The program runs up to the getsockname where the return is -1 and errno is 9 (EBADF, bad file descriptor). However, the code instrumented in Android app goes well.
void sysLibCSendHookHandler(CPUState* env, int isStart){
if(isStart){
int fd = env->regs[0];
int buf = env->regs[1];
int len = env->regs[2];
int flags = env->regs[3];
DECAF_printf("xxxxx send(%d, %p, %d, %d)\n", fd, buf, len, flags);
extern int errno;
struct sockaddr_un sock_addr;
socklen_t sock_addr_len;
sock_addr_len = sizeof(sock_addr);
int t = getsockname(fd, (struct sockaddr*)&sock_addr, &sock_addr_len);
DECAF_printf("fd:%d",fd);}
This code results in undefined behavior:
extern int errno;
Per 7.5 Errors <errno.h> of the C Standard (note the bolded part):
The header defines several macros, all relating to
the reporting of error conditions.
The macros are
EDOM
EILSEQ
ERANGE
which expand to integer constant expressions with type int, distinct
positive values, and which are suitable for use in #if preprocessing
directives; and
errno
which expands to a modifiable lvalue that has type int and
thread local storage duration, the value of which is set to a
positive error number by several library functions. If a macro
definition is suppressed in order to access an actual object,
or a program defines an identifier with the name errno, the
behavior is undefined.
According to the Google Android source code, errno is a macro defined as
extern int *__geterrno(void);
#define errno (*__geterrno())
That being the case, the value you see in your extern int errno is meaningless.
Related
I am using JNI with Android Studio 1.5.1 targeting Android API 18 and my question is:
Q) Without using a tool or changing/modifying the Dalvik VM source code, how can I find the memory address of a Java local variable on the Dalvik Stack from native code?
For example, I try to use the following code (adapted from the Internet) to find the memory address of a Java local variable magicNumber = 0x23420023 but I am getting segmentation fault errors.
public class MainActivity extends AppCompatActivity {
static {
System.loadLibrary("MyLibrary");
}
public native boolean findMagicNumber(int pid, int tid);
#Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
int magicNumber = 0x23420023 ;
int pid = android.os.Process.myPid();
int tid = android.os.Process.myTid();
findMagicNumber(pid, tid);
}
}
#include <jni.h>
#include <android/log.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/mman.h>
#include <stdlib.h>
#include "com_example_magicnumber2_MainActivity.h"
#include <unistd.h>
#include <memory.h>
#define ENOENT 2 /* No such file or directory */
#define ENOMEM 12 /* Out of memory */
#define EACCES 13 /* Permission denied */
#define EFAULT 14 /* Bad address */
#define EINVAL 22 /* Invalid argument */
jboolean validAddress(char* address)
{
if ((access(address, F_OK)==-1) && !(errno == ENOENT) && !(errno == ENAMETOOLONG))
return JNI_FALSE;
else if ((access(address, F_OK)==-1) && (errno == ENOMEM) ||
(access(address, F_OK)==-1) && (errno == EACCES) ||
(access(address, F_OK)==-1) && (errno == EFAULT) ||
(access(address, F_OK)==-1) && (errno == EINVAL))
return JNI_FALSE;
else if (address == NULL)
return JNI_FALSE;
else
return JNI_TRUE;
}
JNIEXPORT jboolean JNICALL Java_com_example_magicnumber2_MainActivity_findMagicNumber(JNIEnv *env, jobject obj, jint pid, jint tid) {
long long startaddr, endaddr, size, offset, inode;
char permissions[8], device[8], filename[200], line[250];
char *start, *end, *candidate;
int result, i = 0;
char filepath[100];
sprintf(filepath,"/proc/%d/task/%d", pid, tid);
FILE* file = fopen(filepath, "r");
jboolean found = JNI_FALSE;
while (fgets(line, sizeof(line), file) && !found) {
sscanf(line,"%llx-%llx %s %llx %s %llx", &startaddr, &endaddr, permissions, &offset, device, &inode);
start = startaddr;
end = endaddr;
mprotect( (void*)start , (end-start), PROT_READ);
candidate = memchr( start, 0x14, (end-start));
while( validAddress(candidate) && !found){
if ((validAddress(candidate[2]) && (candidate[2]== 0x23)) &&
(validAddress(candidate[3]) && (candidate[3] == 0x00)) &&
(validAddress(candidate[4]) && (candidate[4] == 0x42)) &&
(validAddress(candidate[5]) && (candidate[5] == 0x23))){
__android_log_print(ANDROID_LOG_DEBUG,"***","Location=%p WE FOUND IT!", candidate);
found = JNI_TRUE;
break;
return JNI_TRUE;
}
else if ((validAddress(candidate)) &&
validAddress(candidate=memchr(candidate+1, 0x14, (end-candidate)))){;
}
}
}
}
This is an update:
The previous code that I posted was not the latest one, here is the latest one:
The Java Code:
public class MainActivity extends AppCompatActivity {
static {
System.loadLibrary("MyLibrary");
}
public native boolean findMagicNumber(int pid, int tid);
#Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
int magicNumber = 0x23420023 ;
int pid = android.os.Process.myPid();
int tid = android.os.Process.myTid();
findMagicNumber(pid, tid);
System.out.println("magicNumber = " + magicNumber );
}
}
The native Code:
JNIEXPORT jboolean JNICALL Java_com_example_magicnumber2_MainActivity_findMagicNumber(JNIEnv *env, jobject obj, jint pid, jint tid) {
long long startaddr, endaddr, size, offset, inode;
char permissions[8], device[8], filename[200], line[250];
char *start, *end, *candidate;
int result, i = 0;
char filepath[100];
sprintf(filepath,"/proc/%d/task/%d/maps", pid, tid);
FILE* file = fopen(filepath, "r");
jboolean found = JNI_FALSE;
while (fgets(line, sizeof(line), file) && !found) {
sscanf(line,"%llx-%llx %s %llx %s %llx %s", &startaddr, &endaddr, permissions, &offset, device, &inode, filename);
if (((strstr(filename, "apk#classes.dex")))==NULL) {
continue;
}
__android_log_print(ANDROID_LOG_DEBUG, "*****************", "%llx-%llx %s %llx %s %llx %s",
startaddr, endaddr, permissions, offset, device, inode, filename);
start = startaddr;
end = endaddr;
candidate = memchr( start, 0x14, (end-start));
while( candidate !=0 && !found){
if ((candidate[2]== 0x23) &&
(candidate[3] == 0x00) &&
(candidate[4] == 0x42) &&
(candidate[5] == 0x23)){
__android_log_print(ANDROID_LOG_DEBUG,"********************************************************************","WE FOUND IT at %p!!!", candidate);
found = JNI_TRUE;
break;
}
else
candidate=memchr(candidate+1, 0x14, (end-candidate));
}
}
}
This code is working and it can find the magic number but it finds it in the memory region mapped to /data/dalvik-cache/data#app#com.example.magicnumber2-1.apk#classes.dex which is not the Dalvik stack.
However, by running the above code and by looking at these two papers : paper1 (appendix B, only the egg-hunting code, I do not need to change any Dalvik code, so skip the code changing part) and paper2, we can notice the following (also to comments on fadden's remarks below):
(1) It seems that the int value magicNumber is stored in one Dalvik register. Also it seems that it is stored in the Dalvik stack and it is not on the native code stack because the int variable magicNumber is declared and assigned a value in the Java code section.
(2) According to the paper1, this answer and as evidence by running the attached latest code, we are not searching for 0x14 using the memchr function but we want to make sure we are at the beginning of a memory cell that store the int in ARM CPUs.
(3) I do not need to call the findMagicNumber function again. I just need to find the memory address of the magic number in the Dalvik stack
(4) I do not need to find nearby variables to the MagicNumber, so this is not a problem in my case.
(5) The project is targeting only Dalvik, so ART is not a problem
(6) I agree, using mprotect() is not a good idea and was not necessary in my case.
(7) If you refer to paper2, you can see that access() can be used for something that it is not designed for, checking if a virtual memory address is valid or not. I’m not using access() for any file related operations, although it was written for that purpose
(8) I do not need to change the variable. I just need the address of the variable magicNumber on the Dalvik stack programmatically without using any tool or changing the Dalvik source code
I want to know which of the memory regions of /proc/pid/task/tid/maps Dalvik uses to store its stack.
As you can see in paper1, the authors in section B.2, line #4, did not explain which memory region from procs/maps they used to assign the start and end variables their values.
It looks like you're trying to open /proc/[pid]/task/[tid]/maps, walk through the map, and manually scan through every address range for a magic number. Setting aside the fact that you're opening the task directory rather than the maps magic file in that directory, this approach has a few problems:
You're not guaranteed that the value is unique. If it appears somewhere else in memory -- perhaps because the value was stored in two different Dalvik registers -- you'll be in the wrong place. If the JIT compiler has compiled this stretch of code, you don't know if the "active" value will be on the managed stack or in a spilled register on the native stack.
You're searching for 0x14, which isn't part of your magic number.
You're scanning for the local variable on the thread that created it. Even if you find it and can change it, once the findMagicNumber method returns, the stack-allocated variable will disappear. It's not guaranteed to be in the same place if the method is called again.
If you were hoping to find related variables nearby, you will again have trouble if the JIT compiler rearranges things.
ART compiles almost everything ahead of time, so this is even less likely to be useful there.
I'm also not sure why you're calling mprotect(), rather than simply skipping the segments that aren't readable. You're forcing the permissions to read-only, disabling write and execute permission, which will cause you to crash when execute permission is disabled for the chunk of code that's executing, or when a thread tries to execute and touches its stack.
The access() system call takes a filename, not a memory address, and reports file permissions. I don't think there's an "is this address valid" call, but since you just sscanf'ed the map entry you shouldn't need one.
The only reliable way to find and change the value of a local variable is to use the JDWP debug interface. The compiler and debugger support work together to make reliable read-write access to local variables possible.
To sum up: the code is seriously broken, the approach is unsound. What problem are you trying to solve?
I am trying to compile the code in the 2nd paragraph as a device driver, and I get the following errors. Any ideas why I get this error and how to fix it please?
drivers/char/tbt/tbt.c:61:1: error: unknown field 'ioctl' specified in initializer
drivers/char/tbt/tbt.c:61:1: warning: initialization from incompatible pointer type [enabled by default]
#include <linux/module.h>
#include <linux/fs.h>
#define HELLO_MAJOR 234
static int debug_enable = 0;
module_param(debug_enable, int, 0);
MODULE_PARM_DESC(debug_enable, "Enable module debug mode.");
struct file_operations hello_fops;
static int hello_open(struct inode *inode, struct file *file)
{
printk("hello_open: successful\n");
return 0;
}
static int hello_release(struct inode *inode, struct file *file)
{
printk("hello_release: successful\n");
return 0;
}
static ssize_t hello_read(struct file *file, char *buf, size_t count,
loff_t *ptr)
{
printk("hello_read: returning zero bytes\n");
return 0;
}
static ssize_t hello_write(struct file *file, const char *buf,
size_t count, loff_t * ppos)
{
printk("hello_read: accepting zero bytes\n");
return 0;
}
static long hello_ioctl(struct file *filep,
unsigned int cmd, unsigned long arg)
{
printk("hello_ioctl: cmd=%ld, arg=%ld\n", cmd, arg);
return 0;
}
static int __init hello_init(void)
{
int ret;
printk("Hello Example Init - debug mode is %s\n",
debug_enable ? "enabled" : "disabled");
ret = register_chrdev(HELLO_MAJOR, "hello1", &hello_fops);
if (ret < 0) {
printk("Error registering hello device\n");
goto hello_fail1;
}
printk("Hello: registered module successfully!\n");
/* Init processing here... */
return 0;
hello_fail1:
return ret;
}
static void __exit hello_exit(void)
{
printk("Hello Example Exit\n");
}
struct file_operations hello_fops = {
owner: THIS_MODULE,
read: hello_read,
write: hello_write,
unloced_ioctl: hello_ioctl,
open: hello_open,
release: hello_release,
};
...
This is a sample code for a loadable module. I have already loaded a smaller version of it. This one is supposed to have more functionality. It comes with another file, which is supposed to run from the user space. Any hints on where I can put that code within the project is greatly appreciated.
I found another link about this issue. The problem and the solution are described here I made the modifications they suggested in the above file, but now I get a different error about the updated lines as follows:
drivers/char/tos/tos.c:34:1: warning: format '%ld' expects argument of type 'long int', but argument 2 has type 'unsigned int' [-Wformat]
error, forbidden warning: tbt.c:34
make[3]: *** [drivers/char/tbt/tbt.o] Error 1
make[2]: *** [drivers/char/tbt] Error 2
make[1]: *** [drivers/char] Error 2
make: *** [drivers] Error 2
So I changed the following procedure as follow:
static long hello_ioctl(struct file *filep,
unsigned long cmd, unsigned long arg)
{
printk("hello_ioctl: cmd=%ld, arg=%ld\n", cmd, arg);
return 0;
}
# nsilent - I was up for a very long time and was not thinking clearly. I see now, it only makes sense to change the print type to be the same as the variable you are printing. Thanks for catching the misspelling also.
When compiling the LG stock kernel from source I get an "Initialization from incompatible pointer type" error on the following line:
.detect = mmc_detect
found within this declaration:
static const struct mmc_bus_ops mmc_ops = {
.awake = mmc_awake,
.sleep = mmc_sleep,
.remove = mmc_remove,
.detect = mmc_detect,
.suspend = NULL,
.resume = NULL,
.power_restore = mmc_power_restore,
.alive = mmc_alive,
.change_bus_speed = mmc_change_bus_speed,
};
mmc_bus_ops is declared like this:
struct mmc_bus_ops {
int (*awake)(struct mmc_host *);
int (*sleep)(struct mmc_host *);
void (*remove)(struct mmc_host *);
#ifdef CONFIG_MACH_LGE
int (*detect)(struct mmc_host *);
#else
void (*detect)(struct mmc_host *);
#endif
int (*suspend)(struct mmc_host *);
int (*resume)(struct mmc_host *);
int (*power_save)(struct mmc_host *);
int (*power_restore)(struct mmc_host *);
int (*alive)(struct mmc_host *);
int (*change_bus_speed)(struct mmc_host *, unsigned long *);
};
and mmc_detect like this:
static int mmc_detect(struct mmc_host *host)
{
int err;
BUG_ON(!host);
BUG_ON(!host->card);
mmc_rpm_hold(host, &host->card->dev);
mmc_claim_host(host);
/*
* Just check if our card has been removed.
*/
err = _mmc_detect_card_removed(host);
mmc_release_host(host);
/*
* if detect fails, the device would be removed anyway;
* the rpm framework would mark the device state suspended.
*/
if (!err)
mmc_rpm_release(host, &host->card->dev);
if (err) {
mmc_remove(host);
mmc_claim_host(host);
mmc_detach_bus(host);
mmc_power_off(host);
mmc_release_host(host);
}
return 0;
}
My guess is that the problem here is that mmc_bus_ops.detect is declared as a pointer, but mmc_detect as a normal int. However, as far as I can tell this is also true for mmc_bus_ops.awake and mmc_awake, but that doesn't create any errors. The question is how to fix this and how come I get these errors in the stock kernel? If LG can compile the kernel in this state, why do I have to edit everything first? Any help and explanation is greatly appreciated!
void (*detect)(struct mmc_host *) is a pointer to a function declared as void func( struct mmc_host* arg). Notice the void return type.
int mmc_detect(struct mmc_host *host) has an int return type and is therefore incompatible.
Since mmc_detect only ever returns 0, and hence the return value is irrelevant, the pointer assignment may be logically acceptable, but may break the compiled code.
If LG can compile this code, then maybe they are using some other compiler flags, allowing warnings to be issued instead of errors. See for example -pedantic-errors for gcc; there are a bunch of other options to set to more or less strictly enforce or forbid certain code structures.
I have strange problems with thread affinity. I have created a program in C:
#define _GNU_SOURCE
#include<stdio.h>
#include <sys/syscall.h>
#include<string.h>
#include<pthread.h>
#include<stdlib.h>
#include<unistd.h>
#include <time.h>
#include <errno.h>
#define handle_error_en(en, msg) \
do { errno = en; perror(msg); exit(EXIT_FAILURE); } while (0)
#define NANOS 1000000000LL
#define SIZE 1000
void* mesaureTime(void *cpu)
{
unsigned long i = 0;
int s;
cpu_set_t cpuset;
struct timespec start, end;
long elapsed;
pthread_t id = pthread_self();
CPU_ZERO(&cpuset);
CPU_SET(*(int *) cpu, &cpuset);
s = pthread_setaffinity_np(id, sizeof(cpu_set_t), &cpuset);
if (s != 0)
handle_error_en(s, "pthread_setaffinity_np");
if(pthread_equal(id,tid[0]))
printf("Realizando test...\n");
while(i<SIZE){
clock_gettime(CLOCK_MONOTONIC, &start);
// Do some calculation.
factorial(150000);
clock_gettime(CLOCK_MONOTONIC, &end);
arrayTimes[i] = elapsed;
elapsed = end.tv_nsec - start.tv_nsec + (end.tv_sec - start.tv_sec)*NANOS;
i++;
}
printf("Finished\n");
return 0;
}
int factorial(int a){
if (a==1){
return 1;
}else{
a=a*factorial(a-1);
}
return a;
}
int main(int argc, char *argv[])
{
int i = 0;
int err, result;
int *cpu_pointer;
int cpu = atoi(argv[1]);
cpu_pointer = &cpu;
err = pthread_create(&tid[i], NULL, mesaureTime, (void *) cpu_pointer);
if (err != 0)
printf("can't create thread :[%s]", strerror(err));
else
printf("Hilo de test creado satisfactoriamente\n");
pthread_join(tid[0], NULL);
printf("\n Finalizado el test\n");
return 0;
}
This code works well in a Dual Core Intel CPU with Ubuntu, but when I have compiled it with arm-linux-gnueabi-gcc and I have executed in my Android devices (Nexus 4, Nexus 5 and S4), the program can't assign the thread in CPU 2, CPU 3 or CPU 4, it has only worked in CPU 1. The pthread_setaffinity_np function always returns an error (invalid argument) with CPU 2, 3 or 4.
I have read some questions here Is it possible to set affinity with sched_setaffinity in Android? and Android set thread affinity. I have tried it but I have obtain the same result.
The following description from the manual about this error:
EINVAL (pthread_setaffinity_np()) cpuset specified a CPU that was
outside the set supported by the kernel. (The kernel
configuration option CONFIG_NR_CPUS defines the range of the
set supported by the kernel data type used to represent CPU
sets.)
So it looks like your current kernel has been configured/built with CONFIG_NR_CPUS = 1. This seems to be reason your program is not able to set affinity to your threads to run on other core of your machine.
You may have recompile your kernel to achieve this.
I am writting an application for Android which passes a JAVA fd taken from ParcelFileDescriptor.getFd() which according to [1] states that the int I get back is a native fd.
Now, with this fd, I am trying to write it over a unix domain socket to the existing process which is listening. To do this, I am using JNI and I pass the int received above to the JNI function as an argument named fdToSend.
When my JNI code attempts to call sendmsg(), an error occurs stating "Bad file number".
With some help from google, It seems like the socket connection might be closed when I call sendmsg(), but I cannot see how this would be the case.
The sendfd() method is exactly as found in [2].
Below is my bridging JNI function:
JNIEXPORT jint JNICALL Java_com_example_myapp_AppManager_bridgeSendFd(JNIEnv *env, jint fdToSend) {
int fd;
struct sockaddr_un addr;
if ( (fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
__android_log_print(ANDROID_LOG_ERROR, APPNAME, "socket() failed: %s (socket fd = %d)\n", strerror(errno), fd);
return (jint)-1;
}
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
strncpy(addr.sun_path, "/data/data/com.example.myapp/sock_path", sizeof(addr.sun_path)-1);
if (connect(fd, (struct sockaddr*)&addr, sizeof(addr)) == -1) {
__android_log_print(ANDROID_LOG_ERROR, APPNAME, "connect() failed: %s (fd = %d)\n", strerror(errno), fd);
return (jint)-1;
}
return (jint)sendfd(fd, (int)fdToSend);
}
[1] http://developer.android.com/reference/android/os/ParcelFileDescriptor.html#getFd()
[2] https://stackoverflow.com/a/4491203/2796346
Turns out the issue was the JNI function declaration.
The first arg is JNIEnv, the second is jclass THEN it's the values passed in from Java (i.e. for me, fdToSend).
So, my guess is that since I was using the second arg (supposed to be a jclass), then I'm probably getting a memory reference or something weird like that.
As seen here: https://stackoverflow.com/a/10743451/2796346