| blob | 88efbf58b8bbffaec942084beb673f4afee4f3c3 |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
3 * You can obtain one at http://mozilla.org/MPL/2.0/. */
5 #include <string>
6 #include <cstring>
7 #include <cstdlib>
8 #include <cstdio>
9 #include <dlfcn.h>
10 #include <link.h>
11 #include <optional>
12 #include <unistd.h>
13 #include <errno.h>
14 #include <algorithm>
15 #include <fcntl.h>
22 #include <inttypes.h>
25 // From Utils.h
28 #if defined(ANDROID)
29 # include <sys/syscall.h>
30 # include <sys/system_properties.h>
31 # include <math.h>
33 # include <android/api-level.h>
35 /**
36 * Return the current Android version, or 0 on failure.
37 */
42 }
48 }
50 }
54 #ifdef __ARM_EABI__
57 #endif
59 /* Pointer to the PT_DYNAMIC section of the executable or library
60 * containing this code. */
63 /**
64 * dlfcn.h replacements functions
65 */
68 #if defined(ANDROID)
71 }
72 #endif
77 }
80 #if defined(ANDROID)
83 }
84 #endif
88 // Return a custom error if available.
90 }
91 // Or fallback to the system error.
93 }
96 #if defined(ANDROID)
99 }
100 #endif
105 }
109 }
113 }
116 #if defined(ANDROID)
119 }
120 #endif
125 }
128 }
131 #if defined(ANDROID)
134 }
135 #endif
141 }
145 }
154 }
163 };
165 // This function is called for each shared library iterated over by
166 // dl_iterate_phdr, and is used to fill a dl_phdr_info which is then
167 // sent through to the dl_iterate_phdr callback.
170 dl_phdr_info info;
176 // Assuming l_addr points to Elf headers (in most cases, this is true),
177 // get the Phdr location from there.
178 // Unfortunately, when l_addr doesn't point to Elf headers, it may point
179 // to unmapped memory, or worse, unreadable memory. The only way to detect
180 // the latter without causing a SIGSEGV is to use the pointer in a system
181 // call that will try to read from there, and return an EFAULT error if
182 // it can't. One such system call is write(). It used to be possible to
183 // use a file descriptor on /dev/null for these kind of things, but recent
184 // Linux kernels never return an EFAULT error when using /dev/null.
185 // So instead, we use a self pipe. We do however need to read() from the
186 // read end of the pipe as well so as to not fill up the pipe buffer and
187 // block on subsequent writes.
188 // In the unlikely event reads from or write to the pipe fail for some
189 // other reason than EFAULT, we don't try any further and just skip setting
190 // the Phdr location for all subsequent libraries, rather than trying to
191 // start over with a new pipe.
198 // writes are atomic when smaller than PIPE_BUF, per POSIX.1-2008.
206 }
210 // Per POSIX.1-2008, interrupted reads can return a length smaller
211 // than the given one instead of failing with errno EINTR.
218 }
219 }
220 }
228 }
229 }
232 }
235 #if defined(ANDROID)
238 }
239 #endif
241 DlIteratePhdrHelper helper;
250 }
252 data);
254 }
256 }
258 #ifdef __ARM_EABI__
265 }
266 #endif
270 /**
271 * Returns the part after the last '/' for the given path
272 */
277 }
279 /**
280 * Run the given lambda while holding the internal lock of the system linker.
281 * To take the lock, we call the system dl_iterate_phdr and invoke the lambda
282 * from the callback, which is called while the lock is held. Return true on
283 * success.
284 */
287 #if defined(ANDROID)
289 // dl_iterate_phdr is _not_ protected by a lock on Android < 23.
290 // Also return false here if we failed to get the version.
292 }
293 #endif
298 // Return 1 to stop iterating.
300 },
303 }
307 /**
308 * LibHandle
309 */
314 }
316 /**
317 * SystemElf
318 */
320 /* The Android linker returns a handle when the file name matches an
321 * already loaded library, even when the full path doesn't exist */
326 }
336 }
338 }
346 }
352 sym);
354 }
356 #ifdef __ARM_EABI__
358 /* TODO: properly implement when ElfLoader::GetHandleByPtr
359 does return SystemElf handles */
362 }
363 #endif
365 /**
366 * ElfLoader
367 */
369 /* Unique ElfLoader instance */
374 /* Ensure logging is initialized or refresh if environment changed. */
377 /* Ensure self_elf initialization. */
382 /* Handle dlopen(nullptr) directly. */
386 }
388 /* TODO: Handle relative paths correctly */
391 /* Search the list of handles we already have for a match. When the given
392 * path is not absolute, compare file names, otherwise compare full paths. */
399 }
406 }
407 }
412 /* When the path is not absolute and the library is being loaded for
413 * another, first try to load the library from the directory containing
414 * that parent library. */
422 }
426 /* Try loading with the custom linker if we have a Mappable */
429 /* Try loading with the system linker if everything above failed */
432 /* If we didn't have an absolute path and haven't been able to load
433 * a library yet, try in the system search path */
442 }
446 /* Scan the list of handles we already have for a match */
451 }
452 }
454 }
458 }
463 }
468 // We could race with the system linker when modifying the debug map, so
469 // only do so while holding the system linker's internal lock.
471 }
472 }
475 /* Ensure logging is initialized or refresh if environment changed. */
488 }
489 }
494 // We could race with the system linker when modifying the debug map, so
495 // only do so while holding the system linker's internal lock.
497 }
498 }
501 Dl_info info;
502 /* On Android < 4.1 can't reenter dl* functions. So when the library
503 * containing this code is dlopen()ed, it can't call dladdr from a
504 * static initializer. */
507 }
508 }
511 LibHandleList list;
515 }
517 /* Release self_elf and libc */
521 /* Build up a list of all library handles with direct (external) references.
522 * We actually skip system library handles because we want to keep at least
523 * some of these open. Most notably, Mozilla codebase keeps a few libgnome
524 * libraries deliberately open because of the mess that libORBit destruction
525 * is. dlclose()ing these libraries actually leads to problems. */
533 }
534 }
535 }
536 /* Force release all external references to the handles collected above */
539 }
540 }
541 /* Remove the remaining system handles. */
556 /* Not removing, since it could have references to other libraries,
557 * destroying them as a side effect, and possibly leaving dangling
558 * pointers in the handle list we're scanning */
559 }
560 }
561 }
563 }
565 #ifdef __ARM_EABI__
571 }
572 #else
578 }
579 #endif
582 /* Call all destructors for the given DSO handle in reverse order they were
583 * registered. */
589 }
590 }
591 }
599 }
600 }
604 /* Find ELF auxiliary vectors.
605 *
606 * The kernel stores the following data on the stack when starting a
607 * program:
608 * argc
609 * argv[0] (pointer into argv strings defined below)
610 * argv[1] (likewise)
611 * ...
612 * argv[argc - 1] (likewise)
613 * nullptr
614 * envp[0] (pointer into environment strings defined below)
615 * envp[1] (likewise)
616 * ...
617 * envp[n] (likewise)
618 * nullptr
619 * ... (more NULLs on some platforms such as Android 4.3)
620 * auxv[0] (first ELF auxiliary vector)
621 * auxv[1] (second ELF auxiliary vector)
622 * ...
623 * auxv[p] (last ELF auxiliary vector)
624 * (AT_NULL, nullptr)
625 * padding
626 * argv strings, separated with '\0'
627 * environment strings, separated with '\0'
628 * nullptr
629 *
630 * What we are after are the auxv values defined by the following struct.
631 */
635 };
637 /* Pointer to the environment variables list */
640 /* The environment may have changed since the program started, in which
641 * case the environ variables list isn't the list the kernel put on stack
642 * anymore. But in this new list, variables that didn't change still point
643 * to the strings the kernel put on stack. It is quite unlikely that two
644 * modified environment variables point to two consecutive strings in memory,
645 * so we assume that if two consecutive environment variables point to two
646 * consecutive strings, we found strings the kernel put on stack. */
652 /* Next, we scan the stack backwards to find a pointer to one of those
653 * strings we found above, which will give us the location of the original
654 * envp list. As we are looking for pointers, we need to look at 32-bits or
655 * 64-bits aligned values, depening on the architecture. */
660 /* Finally, scan forward to find the last environment variable pointer and
661 * thus the first auxiliary vector. */
664 /* Some platforms have more NULLs here, so skip them if we encounter them */
669 /* The two values of interest in the auxiliary vectors are AT_PHDR and
670 * AT_PHNUM, which gives us the the location and size of the ELF program
671 * headers. */
677 /* Assume the base address is the first byte of the same page */
679 }
681 auxv++;
682 }
687 }
689 /* In some cases, the address for the program headers we get from the
690 * auxiliary vectors is not mapped, because of the PT_LOAD segments
691 * definitions in the program executable. Trying to map anonymous memory
692 * with a hint giving the base address will return a different address
693 * if something is mapped there, and the base address otherwise. */
697 /* If program headers aren't mapped, try to map them */
702 }
705 /* If we don't manage to map at the right address, just give up. */
709 }
710 }
711 /* Sanity check: the first bytes at the base address should be an ELF
712 * header. */
716 }
718 /* Search for the program PT_DYNAMIC segment */
722 /* While the program headers are expected within the first mapped page of
723 * the program executable, the executable PT_LOADs may actually make them
724 * loaded at an address that is not the wanted base address of the
725 * library. We thus need to adjust the base address, compensating for the
726 * virtual address of the PT_LOAD segment corresponding to offset 0. */
730 }
734 }
736 /* Search for the DT_DEBUG information */
741 }
742 }
744 }
746 /**
747 * Helper class to ensure the given pointer is writable within the scope of
748 * an instance. Permissions to the memory page where the pointer lies are
749 * restored to their original value when the instance is destroyed.
750 */
772 }
780 }
781 }
788 }
789 }
793 /* The interesting part of the /proc/self/maps format looks like:
794 * startAddr-endAddr rwxp */
799 });
821 }
823 }
829 };
831 /**
832 * The system linker maintains a doubly linked list of library it loads
833 * for use by the debugger. Unfortunately, it also uses the list pointers
834 * in a lot of operations and adding our data in the list is likely to
835 * trigger crashes when the linker tries to use data we don't provide or
836 * that fall off the amount data we allocated. Fortunately, the linker only
837 * traverses the list forward and accesses the head of the list from a
838 * private pointer instead of using the value in the r_debug structure.
839 * This means we can safely add members at the beginning of the list.
840 * Unfortunately, gdb checks the coherency of l_prev values, so we have
841 * to adjust the l_prev value for the first element the system linker
842 * knows about. Fortunately, it doesn't use l_prev, and the first element
843 * is not ever going to be released before our elements, since it is the
844 * program executable, so the system linker should not be changing
845 * r_debug::r_map.
846 */
854 /* When adding a library for the first time, r_map points to data
855 * handled by the system linker, and that data may be read-only */
861 }
874 }
883 /* When removing the first added library, its l_next is going to be
884 * data handled by the system linker, and that data may be read-only */
890 }
896 }
902 }
905 }
907 #if defined(ANDROID) && defined(__NR_sigaction)
908 /* As some system libraries may be calling signal() or sigaction() to
909 * set a SIGSEGV handler, effectively breaking MappableSeekableZStream,
910 * or worse, restore our SIGSEGV handler with wrong flags (which using
911 * signal() will do), we want to hook into the system's sigaction() to
912 * replace it with our own wrapper instead, so that our handler is never
913 * replaced. We used to only do that with libraries this linker loads,
914 * but it turns out at least one system library does call signal() and
915 * breaks us (libsc-a3xx.so on the Samsung Galaxy S4).
916 * As libc's signal (bsd_signal/sysv_signal, really) calls sigaction
917 * under the hood, instead of calling the signal system call directly,
918 * we only need to hook sigaction. This is true for both bionic and
919 * glibc.
920 */
922 /* libc's sigaction */
926 /* Simple reimplementation of sigaction. This is roughly equivalent
927 * to the assembly that comes in bionic, but not quite equivalent to
928 * glibc's implementation, so we only use this on Android. */
932 }
934 /* Replace the first instructions of the given function with a jump
935 * to the given new function. */
941 # if defined(__i386__)
942 // A 32-bit jump is a 5 bytes instruction.
948 # elif defined(__arm__) || defined(__aarch64__)
950 # ifdef __arm__
951 // .thumb
955 // .arm
957 // .word <new_func>
963 // .word <new_func.lo> ; scratch register.
964 // .word <new_func.hi>
965 # endif
966 };
968 # ifdef __arm__
970 /* Function is thumb, the actual address of the code is without the
971 * least significant bit. */
972 addr--;
973 /* The arm part of the trampoline needs to be 32-bit aligned */
976 else
979 /* Function is arm, we only need the arm part of the trampoline */
981 }
984 # endif
993 # else
995 # endif
996 }
997 #else
998 # define sys_sigaction sigaction
1002 }
1003 #endif
1007 /* Clock that only accounts for time spent in the current process. */
1014 }
1018 }
1022 /* Data structure used to pass data to the temporary signal handler,
1023 * as well as triggering a test crash. */
1027 };
1031 /* Ensure logging is initialized before the DEBUG_LOG in the test_handler.
1032 * As this constructor runs before the ElfLoader constructor (by effect
1033 * of ElfLoader inheriting from this class), this also initializes on behalf
1034 * of ElfLoader and DebuggerHelper. */
1037 /* Initialize oldStack.ss_flags to an invalid value when used to set
1038 * an alternative stack, meaning we haven't got information about the
1039 * original alternative stack and thus don't mean to restore it in
1040 * the destructor. */
1043 /* Get the current segfault signal handler. */
1047 /* Some devices have a kernel option enabled that makes SIGSEGV handler
1048 * have an overhead so high that it affects how on-demand decompression
1049 * performs. The handler will set signalHandlingSlow if the triggered
1050 * SIGSEGV took too much time. */
1065 /* Restore the original segfault signal handler. */
1068 }
1071 /* Ideally, we'd need some locking here, but in practice, we're not
1072 * going to race with another thread. */
1077 }
1082 sigaction_func libc_sigaction;
1084 #if defined(ANDROID)
1085 /* Android > 4.4 comes with a sigaction wrapper in a LD_PRELOADed library
1086 * (libsigchain) for ART. That wrapper kind of does the same trick as we
1087 * do, so we need extra care in handling it.
1088 * - Divert the libc's sigaction, assuming the LD_PRELOADed library uses
1089 * it under the hood (which is more or less true according to the source
1090 * of that library, since it's doing a lookup in RTLD_NEXT)
1091 * - With the LD_PRELOADed library in place, all calls to sigaction from
1092 * from system libraries will go to the LD_PRELOADed library.
1093 * - The LD_PRELOADed library calls to sigaction go to our __wrap_sigaction.
1094 * - The calls to sigaction from libraries faulty.lib loads are sent to
1095 * the LD_PRELOADed library.
1096 * In practice, for signal handling, this means:
1097 * - The signal handler registered to the kernel is ours.
1098 * - Our handler redispatches to the LD_PRELOADed library's if there's a
1099 * segfault we don't handle.
1100 * - The LD_PRELOADed library redispatches according to whatever system
1101 * library or faulty.lib-loaded library set with sigaction.
1102 *
1103 * When there is no sigaction wrapper in place:
1104 * - Divert the libc's sigaction.
1105 * - Calls to sigaction from system library and faulty.lib-loaded libraries
1106 * all go to the libc's sigaction, which end up in our __wrap_sigaction.
1107 * - The signal handler registered to the kernel is ours.
1108 * - Our handler redispatches according to whatever system library or
1109 * faulty.lib-loaded library set with sigaction.
1110 */
1113 /*
1114 * Lollipop bionic only has a small trampoline in sigaction, with the real
1115 * work happening in __sigaction. Divert there instead of sigaction if it
1116 * exists. Bug 1154803
1117 */
1118 libc_sigaction =
1122 libc_sigaction =
1124 }
1126 #endif
1127 {
1129 }
1133 /* Setup an alternative stack if the already existing one is not big
1134 * enough, or if there is none. */
1142 stack_t stack;
1147 }
1148 }
1149 /* Register our own handler, and store the already registered one in
1150 * SEGVHandler's struct sigaction member */
1154 }
1157 /* Restore alternative stack for signals */
1159 /* Restore original signal handler */
1161 }
1163 /* Test handler for a deliberately triggered SIGSEGV that determines whether
1164 * the segfault handler is called quickly enough. */
1171 /* See bug 886736 for timings on different devices, 150 µs is reasonably above
1172 * the latency on "working" devices and seems to be short enough to not incur
1173 * a huge overhead to on-demand decompression. */
1175 }
1177 /* TODO: "properly" handle signal masks and flags */
1179 // ASSERT(signum == SIGSEGV);
1182 /* Redispatch to the registered handler */
1190 /* Reset the handler to the default one, and trigger it. */
1199 }
1200 }
1206 /* Use system sigaction() function for all but SIGSEGV signals. */
1213 }