DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform

Android application launch fail #3820

Open qwerty62 opened 5 years ago

qwerty62 commented 5 years ago

I'm trying to launch a 32-bit application on an Android device using drrun from DynamoRIO-ARM-Android-EABI-7.1.0-1, but it failed every time. Part of the log I pulled goes like this:

09-09 21:26:24.431 19333 19333 I wrap_test_wuba.sh: <Starting application /system/bin/app_process32 (19334)>
09-09 21:26:24.426 19334 19334 I drrun   : type=1400 audit(0.0:94048): avc: denied { open } for dsm=1 path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
09-09 21:26:24.429   777   785 E selinux_dmd: audit(1568035584.426:94047): avc:  denied  { execute } for  dsm=1 pid=19334 comm="drrun" name="libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=(null)
09-09 21:26:24.429   777   785 I iMonitor: send: 940000012
09-09 21:26:24.431   777   785 E selinux_dmd: audit(1568035584.426:94048): avc:  denied  { open } for  dsm=1 pid=19334 comm="drrun" path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.431   777   785 I iMonitor: send: 940000012
09-09 21:26:24.431 19333 19333 I wrap_test_wuba.sh: <Starting application /system/bin/app_process32 (19334)>
09-09 21:26:24.433   777   785 E selinux_dmd: audit(1568035584.426:94049): avc:  denied  { execute_no_trans } for  dsm=1 pid=19334 comm="drrun" path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.433   777   785 I iMonitor: send: 940000012
09-09 21:26:24.433   777   785 E selinux_dmd: audit(1568035584.430:94053): avc:  denied  { read } for  dsm=1 pid=19334 comm="app_process32" name="version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.430 19334 19334 I app_process32: type=1400 audit(0.0:94053): avc: denied { read } for dsm=1 name="version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1
09-09 21:26:24.434   777   785 E selinux_dmd: audit(1568035584.430:94054): avc:  denied  { open } for  dsm=1 pid=19334 comm="app_process32" path="/proc/version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.430 19334 19334 I app_process32: type=1400 audit(0.0:94054): avc: denied { open } for dsm=1 path="/proc/version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1
09-09 21:26:24.431   777   785 E selinux_dmd: audit(1568035584.426:94048): avc:  denied  { open } for  dsm=1 pid=19334 comm="drrun" path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.431   777   785 I iMonitor: send: 940000012
09-09 21:26:24.431 19333 19333 I wrap_test_wuba.sh: <Starting application /system/bin/app_process32 (19334)>
09-09 21:26:24.433   777   785 E selinux_dmd: audit(1568035584.426:94049): avc:  denied  { execute_no_trans } for  dsm=1 pid=19334 comm="drrun" path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.433   777   785 I iMonitor: send: 940000012
09-09 21:26:24.433   777   785 E selinux_dmd: audit(1568035584.430:94053): avc:  denied  { read } for  dsm=1 pid=19334 comm="app_process32" name="version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.434   777   785 E selinux_dmd: audit(1568035584.430:94054): avc:  denied  { open } for  dsm=1 pid=19334 comm="app_process32" path="/proc/version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.440   833  1338 I System.out.cpp: getFinalPath finalPath=event_id
09-09 21:26:24.440 19333 19333 I wrap_test_wuba.sh: <Initial options = -no_dynamic_options -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
09-09 21:26:24.441 19333 19333 I wrap_test_wuba.sh: <Paste into GDB to debug DynamoRIO clients:
09-09 21:26:24.441 19333 19333 I wrap_test_wuba.sh: set confirm off
09-09 21:26:24.441 19333 19333 I wrap_test_wuba.sh: add-symbol-file '/data/DynamoRIO_32/lib32/debug/libdynamorio.so' 0xf4ead798
09-09 21:26:24.441 19333 19333 I wrap_test_wuba.sh: >
09-09 21:26:24.446   833  1338 I System.out.cpp: getFinalPath finalPath=event_id
09-09 21:26:24.450   833  1338 I System.out.cpp: getFinalPath finalPath=event_id
09-09 21:26:24.487 17247 17836 D HwRecentsTaskUtils: refreshToCache
09-09 21:26:24.487 17247 17836 D HwRecentsTaskUtils: searchFromDate
09-09 21:26:24.489  2112  3875 E HsmCoreServiceImpl: onTransact in code is: 103
09-09 21:26:24.489  2112  3875 I MediaProcessHandler: playingUids: 
09-09 21:26:24.493 17247 17836 I RecentsTaskLoadPlan: to show tasks size is 0
09-09 21:26:24.517 19333 19333 I wrap_test_wuba.sh: <get_memory_info mismatch! (can happen if os combines entries in /proc/pid/maps)
09-09 21:26:24.517 19333 19333 I wrap_test_wuba.sh:     os says: 0xf4e81000-0xf4e8a000 prot=0x00000003
09-09 21:26:24.517 19333 19333 I wrap_test_wuba.sh:     cache says: 0xf4e83000-0xf4e84000 prot=0x00000003
09-09 21:26:24.517 19333 19333 I wrap_test_wuba.sh: >

......

09-09 21:26:30.972 19333 19333 I wrap_test_wuba.sh: <Application /system/bin/app_process32 (19334).  Internal Error: DynamoRIO debug check failure: /home/x00430135/dynamoRIO/dynamorio-master/core/vmareas.c:1487 start < end || end == NULL
09-09 21:26:30.972 19333 19333 I wrap_test_wuba.sh: (Error occurred @7701 frags)
09-09 21:26:30.972 19333 19333 I wrap_test_wuba.sh: version 7.91.0, custom build
09-09 21:26:30.972 19333 19333 I wrap_test_wuba.sh: -no_dynamic_options -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct 
09-09 21:26:30.972 19333 19333 I wrap_test_wuba.sh: 0xf4f1998d 0x78af04b0>
09-09 21:26:30.974 19333 19333 I wrap_test_wuba.sh: wrap_test_wuba.sh terminated by exit(255)
09-09 21:26:31.031   623   623 I Zygote  : Process 19321 exited cleanly (255)
09-09 21:26:31.032   623   623 W Zygote  : Error reading pid from wrapped process, child may have died

Hope that someone can give some insight on what's going on and some instructions on how to solve this. Thanks a lot.
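A triage helper for the SELinux lines in the log above, as an added example that is not part of the original post or of DynamoRIO. It collapses records that share an audit serial, groups the denials by source type, target type and file, and reports whether any was enforced; `permissive=1` on an AVC record means the access was logged but still allowed. The sample lines are copied from the log above, and the function names are this example's own.

```python
import posixpath
import re
from collections import defaultdict

# Lines copied from the logcat excerpt in the post above. The kernel record and
# the vendor selinux_dmd record for one denial share the same audit serial.
SAMPLE_LOG = r'''
09-09 21:26:24.426 19334 19334 I drrun   : type=1400 audit(0.0:94048): avc: denied { open } for dsm=1 path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
09-09 21:26:24.429   777   785 E selinux_dmd: audit(1568035584.426:94047): avc:  denied  { execute } for  dsm=1 pid=19334 comm="drrun" name="libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=(null)
09-09 21:26:24.429   777   785 I iMonitor: send: 940000012
09-09 21:26:24.431   777   785 E selinux_dmd: audit(1568035584.426:94048): avc:  denied  { open } for  dsm=1 pid=19334 comm="drrun" path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.433   777   785 E selinux_dmd: audit(1568035584.426:94049): avc:  denied  { execute_no_trans } for  dsm=1 pid=19334 comm="drrun" path="/data/DynamoRIO_32/lib32/debug/libdynamorio.so" dev="sdd67" ino=8916 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.433   777   785 E selinux_dmd: audit(1568035584.430:94053): avc:  denied  { read } for  dsm=1 pid=19334 comm="app_process32" name="version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
09-09 21:26:24.434   777   785 E selinux_dmd: audit(1568035584.430:94054): avc:  denied  { open } for  dsm=1 pid=19334 comm="app_process32" path="/proc/version" dev="proc" ino=4026532056 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=1 CMD=/system/bin/app_process32
'''

AVC_RE = re.compile(r'audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+) \}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['serial'] = int(m.group('serial'))
    rec['perms'] = m.group('perms').split()
    return rec

def unique_denials(log_text):
    """Collapse records that repeat the same audit serial, merging their fields."""
    by_serial = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            by_serial.setdefault(rec['serial'], {}).update(rec)
    return list(by_serial.values())

def summarize(log_text):
    """Map (source type, target type, class, file) to its perms and enforcement."""
    out = defaultdict(lambda: {'perms': set(), 'enforced': False})
    for rec in unique_denials(log_text):
        target = posixpath.basename(rec.get('path') or rec.get('name', '?'))
        key = (rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2],
               rec['tclass'], target)
        out[key]['perms'].update(rec['perms'])
        # permissive=1: the denial was audited but the access went through.
        out[key]['enforced'] |= rec.get('permissive') == '0'
    return dict(out)
```

On the sample lines this yields two groups, one for `libdynamorio.so` and one for `/proc/version`, neither of them enforced.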

derekbruening commented 5 years ago

What Android version is this? Xref #3683 and #3543, though it looks like you have no client here.

So you are hitting this assert:

<Application /system/bin/app_process32 (19334).  Internal Error: DynamoRIO debug check failure: /home/x00430135/dynamoRIO/dynamorio-master/core/vmareas.c:1487 start < end || end == NULL

I would want to know the callstack there.

What happens in release build?

qwerty62 commented 5 years ago

@derekbruening 1. It's Android 9, and yes, I ran the app without any client.

2. The file wrap_test_wuba.sh goes as follows:

#!/system/bin/sh
export TMPDIR=/data/data/com.wuba
exec /data/DynamoRIO_32/bin32/drrun -- $@

I assume it is release build.

3. According to https://github.com/DynamoRIO/dynamorio/issues/3543, I made the change in privload_call_lib_func, compiled and ran in the same way, the log changed and showed:

09-11 11:53:25.435 20408 20408 I wrap_test_wuba.sh: wrap_test_wuba.sh terminated by signal 31

4. I don't know how to get the callstack, maybe you can give some further instructions?

Thanks.