Open summershrimp opened 5 years ago
Your analysis and the relevant DR code suggest that the newer bionic file size and/or its sections' sizes probably result in loading/mapping error(s). Can you run with -debug -loglevel 3 and attach the resulting log files please?
-rw------- 1 u0_a160 u0_a160 462.1K Jun 17 09:54 hello_pie.0.12639.html
-rw------- 1 u0_a160 u0_a160 44.9M Jun 17 09:54 log.0.12639.html
Hmm.. maybe too large.
Does it work with no client?
No, it doesn't work with no client.
$ ./bin64/drrun -- ls
Stuck...
$ strace -f ./bin64/drrun -- ls
...........
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
[pid 19956] gettid() = 19956
^C[pid 19956] --- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
strace: Process 19732 detached
strace: Process 19794 detached
strace: Process 19798 detached
strace: Process 19831 detached
strace: Process 19854 detached
strace: Process 19896 detached
strace: Process 19899 detached
strace: Process 19955 detached
strace: Process 19956 detached
$ ./bin64/drrun -debug -- ls
<Starting application /data/data/com.termux/files/usr/bin/busybox (23390)>
<Initial options = -no_dynamic_options -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/data/data/com.termux/files/home/DynamoRIO-Linux-7.91.18058-0/lib64/debug/libdynamorio.so' 0x00000073061d81e0
>
<get_memory_info mismatch! (can happen if os combines entries in /proc/pid/maps)
os says: 0x00000073069e6000-0x00000073069f0000 prot=0x00000003
cache says: 0x00000073069ed000-0x00000073069ee000 prot=0x00000003
>
<(1+x) Handling our fault in a TRY at 0x00000073062918a8>
<Application /data/data/com.termux/files/usr/bin/busybox (23390). Internal Error: DynamoRIO debug check failure: /home/xm1994/Projects/dynamorio/core/vmareas.c:8175 is_readable_without_exception_try(pc, 1)
(Error occurred @4307 frags)
version 7.91.18058, custom build
-no_dynamic_options -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x00000072421ac5f0 0x000000730628ab34
0x00000072421ac790 0x0000007306352590
0x00000072421ac9d0 0x000000730648a81c
0x00000072421acb30 0x000000730648ef44
0x00000072421acb70 0x0000007306496f40
0x00000072421acd80 0x000000730626ff34
0x00000072421acf40 0x0000007306926b6c
0x0000007ffbfff600 0x0000007306926d88
0x0000007ffbfff680 0x0000007306926c94
0x0000007ffbfff700 0x0000007306926c94
0x0000007ffbfff780 0x0000007306922d68
0x0000007ffc000920 0x0000007306921f38
0x0000007ffc000c10 0x00000073069291d8>
Update: this may be caused by XoM being enabled on Android 10, but it was disabled after Android 11.
The workaround at #3543 does not work anymore. This time it seems to be some bug in DR's handling of bionic libc. After diffing bionic between P and Q beta, it seems that the TLS structure has changed. I'm not sure this is the problem. At first I thought it was an issue with the newer kernel:
Linux localhost 4.14.69 #1 SMP PREEMPT Wed Jun 5 23:46:39 CST 2019 aarch64 Android
But I tried DR with Linux 4.19 and glibc, and it works fine. So it might be the bionic libc. The target behavior:
Static link glibc no-pie running under Android Q: OK
Static link glibc pie running under Android Q: OK
Static link bionic no-pie running under Android Q: OK
Static link bionic pie running under Android Q: Not compiling
Dynamic link bionic no-pie running under Android Q: OK (Not sure why DR bypasses the linker's PIE check)
Dynamic link bionic pie running under Android Q: Stuck at some point
And I straced DR and the target with
strace -f ./bin64/drrun -c ./samples/bin64/libinscount.so -- ../hello_pie
DR clones itself and creates a lot of subprocesses with the same args as itself. Debug mode triggers an ASSERT.
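An added example, written for this page and not taken from DynamoRIO, to illustrate the two checks that show up in the debug output above: the `is_readable_without_exception_try` assertion probes a page under a fault handler, and the `get_memory_info mismatch` message compares DR's cached view of a region against what the kernel reports in `/proc/pid/maps`. The program below does both in plain C on Linux (it assumes `/proc/self/maps` is available; the function names are my own): it maps one page each as PROT_NONE, PROT_READ and PROT_EXEC, looks up the permission string the kernel reports for each, and then probes the page for readability under a SIGSEGV/SIGBUS handler instead of simply dereferencing it. On aarch64 with execute-only memory enabled, the PROT_EXEC page is reported as `--xp` and the probe faults; on x86-64 the kernel still reports `--xp` but the read succeeds, because that hardware cannot express execute-without-read. That gap between what the maps file says and what the CPU enforces is the kind of divergence the XoM hypothesis above points at.

```c
// Added example (not DynamoRIO code): fault-safe readability probe plus a
// /proc/self/maps lookup, so the two answers can be compared side by side.
// Build: cc -std=gnu11 -o probe probe.c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static volatile unsigned char probe_sink;

static void probe_handler(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);   /* unwind out of the faulting load */
}

/* Return 1 if one byte at addr can be loaded without a fault, 0 otherwise.
 * This is the "TRY" idea: install handlers, attempt the read, catch the
 * signal, restore the previous handlers. */
int is_readable_without_fault(const void *addr) {
    struct sigaction sa, old_segv, old_bus;
    volatile int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sa.sa_flags = SA_NODEFER;       /* allow a second probe to fault again */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile const unsigned char *p = addr;
        probe_sink = *p;            /* the probed load; faults on PROT_NONE or XoM */
        ok = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* Find the /proc/self/maps entry containing addr and copy its permission
 * string (e.g. "r-xp") into out, which must hold at least 5 bytes.
 * Returns 1 if an entry was found, 0 otherwise. */
int maps_perms_for(const void *addr, char *out) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    unsigned long target = (unsigned long)addr;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (target >= lo && target < hi) {
            memcpy(out, perms, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Map one anonymous page with the given protection; NULL on failure. */
void *map_page(int prot) {
    long ps = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)ps, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

int main(void) {
    int prots[] = { PROT_NONE, PROT_READ, PROT_EXEC };
    const char *names[] = { "PROT_NONE", "PROT_READ", "PROT_EXEC" };
    for (int i = 0; i < 3; i++) {
        void *p = map_page(prots[i]);
        if (!p) { perror("mmap"); return 1; }
        char perms[5] = "????";
        maps_perms_for(p, perms);
        /* On aarch64 with XoM the PROT_EXEC line reads "--xp faults";
         * on x86-64 it reads "--xp readable". */
        printf("%-9s maps=%s probe=%s\n", names[i], perms,
               is_readable_without_fault(p) ? "readable" : "faults");
        munmap(p, (size_t)sysconf(_SC_PAGESIZE));
    }
    return 0;
}
```

The probe deliberately reads through a `volatile` pointer into a `volatile` sink so the compiler cannot elide the load, and it restores the previous signal dispositions so a host that already owns SIGSEGV (as DR does) is not left with the probe's handler installed.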