLVM.
Unify all our "noinline" variants to the current most common one, not
least because the new [[noinline]] syntax is fussier about where it goes.

Test: treehugger
Change-Id: Icfcb75c9d687f0f05c19f66ee778fd8962519436
2022-09-14 20:16:25 +00:00
Florian Mayer
565305b852 Merge "[MTE] only upgrade to SYNC mode for MTE crashes" 2022-09-14 01:22:45 +00:00
Florian Mayer
d705c2dbcd [MTE] only upgrade to SYNC mode for MTE crashes
Bug: 244471804
Test: atest mte_ugprade_test on emulator
Change-Id: Ie974cf2dec96267012f1b01b9a40dad86551b1be
2022-09-13 15:35:07 -07:00
Elliott Hughes
df2e7eb3cc Explain how to get a tombstone proto.
There's a link here from the javadoc, but a link to the javadoc from
here seems like a good idea.

Test: N/A
Change-Id: I89a29f72d086d08174e72f7d0aa0421fe417f733
2022-09-12 22:24:18 +00:00
Alessandra Loro
7bd6dca855 Resolve ro.debuggable at build time
Test: n/a
Bug: 243645021

Change-Id: I42c4b1e81383d83c73a565c5e74ac22f17389faf
2022-09-01 13:32:36 +00:00
Jiyong Park
eb769d687a Use liblog_for_runtime_apex instead of liblog
liblog_for_runtime_apex is a static variant of liblog which is
explicitly marked as available to the runtime APEX. Any static
dependency to liblog from inside the runtime APEX is changed from liblog
to liblog_for_runtime_apex.

Previously, to support the need for using liblog inside the runtime
APEX, the entire (i.e. both static and shared variants) liblog module
was marked as available to the runtime APEX, although in reality only
the static variant of the library was needed there. This was not only
looking dirty, but also has caused a problem like b/241259844.

To fix this, liblog is separated into two parts. (1) liblog and (2)
liblog_for_runtime_apex. (1) no longer is available to the runtime APEX
and is intended to be depended on in most cases: either from the
non-updatable platform, or from other APEXes. (2) is a static library
which is explicitly marked as available to the runtime APEX and also
visible to certain modules that are included in the runtime APEX.

Bug: 241259844
Test: m and check that liblog depends on stub library of libc
Change-Id: I10edd4487a6f090ef026acffe1ffbd067387a0d3
2022-08-19 13:21:02 +09:00
Peter Collingbourne
73583331a0 Merge "Fix scudo MTE tests." 2022-07-01 17:09:55 +00:00
Peter Collingbourne
7827991d7f Fix scudo MTE tests.
r.android.com/2108505 was intended to fix a crash in Scudo in
the case where the stack depot, region info or ring buffer were
unreadable. However, it also ended up introducing a number of bugs into
the code. It failed to call __scudo_get_error_info if the page at the
fault address was unreadable. This can happen in legitimate crash cases
if a primary allocation was close to the boundary of a mapped region,
or if the allocation was a secondary allocation with guard pages. It
also used long as the type for tags, whereas Scudo expects it to be
char. In combination this ended up causing most of the MTE tests to
fail. Therefore, mostly revert that change.

Fix the original crash by null checking the pointers returned by
AllocAndReadFully before proceeding with the rest of the function.

Bug: 233720136
Change-Id: I04d70d2abffaa35fe315d15d9224f9b412a9825d
2022-06-30 18:54:19 -07:00
Bob Badour
453d3e4924 [LSC] Add LOCAL_LICENSE_KINDS to system/core
Added SPDX-license-identifier-Apache-2.0 to:
  debuggerd/test_permissive_mte/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all
Change-Id: Ic48cf8a972147eba8a955136be74204c013ca436
2022-06-16 10:01:01 -07:00
Florian Mayer
514c41c6e2 Merge "Add permissive MTE mode." 2022-06-15 16:58:25 +00:00
Christopher Ferris
d17cefe7e4 Merge "Fix scudo fault address processing." 2022-06-01 20:20:09 +00:00
Christopher Ferris
7c2e7e31f6 Fix fallback paths for dumping threads.
In the fallback path, if the non-main thread is the target
to be dumped, then no other threads are dumped when creating
a tombstone. Fix this and add unit tests to verify that
this all threads, including the main thread are dumped.

Bug: 234058038

Test: All unit tests pass.
Test: debuggerd -b media.swcodec process
Test: debuggerd media.swcodec process
Change-Id: Ibb75264f7b3847acdbab939a66902d986c0d0e5c
2022-05-27 13:05:56 -07:00
liyong
381b89c8db Fix scudo fault address processing.
The code doesn't properly check if data is not read properly, so
make it fail if reads fail. Also, change the algorithm so that
first try and read the faulting page then 16 pages before and 16
pages after. Rather than trying to read every one of these pages,
stop as soon as one is unreadable. This means that the total memory
passed to the scudo error function is all valid data, rather than
potentially being some uninitialized memory.

Added new unit tests to cover scudo address processing.

Bug: 233720136

Test: All unit tests pass.
Test: atest CtsIncidentHostTestCases
Change-Id: I18a97bdee9a0c44075c1c31ccd1b546d10895be9
2022-05-26 18:50:52 -07:00
Florian Mayer
a8aa25da01 Add permissive MTE mode.
This is not meant to be enabled long-term, but can be used to assess system
stability with MTE before enabling it.

Bug: 202037138
Change-Id: I9fb9b63ff94da2de0a814fd7150f51559d3af079
2022-05-25 16:25:52 -07:00