1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #if defined(LIBC_STATIC)
30 #error This file should not be compiled for static targets.
31 #endif
32
33 #include <fcntl.h>
34 #include <signal.h>
35 #include <string.h>
36 #include <sys/prctl.h>
37 #include <sys/socket.h>
38 #include <sys/stat.h>
39 #include <sys/types.h>
40 #include <sys/ucontext.h>
41 #include <sys/un.h>
42
43 #include <async_safe/log.h>
44 #include <platform/bionic/malloc.h>
45 #include <platform/bionic/reserved_signals.h>
46 #include <private/ErrnoRestorer.h>
47 #include <private/ScopedFd.h>
48
49 #include "malloc_heapprofd.h"
50
51 // This file defines the handler for the reserved signal sent by the Android
52 // platform's profilers. The accompanying signal value discriminates between
53 // specific requestors:
54 // 0: heapprofd heap profiler.
55 // 1: traced_perf perf profiler.
56 static constexpr int kHeapprofdSignalValue = 0;
57 static constexpr int kTracedPerfSignalValue = 1;
58
59 static void HandleProfilingSignal(int, siginfo_t*, void*);
60
61 // Called during dynamic libc preinit.
__libc_init_profiling_handlers()62 __LIBC_HIDDEN__ void __libc_init_profiling_handlers() {
63 struct sigaction action = {};
64 action.sa_flags = SA_SIGINFO | SA_RESTART;
65 action.sa_sigaction = HandleProfilingSignal;
66 sigaction(BIONIC_SIGNAL_PROFILER, &action, nullptr);
67
68 // The perfetto_hprof ART plugin installs a signal handler to handle this signal. That plugin
69 // does not get loaded for a) non-apps, b) non-profilable apps on user. The default signal
70 // disposition is to crash. We do not want the target to crash if we accidentally target a
71 // non-app or non-profilable process.
72 signal(BIONIC_SIGNAL_ART_PROFILER, SIG_IGN);
73 }
74
75 static void HandleSigsysSeccompOverride(int, siginfo_t*, void*);
76 static void HandleTracedPerfSignal();
77
HandleProfilingSignal(int,siginfo_t * info,void *)78 static void HandleProfilingSignal(int /*signal_number*/, siginfo_t* info, void* /*ucontext*/) {
79 ErrnoRestorer errno_restorer;
80
81 if (info->si_code != SI_QUEUE) {
82 return;
83 }
84
85 int signal_value = info->si_value.sival_int;
86 async_safe_format_log(ANDROID_LOG_INFO, "libc", "%s: received profiling signal with si_value: %d",
87 getprogname(), signal_value);
88
89 // Proceed only if the process is considered profileable.
90 bool profileable = false;
91 android_mallopt(M_GET_PROCESS_PROFILEABLE, &profileable, sizeof(profileable));
92 if (!profileable) {
93 async_safe_write_log(ANDROID_LOG_ERROR, "libc", "profiling signal rejected (not profileable)");
94 return;
95 }
96
97 // Temporarily override SIGSYS handling, in a best-effort attempt at not
98 // crashing if we happen to be running in a process with a seccomp filter that
99 // disallows some of the syscalls done by this signal handler. This protects
100 // against SECCOMP_RET_TRAP with a crashing SIGSYS handler (typical of android
101 // minijails). Won't help if the filter is using SECCOMP_RET_KILL_*.
102 // Note: the override is process-wide, but short-lived. The syscalls are still
103 // blocked, but the overridden handler recovers from SIGSYS, and fakes the
104 // syscall return value as ENOSYS.
105 struct sigaction sigsys_override = {};
106 sigsys_override.sa_sigaction = &HandleSigsysSeccompOverride;
107 sigsys_override.sa_flags = SA_SIGINFO;
108
109 struct sigaction old_act = {};
110 sigaction(SIGSYS, &sigsys_override, &old_act);
111
112 if (signal_value == kHeapprofdSignalValue) {
113 HandleHeapprofdSignal();
114 } else if (signal_value == kTracedPerfSignalValue) {
115 HandleTracedPerfSignal();
116 } else {
117 async_safe_format_log(ANDROID_LOG_ERROR, "libc", "unrecognized profiling signal si_value: %d",
118 signal_value);
119 }
120 sigaction(SIGSYS, &old_act, nullptr);
121 }
122
123 // Open /proc/self/{maps,mem}, connect to traced_perf, send the fds over the
124 // socket. Everything happens synchronously within the signal handler. Socket
125 // is made non-blocking, and we do not retry.
HandleTracedPerfSignal()126 static void HandleTracedPerfSignal() {
127 ScopedFd sock_fd{ socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK | SOCK_CLOEXEC, 0 /*protocol*/) };
128 if (sock_fd.get() == -1) {
129 async_safe_format_log(ANDROID_LOG_ERROR, "libc", "failed to create socket: %m");
130 return;
131 }
132
133 sockaddr_un saddr{ AF_UNIX, "/dev/socket/traced_perf" };
134 size_t addrlen = sizeof(sockaddr_un);
135 if (connect(sock_fd.get(), reinterpret_cast<const struct sockaddr*>(&saddr), addrlen) == -1) {
136 async_safe_format_log(ANDROID_LOG_ERROR, "libc", "failed to connect to traced_perf socket: %m");
137 return;
138 }
139
140 // If the process is undumpable, /proc/self/mem will be owned by root:root, and therefore
141 // inaccessible to the process itself (see man 5 proc). We temporarily mark the process as
142 // dumpable to allow for the open. Note: prctl is not async signal safe per posix, but bionic's
143 // implementation is. Error checking on prctls is omitted due to them being trivial.
144 int orig_dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
145 if (!orig_dumpable) {
146 prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
147 }
148 ScopedFd maps_fd{ open("/proc/self/maps", O_RDONLY | O_CLOEXEC) };
149 ScopedFd mem_fd{ open("/proc/self/mem", O_RDONLY | O_CLOEXEC) };
150 if (!orig_dumpable) {
151 prctl(PR_SET_DUMPABLE, orig_dumpable, 0, 0, 0);
152 }
153
154 if (maps_fd.get() == -1) {
155 async_safe_format_log(ANDROID_LOG_ERROR, "libc", "failed to open /proc/self/maps: %m");
156 return;
157 }
158 if (mem_fd.get() == -1) {
159 async_safe_format_log(ANDROID_LOG_ERROR, "libc", "failed to open /proc/self/mem: %m");
160 return;
161 }
162
163 // Send 1 byte with auxiliary data carrying two fds.
164 int send_fds[2] = { maps_fd.get(), mem_fd.get() };
165 int num_fds = 2;
166 char iobuf[1] = {};
167 msghdr msg_hdr = {};
168 iovec iov = { reinterpret_cast<void*>(iobuf), sizeof(iobuf) };
169 msg_hdr.msg_iov = &iov;
170 msg_hdr.msg_iovlen = 1;
171 alignas(cmsghdr) char control_buf[256] = {};
172 const auto raw_ctl_data_sz = num_fds * sizeof(int);
173 const size_t control_buf_len = static_cast<size_t>(CMSG_SPACE(raw_ctl_data_sz));
174 msg_hdr.msg_control = control_buf;
175 msg_hdr.msg_controllen = control_buf_len; // used by CMSG_FIRSTHDR
176 struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg_hdr);
177 cmsg->cmsg_level = SOL_SOCKET;
178 cmsg->cmsg_type = SCM_RIGHTS;
179 cmsg->cmsg_len = static_cast<size_t>(CMSG_LEN(raw_ctl_data_sz));
180 memcpy(CMSG_DATA(cmsg), send_fds, num_fds * sizeof(int));
181
182 if (sendmsg(sock_fd.get(), &msg_hdr, 0) == -1) {
183 async_safe_format_log(ANDROID_LOG_ERROR, "libc", "failed to sendmsg: %m");
184 }
185 }
186
HandleSigsysSeccompOverride(int,siginfo_t * info,void * void_context)187 static void HandleSigsysSeccompOverride(int /*signal_number*/, siginfo_t* info,
188 void* void_context) {
189 ErrnoRestorer errno_restorer;
190 if (info->si_code != SYS_SECCOMP) {
191 return;
192 }
193
194 async_safe_format_log(
195 ANDROID_LOG_WARN, "libc",
196 "Profiling setup: trapped seccomp SIGSYS for syscall %d. Returning ENOSYS to caller.",
197 info->si_syscall);
198
199 // The handler is responsible for setting the return value as if the system
200 // call happened (which is arch-specific). Use a plausible unsuccessful value.
201 auto ret = -ENOSYS;
202 ucontext_t* ctx = reinterpret_cast<ucontext_t*>(void_context);
203
204 #if defined(__aarch64__)
205 ctx->uc_mcontext.regs[0] = ret;
206 #elif defined(__arm__)
207 ctx->uc_mcontext.arm_r0 = ret;
208 #elif defined(__i386__)
209 ctx->uc_mcontext.gregs[REG_EAX] = ret;
210 #elif defined(__riscv)
211 ctx->uc_mcontext.__gregs[REG_A0] = ret;
212 #elif defined(__x86_64__)
213 ctx->uc_mcontext.gregs[REG_RAX] = ret;
214 #else
215 #error "unsupported architecture"
216 #endif
217 }
218