Use debugger rendez-vous to obtain memory mappings

Author: marti4d

Cargo.lock

@@ -28,6 +28,7 @@ thiserror = "2.0"
 libc = "0.2"
 goblin = "0.9.2"
 memmap2 = "0.9"
+plain = { version = "0.2.3", default-features = false }
 
 [target.'cfg(any(target_os = "linux", target_os = "android"))'.dependencies]
 nix = { version = "0.29", default-features = false, features = [

Cargo.toml

@@ -28,5 +28,6 @@ failspot::failspot_name! {
         ThreadName,
         SuspendThreads,
         CpuInfoFileOpen,
+        EnumerateMappingsFromProc,
     }
 }

src/lib.rs

@@ -114,10 +114,10 @@ pub enum AndroidError {
 }
 
 #[derive(Debug, Error, serde::Serialize)]
-#[error("Copy from process {child} failed (source {src}, offset: {offset}, length: {length})")]
+#[error("Copy from process {child} failed (address {address}, offset: {offset}, length: {length})")]
 pub struct CopyFromProcessError {
     pub child: Pid,
-    pub src: usize,
+    pub address: usize,
     pub offset: usize,
     pub length: usize,
     #[serde(serialize_with = "serialize_nix_error")]

src/linux/errors.rs

@@ -1,8 +1,19 @@
+#[cfg(not(target_pointer_width = "64"))]
+use goblin::elf32 as elf;
+#[cfg(target_pointer_width = "64")]
+use goblin::elf64 as elf;
+
 use {
-    crate::{auxv::AuxvType, errors::MapsReaderError},
+    super::mem_reader::MemReader,
+    crate::{auxv::AuxvType, errors::MapsReaderError, linux::Pid, serializers::*},
     byteorder::{NativeEndian, ReadBytesExt},
-    goblin::elf,
+    elf::{
+        dynamic::{Dyn, DT_DEBUG},
+        header::Header as ElfHeader,
+        program_header::{ProgramHeader, PF_R, PF_W, PF_X, PT_DYNAMIC, PT_LOAD, PT_PHDR},
+    },
     memmap2::{Mmap, MmapOptions},
+    plain::Plain,
     procfs_core::process::{MMPermissions, MMapPath, MemoryMaps},
     std::{
         ffi::{OsStr, OsString},
@@ -61,6 +72,72 @@ pub enum MappingInfoParsingResult {
     Success(MappingInfo),
 }
 
+#[allow(non_camel_case_types)]
+#[repr(C)]
+#[derive(Debug)]
+struct r_debug {
+    r_version: std::ffi::c_int,
+    r_map: usize,
+    r_brk: usize,
+    r_state: u8,
+    r_ldbase: usize,
+}
+
+unsafe impl Plain for r_debug {}
+
+#[allow(non_camel_case_types)]
+#[repr(C)]
+#[derive(Debug)]
+struct link_map {
+    l_addr: usize,
+    l_name: usize,
+    l_ld: usize,
+    l_next: usize,
+    l_prev: usize,
+}
+
+unsafe impl Plain for link_map {}
+
+#[derive(Debug, thiserror::Error, serde::Serialize)]
+pub enum FromDebuggerRendezvousError {
+    #[error("failed to read program header table")]
+    #[serde(serialize_with = "serialize_io_error")]
+    ReadProgramHeaderTableFailed(#[source] std::io::Error),
+    #[error("program header table missing self-pointer")]
+    ProgramHeaderTableNoSelf,
+    #[error("program header table missing dynamic section")]
+    ProgramHeaderTableNoDynamic,
+    #[error("failed to read ELF header")]
+    #[serde(serialize_with = "serialize_io_error")]
+    ReadElfHeaderFailed(#[source] std::io::Error),
+    #[error("ELF header had invalid identifer bytes: `{0:?}`")]
+    InvalidElfSignature([u8; 4]),
+    #[error("unexpected size for dynamic section `{0}`")]
+    InvalidDynamicSectionSize(usize),
+    #[error("dynamic section missing NULL entry")]
+    DynamicSectionMissingTerminator,
+    #[error("failed to read dynamic section")]
+    #[serde(serialize_with = "serialize_io_error")]
+    ReadDynamicSectionFailed(#[source] std::io::Error),
+    #[error("failed to find DT_DEBUG entry in dynamic section")]
+    MissingDebugEntry,
+    #[error("failed to read debugger rendezvous address")]
+    #[serde(serialize_with = "serialize_io_error")]
+    ReadDebuggerRendezvousAddressFailed(#[source] std::io::Error),
+    #[error("unexpected debugger rendezvous version '{0}'")]
+    UnexpectedDebuggerRendezvousVersion(i32),
+    #[error("an error occurred iterating the link_map linked list")]
+    IterateLinkMapFailed(#[source] Box<FromDebuggerRendezvousError>),
+    #[error("failed reading link_map entry")]
+    #[serde(serialize_with = "serialize_io_error")]
+    ReadLinkMapEntryFailed(#[source] std::io::Error),
+    #[error("invalid link entry")]
+    InvalidLinkEntry,
+    #[error("failed reading module name")]
+    #[serde(serialize_with = "serialize_io_error")]
+    ReadModuleNameFailed(#[source] std::io::Error),
+}
+
 fn is_mapping_a_path(pathname: Option<&OsStr>) -> bool {
     match pathname {
         Some(x) => x.as_bytes().contains(&b'/'),
@@ -93,6 +170,187 @@ impl MappingInfo {
         self.start_address + self.size
     }
 
+    pub fn from_debugger_rendezvous(
+        pid: Pid,
+        program_header_table_address: usize,
+        program_header_count: usize,
+    ) -> std::result::Result<Vec<Self>, FromDebuggerRendezvousError> {
+        use FromDebuggerRendezvousError as E;
+
+        let mut memory_reader = MemReader::new(pid);
+
+        let program_headers: Vec<ProgramHeader> = memory_reader
+            .read_pod_vec(program_header_table_address, program_header_count)
+            .map_err(E::ReadProgramHeaderTableFailed)?;
+
+        let program_header_table_virtual_address = program_headers
+            .iter()
+            .find_map(|hdr| (hdr.p_type == PT_PHDR).then_some(hdr.p_vaddr))
+            .map(|a| usize::try_from(a).unwrap())
+            .ok_or(E::ProgramHeaderTableNoSelf)?;
+
+        let (dynamic_segment_virtual_address, dynamic_segment_size) = program_headers
+            .iter()
+            .find_map(|hdr| (hdr.p_type == PT_DYNAMIC).then_some((hdr.p_vaddr, hdr.p_memsz)))
+            .map(|(a, b)| (usize::try_from(a).unwrap(), usize::try_from(b).unwrap()))
+            .ok_or(E::ProgramHeaderTableNoDynamic)?;
+
+        let elf_header_address =
+            program_header_table_address - program_header_table_virtual_address;
+        let dynamic_segment_address = elf_header_address + dynamic_segment_virtual_address;
+
+        // Let's make sure we can locate and parse the ELF header to ensure we didn't somehow read garbage.
+        let elf_header: ElfHeader = memory_reader
+            .read_pod(elf_header_address)
+            .map_err(E::ReadElfHeaderFailed)?;
+
+        validate_elf_signature(&elf_header)?;
+
+        // Check that the dynamic section size is a multiple of the size of a dynamic entry
+        if dynamic_segment_size % std::mem::size_of::<Dyn>() != 0 {
+            return Err(E::InvalidDynamicSectionSize(dynamic_segment_size));
+        }
+
+        let dynamic_section: Vec<Dyn> = memory_reader
+            .read_pod_vec(
+                dynamic_segment_address,
+                dynamic_segment_size / std::mem::size_of::<Dyn>(),
+            )
+            .map_err(E::ReadDynamicSectionFailed)?;
+
+        if dynamic_section.last() != Some(&Dyn::default()) {
+            return Err(E::DynamicSectionMissingTerminator);
+        }
+
+        let debugger_rendezvous_address = dynamic_section
+            .iter()
+            .find_map(|d| (d.d_tag == DT_DEBUG).then_some(d.d_val))
+            .map(|a| usize::try_from(a).unwrap())
+            .ok_or(E::MissingDebugEntry)?;
+
+        let debugger_rendezvous: r_debug = memory_reader
+            .read_pod(debugger_rendezvous_address)
+            .map_err(E::ReadDebuggerRendezvousAddressFailed)?;
+
+        if debugger_rendezvous.r_version != 1 {
+            return Err(E::UnexpectedDebuggerRendezvousVersion(
+                debugger_rendezvous.r_version,
+            ));
+        }
+
+        Self::read_link_map(&mut memory_reader, debugger_rendezvous.r_map)
+            .map_err(|e| E::IterateLinkMapFailed(Box::new(e)))
+    }
+
+    fn read_link_map(
+        memory_reader: &mut MemReader,
+        link_map_address: usize,
+    ) -> std::result::Result<Vec<MappingInfo>, FromDebuggerRendezvousError> {
+        use FromDebuggerRendezvousError as E;
+
+        let mut link: link_map = memory_reader
+            .read_pod(link_map_address)
+            .map_err(E::ReadLinkMapEntryFailed)?;
+
+        if link.l_prev != 0 {
+            return Err(E::InvalidLinkEntry);
+        }
+
+        let mut result: Vec<MappingInfo> = Vec::new();
+
+        loop {
+            let name = {
+                let mut buf = Vec::new();
+                memory_reader
+                    .read_until(link.l_name, 0, &mut buf)
+                    .map_err(E::ReadModuleNameFailed)?;
+                buf.pop();
+                OsString::from(String::from_utf8(buf).unwrap())
+            };
+
+            let module_elf_header_address = link.l_addr;
+            let module_elf_header: ElfHeader = memory_reader
+                .read_pod(module_elf_header_address)
+                .map_err(E::ReadElfHeaderFailed)?;
+            validate_elf_signature(&module_elf_header)?;
+
+            let module_program_header_virtual_address =
+                usize::try_from(module_elf_header.e_phoff).unwrap();
+            let module_program_header_address =
+                module_elf_header_address + module_program_header_virtual_address;
+            let module_program_header_len = usize::from(module_elf_header.e_phnum);
+            let module_program_headers: Vec<ProgramHeader> = memory_reader
+                .read_pod_vec(module_program_header_address, module_program_header_len)
+                .map_err(E::ReadProgramHeaderTableFailed)?;
+
+            for module_program_header in module_program_headers
+                .iter()
+                .filter(|x| x.p_type == PT_LOAD)
+            {
+                let segment_virtual_address =
+                    usize::try_from(module_program_header.p_vaddr).unwrap();
+                let segment_address = module_elf_header_address + segment_virtual_address;
+                let segment_len = usize::try_from(module_program_header.p_memsz).unwrap();
+                let segment_end_address = segment_address + segment_len;
+                let segment_offset = usize::try_from(module_program_header.p_offset).unwrap();
+
+                // Round each of these down or up to the nearest page
+                let segment_address = segment_address / 4096 * 4096;
+                let segment_offset = segment_offset / 4096 * 4096;
+                let segment_end_address = segment_end_address.div_ceil(4096) * 4096;
+                let segment_len = segment_end_address - segment_address;
+
+                let mut permissions = MMPermissions::empty();
+                if module_program_header.p_flags & PF_R != 0 {
+                    permissions.insert(MMPermissions::READ);
+                }
+                if module_program_header.p_flags & PF_W != 0 {
+                    permissions.insert(MMPermissions::WRITE);
+                }
+                if module_program_header.p_flags & PF_X != 0 {
+                    permissions.insert(MMPermissions::EXECUTE);
+                }
+
+                if let Some(prev_mapping) = result.last_mut() {
+                    if prev_mapping.end_address() == segment_address
+                        && prev_mapping.name.is_some()
+                        && prev_mapping.name.as_deref() == Some(&name)
+                    {
+                        prev_mapping.system_mapping_info.end_address = segment_end_address;
+                        prev_mapping.size = segment_end_address - prev_mapping.start_address;
+                        prev_mapping.permissions |= permissions;
+                        continue;
+                    }
+                }
+
+                let mapping_info = MappingInfo {
+                    start_address: segment_address,
+                    size: segment_len,
+                    // When Android relocation packing causes |start_addr| and |size| to
+                    // be modified with a load bias, we need to remember the unbiased
+                    // address range. The following structure holds the original mapping
+                    // address range as reported by the operating system.
+                    system_mapping_info: SystemMappingInfo {
+                        start_address: segment_address,
+                        end_address: segment_end_address,
+                    },
+                    offset: segment_offset,
+                    permissions,
+                    name: Some(name.clone()),
+                };
+                result.push(mapping_info);
+            }
+
+            if link.l_next == 0 {
+                break;
+            }
+            link = memory_reader
+                .read_pod(link.l_next)
+                .map_err(E::ReadLinkMapEntryFailed)?;
+        }
+        Ok(result)
+    }
+
     pub fn aggregate(
         memory_maps: MemoryMaps,
         linux_gate_loc: Option<AuxvType>,
@@ -211,7 +469,7 @@ impl MappingInfo {
                 .map(&File::open(filename)?)?
         };
 
-        if mapped_file.is_empty() || mapped_file.len() < elf::header::SELFMAG {
+        if mapped_file.is_empty() || mapped_file.len() < goblin::elf::header::SELFMAG {
             return Err(MapsReaderError::MmapSanityCheckFailed);
         }
         Ok(mapped_file)
@@ -452,6 +710,18 @@ impl PartialEq<(u32, u32, u32, u32)> for SoVersion {
     }
 }
 
+fn validate_elf_signature(
+    elf_header: &ElfHeader,
+) -> std::result::Result<(), FromDebuggerRendezvousError> {
+    if elf_header.e_ident[0..4] == [0x7f, 0x45, 0x4c, 0x46] {
+        Ok(())
+    } else {
+        Err(FromDebuggerRendezvousError::InvalidElfSignature(
+            elf_header.e_ident[0..4].try_into().unwrap(),
+        ))
+    }
+}
+
 #[cfg(test)]
 #[cfg(target_pointer_width = "64")] // All addresses are 64 bit and I'm currently too lazy to adjust it to work for both
 mod tests {