| /* |
| * Copyright (C) 2019 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <cstring> |
| #include <iostream> |
| #include <memory> |
| #include <sstream> |
| |
| #include <unistd.h> |
| |
| #include <jni.h> |
| |
| #include <jvmti.h> |
| |
| #include <android-base/file.h> |
| #include <android-base/logging.h> |
| #include <android-base/macros.h> |
| #include <android-base/strings.h> |
| #include <android-base/unique_fd.h> |
| |
| #include <fcntl.h> |
| #include <sys/stat.h> |
| #include <sys/wait.h> |
| |
| #include <nativehelper/scoped_utf_chars.h> |
| |
| // We need dladdr. |
| #if !defined(__APPLE__) && !defined(_WIN32) |
| #ifndef _GNU_SOURCE |
| #define _GNU_SOURCE |
| #define DEFINED_GNU_SOURCE |
| #endif |
| #include <dlfcn.h> |
| #ifdef DEFINED_GNU_SOURCE |
| #undef _GNU_SOURCE |
| #undef DEFINED_GNU_SOURCE |
| #endif |
| #endif |
| |
| // Slicer's headers have code that triggers these warnings. b/65298177 |
| #pragma clang diagnostic push |
| #pragma clang diagnostic ignored "-Wunused-parameter" |
| #pragma clang diagnostic ignored "-Wsign-compare" |
| |
| #include <slicer/dex_ir.h> |
| #include <slicer/code_ir.h> |
| #include <slicer/dex_bytecode.h> |
| #include <slicer/dex_ir_builder.h> |
| #include <slicer/writer.h> |
| #include <slicer/reader.h> |
| |
| #pragma clang diagnostic pop |
| |
| namespace { |
| |
| JavaVM* gJavaVM = nullptr; |
| bool gForkCrash = false; |
| bool gJavaCrash = false; |
| |
| // Converts a class name to a type descriptor |
| // (ex. "java.lang.String" to "Ljava/lang/String;") |
| std::string classNameToDescriptor(const char* className) { |
| std::stringstream ss; |
| ss << "L"; |
| for (auto p = className; *p != '\0'; ++p) { |
| ss << (*p == '.' ? '/' : *p); |
| } |
| ss << ";"; |
| return ss.str(); |
| } |
| |
| using namespace dex; |
| using namespace lir; |
| |
| class Transformer { |
| public: |
| explicit Transformer(std::shared_ptr<ir::DexFile> dexIr) : dexIr_(dexIr) {} |
| |
| bool transform() { |
| bool classModified = false; |
| |
| std::unique_ptr<ir::Builder> builder; |
| |
| for (auto& method : dexIr_->encoded_methods) { |
| // Do not look into abstract/bridge/native/synthetic methods. |
| if ((method->access_flags & (kAccAbstract | kAccBridge | kAccNative | kAccSynthetic)) |
| != 0) { |
| continue; |
| } |
| |
| struct HookVisitor: public Visitor { |
| HookVisitor(Transformer* transformer, CodeIr* c_ir) |
| : transformer(transformer), cIr(c_ir) { |
| } |
| |
| bool Visit(Bytecode* bytecode) override { |
| if (bytecode->opcode == OP_MONITOR_ENTER) { |
| insertHook(bytecode, true, |
| reinterpret_cast<VReg*>(bytecode->operands[0])->reg); |
| return true; |
| } |
| if (bytecode->opcode == OP_MONITOR_EXIT) { |
| insertHook(bytecode, false, |
| reinterpret_cast<VReg*>(bytecode->operands[0])->reg); |
| return true; |
| } |
| return false; |
| } |
| |
| void insertHook(lir::Instruction* before, bool pre, u4 reg) { |
| transformer->preparePrePost(); |
| transformer->addCall(cIr, before, OP_INVOKE_STATIC_RANGE, |
| transformer->hookType_, pre ? "preLock" : "postLock", |
| transformer->voidType_, transformer->objectType_, reg); |
| myModified = true; |
| } |
| |
| Transformer* transformer; |
| CodeIr* cIr; |
| bool myModified = false; |
| }; |
| |
| CodeIr c(method.get(), dexIr_); |
| bool methodModified = false; |
| |
| HookVisitor visitor(this, &c); |
| for (auto it = c.instructions.begin(); it != c.instructions.end(); ++it) { |
| lir::Instruction* fi = *it; |
| fi->Accept(&visitor); |
| } |
| methodModified |= visitor.myModified; |
| |
| if (methodModified) { |
| classModified = true; |
| c.Assemble(); |
| } |
| } |
| |
| return classModified; |
| } |
| |
| private: |
| void preparePrePost() { |
| // Insert "void LockHook.(pre|post)(Object o)." |
| |
| prepareBuilder(); |
| |
| if (voidType_ == nullptr) { |
| voidType_ = builder_->GetType("V"); |
| } |
| if (hookType_ == nullptr) { |
| hookType_ = builder_->GetType("Lcom/android/lock_checker/LockHook;"); |
| } |
| if (objectType_ == nullptr) { |
| objectType_ = builder_->GetType("Ljava/lang/Object;"); |
| } |
| } |
| |
| void prepareBuilder() { |
| if (builder_ == nullptr) { |
| builder_ = std::unique_ptr<ir::Builder>(new ir::Builder(dexIr_)); |
| } |
| } |
| |
| static void addInst(CodeIr* cIr, lir::Instruction* instructionAfter, Opcode opcode, |
| const std::list<Operand*>& operands) { |
| auto instruction = cIr->Alloc<Bytecode>(); |
| |
| instruction->opcode = opcode; |
| |
| for (auto it = operands.begin(); it != operands.end(); it++) { |
| instruction->operands.push_back(*it); |
| } |
| |
| cIr->instructions.InsertBefore(instructionAfter, instruction); |
| } |
| |
| void addCall(CodeIr* cIr, lir::Instruction* instructionAfter, Opcode opcode, ir::Type* type, |
| const char* methodName, ir::Type* returnType, |
| const std::vector<ir::Type*>& types, const std::list<int>& regs) { |
| auto proto = builder_->GetProto(returnType, builder_->GetTypeList(types)); |
| auto method = builder_->GetMethodDecl(builder_->GetAsciiString(methodName), proto, type); |
| |
| VRegList* paramRegs = cIr->Alloc<VRegList>(); |
| for (auto it = regs.begin(); it != regs.end(); it++) { |
| paramRegs->registers.push_back(*it); |
| } |
| |
| addInst(cIr, instructionAfter, opcode, |
| { paramRegs, cIr->Alloc<Method>(method, method->orig_index) }); |
| } |
| |
| void addCall(CodeIr* cIr, lir::Instruction* instructionAfter, Opcode opcode, ir::Type* type, |
| const char* methodName, ir::Type* returnType, ir::Type* paramType, |
| u4 paramVReg) { |
| auto proto = builder_->GetProto(returnType, builder_->GetTypeList( { paramType })); |
| auto method = builder_->GetMethodDecl(builder_->GetAsciiString(methodName), proto, type); |
| |
| VRegRange* args = cIr->Alloc<VRegRange>(paramVReg, 1); |
| |
| addInst(cIr, instructionAfter, opcode, |
| { args, cIr->Alloc<Method>(method, method->orig_index) }); |
| } |
| |
| std::shared_ptr<ir::DexFile> dexIr_; |
| std::unique_ptr<ir::Builder> builder_; |
| |
| ir::Type* voidType_ = nullptr; |
| ir::Type* hookType_ = nullptr; |
| ir::Type* objectType_ = nullptr; |
| }; |
| |
| std::pair<dex::u1*, size_t> maybeTransform(const char* name, size_t classDataLen, |
| const unsigned char* classData, dex::Writer::Allocator* allocator) { |
| // Isolate byte code of class class. This is needed as Android usually gives us more |
| // than the class we need. |
| dex::Reader reader(classData, classDataLen); |
| |
| dex::u4 index = reader.FindClassIndex(classNameToDescriptor(name).c_str()); |
| CHECK_NE(index, kNoIndex); |
| reader.CreateClassIr(index); |
| std::shared_ptr<ir::DexFile> ir = reader.GetIr(); |
| |
| { |
| Transformer transformer(ir); |
| if (!transformer.transform()) { |
| return std::make_pair(nullptr, 0); |
| } |
| } |
| |
| size_t new_size; |
| dex::Writer writer(ir); |
| dex::u1* newClassData = writer.CreateImage(allocator, &new_size); |
| return std::make_pair(newClassData, new_size); |
| } |
| |
| void transformHook(jvmtiEnv* jvmtiEnv, JNIEnv* env ATTRIBUTE_UNUSED, |
| jclass classBeingRedefined ATTRIBUTE_UNUSED, jobject loader, const char* name, |
| jobject protectionDomain ATTRIBUTE_UNUSED, jint classDataLen, |
| const unsigned char* classData, jint* newClassDataLen, unsigned char** newClassData) { |
| // Even reading the classData array is expensive as the data is only generated when the |
| // memory is touched. Hence call JvmtiAgent#shouldTransform to check if we need to transform |
| // the class. |
| |
| // Skip bootclasspath classes. TODO: Make this configurable. |
| if (loader == nullptr) { |
| return; |
| } |
| |
| // Do not look into java.* classes. Should technically be filtered by above, but when that's |
| // configurable have this. |
| if (strncmp("java", name, 4) == 0) { |
| return; |
| } |
| |
| // Do not look into our Java classes. |
| if (strncmp("com/android/lock_checker", name, 24) == 0) { |
| return; |
| } |
| |
| class JvmtiAllocator: public dex::Writer::Allocator { |
| public: |
| explicit JvmtiAllocator(::jvmtiEnv* jvmti) : |
| jvmti_(jvmti) { |
| } |
| |
| void* Allocate(size_t size) override { |
| unsigned char* res = nullptr; |
| jvmti_->Allocate(size, &res); |
| return res; |
| } |
| |
| void Free(void* ptr) override { |
| jvmti_->Deallocate(reinterpret_cast<unsigned char*>(ptr)); |
| } |
| |
| private: |
| ::jvmtiEnv* jvmti_; |
| }; |
| JvmtiAllocator allocator(jvmtiEnv); |
| std::pair<dex::u1*, size_t> result = maybeTransform(name, classDataLen, classData, |
| &allocator); |
| |
| if (result.second > 0) { |
| *newClassData = result.first; |
| *newClassDataLen = static_cast<jint>(result.second); |
| } |
| } |
| |
| void dataDumpRequestHook(jvmtiEnv* jvmtiEnv ATTRIBUTE_UNUSED) { |
| if (gJavaVM == nullptr) { |
| LOG(ERROR) << "No JavaVM for dump"; |
| return; |
| } |
| JNIEnv* env; |
| if (gJavaVM->GetEnv(reinterpret_cast<void**>(&env), JNI_VERSION_1_6) != JNI_OK) { |
| LOG(ERROR) << "Could not get env for dump"; |
| return; |
| } |
| jclass lockHookClass = env->FindClass("com/android/lock_checker/LockHook"); |
| if (lockHookClass == nullptr) { |
| env->ExceptionClear(); |
| LOG(ERROR) << "Could not find LockHook class"; |
| return; |
| } |
| jmethodID dumpId = env->GetStaticMethodID(lockHookClass, "dump", "()V"); |
| if (dumpId == nullptr) { |
| env->ExceptionClear(); |
| LOG(ERROR) << "Could not find LockHook.dump"; |
| return; |
| } |
| env->CallStaticVoidMethod(lockHookClass, dumpId); |
| env->ExceptionClear(); |
| } |
| |
| // A function for dladdr to search. |
| extern "C" __attribute__ ((visibility ("default"))) void lock_agent_tag_fn() { |
| } |
| |
| bool fileExists(const std::string& path) { |
| struct stat statBuf; |
| int rc = stat(path.c_str(), &statBuf); |
| return rc == 0; |
| } |
| |
| std::string findLockAgentJar() { |
| // Check whether the jar is located next to the agent's so. |
| #ifndef __APPLE__ |
| { |
| Dl_info info; |
| if (dladdr(reinterpret_cast<const void*>(&lock_agent_tag_fn), /* out */ &info) != 0) { |
| std::string lockAgentSoPath = info.dli_fname; |
| std::string dir = android::base::Dirname(lockAgentSoPath); |
| std::string lockAgentJarPath = dir + "/" + "lockagent.jar"; |
| if (fileExists(lockAgentJarPath)) { |
| return lockAgentJarPath; |
| } |
| } else { |
| LOG(ERROR) << "dladdr failed"; |
| } |
| } |
| #endif |
| |
| std::string sysFrameworkPath = "/system/framework/lockagent.jar"; |
| if (fileExists(sysFrameworkPath)) { |
| return sysFrameworkPath; |
| } |
| |
| std::string relPath = "lockagent.jar"; |
| if (fileExists(relPath)) { |
| return relPath; |
| } |
| |
| return ""; |
| } |
| |
| void prepareHook(jvmtiEnv* env) { |
| // Inject the agent Java code. |
| { |
| std::string path = findLockAgentJar(); |
| if (path.empty()) { |
| LOG(FATAL) << "Could not find lockagent.jar"; |
| } |
| LOG(INFO) << "Will load Java parts from " << path; |
| jvmtiError res = env->AddToBootstrapClassLoaderSearch(path.c_str()); |
| if (res != JVMTI_ERROR_NONE) { |
| LOG(FATAL) << "Could not add lockagent from " << path << " to boot classpath: " << res; |
| } |
| } |
| |
| jvmtiCapabilities caps; |
| memset(&caps, 0, sizeof(caps)); |
| caps.can_retransform_classes = 1; |
| |
| if (env->AddCapabilities(&caps) != JVMTI_ERROR_NONE) { |
| LOG(FATAL) << "Could not add caps"; |
| } |
| |
| jvmtiEventCallbacks cb; |
| memset(&cb, 0, sizeof(cb)); |
| cb.ClassFileLoadHook = transformHook; |
| cb.DataDumpRequest = dataDumpRequestHook; |
| |
| if (env->SetEventCallbacks(&cb, sizeof(cb)) != JVMTI_ERROR_NONE) { |
| LOG(FATAL) << "Could not set cb"; |
| } |
| |
| if (env->SetEventNotificationMode(JVMTI_ENABLE, JVMTI_EVENT_CLASS_FILE_LOAD_HOOK, nullptr) |
| != JVMTI_ERROR_NONE) { |
| LOG(FATAL) << "Could not enable events"; |
| } |
| if (env->SetEventNotificationMode(JVMTI_ENABLE, JVMTI_EVENT_DATA_DUMP_REQUEST, nullptr) |
| != JVMTI_ERROR_NONE) { |
| LOG(FATAL) << "Could not enable events"; |
| } |
| } |
| |
| jint attach(JavaVM* vm, char* options, void* reserved ATTRIBUTE_UNUSED) { |
| gJavaVM = vm; |
| |
| jvmtiEnv* env; |
| jint jvmError = vm->GetEnv(reinterpret_cast<void**>(&env), JVMTI_VERSION_1_2); |
| if (jvmError != JNI_OK) { |
| return jvmError; |
| } |
| |
| prepareHook(env); |
| |
| std::vector<std::string> config = android::base::Split(options, ","); |
| for (const std::string& c : config) { |
| if (c == "native_crash") { |
| gForkCrash = true; |
| } else if (c == "java_crash") { |
| gJavaCrash = true; |
| } |
| } |
| |
| return JVMTI_ERROR_NONE; |
| } |
| |
| extern "C" JNIEXPORT |
| jboolean JNICALL Java_com_android_lock_1checker_LockHook_getNativeHandlingConfig(JNIEnv*, jclass) { |
| return gForkCrash ? JNI_TRUE : JNI_FALSE; |
| } |
| |
| extern "C" JNIEXPORT jboolean JNICALL |
| Java_com_android_lock_1checker_LockHook_getSimulateCrashConfig(JNIEnv*, jclass) { |
| return gJavaCrash ? JNI_TRUE : JNI_FALSE; |
| } |
| |
| extern "C" JNIEXPORT void JNICALL Java_com_android_lock_1checker_LockHook_nWtf(JNIEnv* env, jclass, |
| jstring msg) { |
| if (!gForkCrash || msg == nullptr) { |
| return; |
| } |
| |
| // Create a native crash with the given message. Decouple from the current crash to create a |
| // tombstone but continue on. |
| // |
| // TODO: Once there are not so many reports, consider making this fatal for the calling process. |
| ScopedUtfChars utf(env, msg); |
| if (utf.c_str() == nullptr) { |
| return; |
| } |
| const char* args[] = { |
| "/system/bin/lockagent_crasher", |
| utf.c_str(), |
| nullptr |
| }; |
| pid_t pid = fork(); |
| if (pid < 0) { |
| return; |
| } |
| if (pid == 0) { |
| // Double fork so we return quickly. Leave init to deal with the zombie. |
| pid_t pid2 = fork(); |
| if (pid2 == 0) { |
| execv(args[0], const_cast<char* const*>(args)); |
| _exit(1); |
| __builtin_unreachable(); |
| } |
| _exit(0); |
| __builtin_unreachable(); |
| } |
| int status; |
| waitpid(pid, &status, 0); // Ignore any results. |
| } |
| |
| extern "C" JNIEXPORT jint JNICALL Agent_OnAttach(JavaVM* vm, char* options, void* reserved) { |
| return attach(vm, options, reserved); |
| } |
| |
| extern "C" JNIEXPORT jint JNICALL Agent_OnLoad(JavaVM* vm, char* options, void* reserved) { |
| return attach(vm, options, reserved); |
| } |
| |
| int locktest_main(int argc, char *argv[]) { |
| if (argc != 3) { |
| LOG(FATAL) << "Need two arguments: dex-file class-name"; |
| } |
| struct stat statBuf; |
| int rc = stat(argv[1], &statBuf); |
| if (rc != 0) { |
| PLOG(FATAL) << "Could not get file size for " << argv[1]; |
| } |
| std::unique_ptr<char[]> data(new char[statBuf.st_size]); |
| { |
| android::base::unique_fd fd(open(argv[1], O_RDONLY)); |
| if (fd.get() == -1) { |
| PLOG(FATAL) << "Could not open file " << argv[1]; |
| } |
| if (!android::base::ReadFully(fd.get(), data.get(), statBuf.st_size)) { |
| PLOG(FATAL) << "Could not read file " << argv[1]; |
| } |
| } |
| |
| class NewDeleteAllocator: public dex::Writer::Allocator { |
| public: |
| explicit NewDeleteAllocator() { |
| } |
| |
| void* Allocate(size_t size) override { |
| return new char[size]; |
| } |
| |
| void Free(void* ptr) override { |
| delete[] reinterpret_cast<char*>(ptr); |
| } |
| }; |
| NewDeleteAllocator allocator; |
| |
| std::pair<dex::u1*, size_t> result = maybeTransform(argv[2], statBuf.st_size, |
| reinterpret_cast<unsigned char*>(data.get()), &allocator); |
| |
| if (result.second == 0) { |
| LOG(INFO) << "No transformation"; |
| return 0; |
| } |
| |
| std::string newName(argv[1]); |
| newName.append(".new"); |
| |
| { |
| android::base::unique_fd fd( |
| open(newName.c_str(), O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR)); |
| if (fd.get() == -1) { |
| PLOG(FATAL) << "Could not open file " << newName; |
| } |
| if (!android::base::WriteFully(fd.get(), result.first, result.second)) { |
| PLOG(FATAL) << "Could not write file " << newName; |
| } |
| } |
| LOG(INFO) << "Transformed file written to " << newName; |
| |
| return 0; |
| } |
| |
| } // namespace |
| |
| int main(int argc, char *argv[]) { |
| return locktest_main(argc, argv); |
| } |