1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <errno.h>
18 #include <stdio.h>
19 #include <sys/socket.h>
20 #include <sys/un.h>
21 #include <unistd.h>
22
23 #include "android-base/stringprintf.h"
24
25 #include "base/logging.h" // For VLOG.
26 #include "base/socket_peer_is_trusted.h"
27 #include "jdwp/jdwp_priv.h"
28 #include "thread-current-inl.h"
29
30 /*
31 * The JDWP <-> ADB transport protocol is explained in detail
32 * in system/core/adb/jdwp_service.c. Here's a summary.
33 *
34 * 1/ when the JDWP thread starts, it tries to connect to a Unix
35 * domain stream socket (@jdwp-control) that is opened by the
36 * ADB daemon.
37 *
38 * 2/ it then sends the current process PID as an int32_t.
39 *
40 * 3/ then, it uses recvmsg to receive file descriptors from the
41 * daemon. each incoming file descriptor is a pass-through to
42 * a given JDWP debugger, that can be used to read the usual
43 * JDWP-handshake, etc...
44 */
45
46 static constexpr char kJdwpControlName[] = "\0jdwp-control";
47 static constexpr size_t kJdwpControlNameLen = sizeof(kJdwpControlName) - 1;
48 /* This timeout is for connect/send with control socket. In practice, the
49 * connect should never timeout since it's just connect to a local unix domain
50 * socket. But in case adb is buggy and doesn't respond to any connection, the
51 * connect will block. For send, actually it would never block since we only send
52 * several bytes and the kernel buffer is big enough to accept it. 10 seconds
53 * should be far enough.
54 */
55 static constexpr int kControlSockSendTimeout = 10;
56
57 namespace art {
58
59 namespace JDWP {
60
61 using android::base::StringPrintf;
62
63 struct JdwpAdbState : public JdwpNetStateBase {
64 public:
JdwpAdbStateart::JDWP::JdwpAdbState65 explicit JdwpAdbState(JdwpState* state)
66 : JdwpNetStateBase(state),
67 state_lock_("JdwpAdbState lock", kJdwpAdbStateLock) {
68 control_sock_ = -1;
69 shutting_down_ = false;
70
71 control_addr_.controlAddrUn.sun_family = AF_UNIX;
72 control_addr_len_ = sizeof(control_addr_.controlAddrUn.sun_family) + kJdwpControlNameLen;
73 memcpy(control_addr_.controlAddrUn.sun_path, kJdwpControlName, kJdwpControlNameLen);
74 }
75
~JdwpAdbStateart::JDWP::JdwpAdbState76 ~JdwpAdbState() {
77 if (clientSock != -1) {
78 shutdown(clientSock, SHUT_RDWR);
79 close(clientSock);
80 }
81 if (control_sock_ != -1) {
82 shutdown(control_sock_, SHUT_RDWR);
83 close(control_sock_);
84 }
85 }
86
87 bool Accept() override REQUIRES(!state_lock_);
88
Establishart::JDWP::JdwpAdbState89 bool Establish(const JdwpOptions*) override {
90 return false;
91 }
92
Shutdownart::JDWP::JdwpAdbState93 void Shutdown() override REQUIRES(!state_lock_) {
94 int control_sock;
95 int local_clientSock;
96 {
97 MutexLock mu(Thread::Current(), state_lock_);
98 shutting_down_ = true;
99 control_sock = this->control_sock_;
100 local_clientSock = this->clientSock;
101 /* clear these out so it doesn't wake up and try to reuse them */
102 this->control_sock_ = this->clientSock = -1;
103 }
104
105 if (local_clientSock != -1) {
106 shutdown(local_clientSock, SHUT_RDWR);
107 }
108
109 if (control_sock != -1) {
110 shutdown(control_sock, SHUT_RDWR);
111 }
112
113 WakePipe();
114 }
115
116 bool ProcessIncoming() override REQUIRES(!state_lock_);
117
118 private:
119 int ReceiveClientFd() REQUIRES(!state_lock_);
120
IsDownart::JDWP::JdwpAdbState121 bool IsDown() REQUIRES(!state_lock_) {
122 MutexLock mu(Thread::Current(), state_lock_);
123 return shutting_down_;
124 }
125
ControlSockart::JDWP::JdwpAdbState126 int ControlSock() REQUIRES(!state_lock_) {
127 MutexLock mu(Thread::Current(), state_lock_);
128 if (shutting_down_) {
129 CHECK_EQ(control_sock_, -1);
130 }
131 return control_sock_;
132 }
133
134 int control_sock_ GUARDED_BY(state_lock_);
135 bool shutting_down_ GUARDED_BY(state_lock_);
136 Mutex state_lock_;
137
138 socklen_t control_addr_len_;
139 union {
140 sockaddr_un controlAddrUn;
141 sockaddr controlAddrPlain;
142 } control_addr_;
143 };
144
145 /*
146 * Do initial prep work, e.g. binding to ports and opening files. This
147 * runs in the main thread, before the JDWP thread starts, so it shouldn't
148 * do anything that might block forever.
149 */
InitAdbTransport(JdwpState * state,const JdwpOptions *)150 bool InitAdbTransport(JdwpState* state, const JdwpOptions*) {
151 VLOG(jdwp) << "ADB transport startup";
152 state->netState = new JdwpAdbState(state);
153 return (state->netState != nullptr);
154 }
155
156 /*
157 * Receive a file descriptor from ADB. The fd can be used to communicate
158 * directly with a debugger or DDMS.
159 *
160 * Returns the file descriptor on success. On failure, returns -1 and
161 * closes netState->control_sock_.
162 */
ReceiveClientFd()163 int JdwpAdbState::ReceiveClientFd() {
164 char dummy = '!';
165 union {
166 cmsghdr cm;
167 char buffer[CMSG_SPACE(sizeof(int))];
168 } cm_un;
169
170 iovec iov;
171 iov.iov_base = &dummy;
172 iov.iov_len = 1;
173
174 msghdr msg;
175 msg.msg_name = nullptr;
176 msg.msg_namelen = 0;
177 msg.msg_iov = &iov;
178 msg.msg_iovlen = 1;
179 msg.msg_flags = 0;
180 msg.msg_control = cm_un.buffer;
181 msg.msg_controllen = sizeof(cm_un.buffer);
182
183 cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
184 cmsg->cmsg_len = msg.msg_controllen;
185 cmsg->cmsg_level = SOL_SOCKET;
186 cmsg->cmsg_type = SCM_RIGHTS;
187 (reinterpret_cast<int*>(CMSG_DATA(cmsg)))[0] = -1;
188
189 int rc = TEMP_FAILURE_RETRY(recvmsg(ControlSock(), &msg, 0));
190
191 if (rc <= 0) {
192 if (rc == -1) {
193 PLOG(WARNING) << "Receiving file descriptor from ADB failed (socket " << ControlSock() << ")";
194 }
195 MutexLock mu(Thread::Current(), state_lock_);
196 close(control_sock_);
197 control_sock_ = -1;
198 return -1;
199 }
200
201 return (reinterpret_cast<int*>(CMSG_DATA(cmsg)))[0];
202 }
203
204 /*
205 * Block forever, waiting for a debugger to connect to us. Called from the
206 * JDWP thread.
207 *
208 * This needs to un-block and return "false" if the VM is shutting down. It
209 * should return "true" when it successfully accepts a connection.
210 */
Accept()211 bool JdwpAdbState::Accept() {
212 int retryCount = 0;
213
214 /* first, ensure that we get a connection to the ADB daemon */
215
216 retry:
217 if (IsDown()) {
218 return false;
219 }
220
221 if (ControlSock() == -1) {
222 int sleep_ms = 500;
223 const int sleep_max_ms = 2*1000;
224
225 int sock = socket(AF_UNIX, SOCK_SEQPACKET, 0);
226 if (sock < 0) {
227 PLOG(ERROR) << "Could not create ADB control socket";
228 return false;
229 }
230 struct timeval timeout;
231 timeout.tv_sec = kControlSockSendTimeout;
232 timeout.tv_usec = 0;
233 setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout));
234 {
235 MutexLock mu(Thread::Current(), state_lock_);
236 control_sock_ = sock;
237 if (shutting_down_) {
238 return false;
239 }
240 if (!MakePipe()) {
241 return false;
242 }
243 }
244
245 int32_t pid = getpid();
246
247 for (;;) {
248 /*
249 * If adbd isn't running, because USB debugging was disabled or
250 * perhaps the system is restarting it for "adb root", the
251 * connect() will fail. We loop here forever waiting for it
252 * to come back.
253 *
254 * Waking up and polling every couple of seconds is generally a
255 * bad thing to do, but we only do this if the application is
256 * debuggable *and* adbd isn't running. Still, for the sake
257 * of battery life, we should consider timing out and giving
258 * up after a few minutes in case somebody ships an app with
259 * the debuggable flag set.
260 */
261 int ret = connect(ControlSock(), &control_addr_.controlAddrPlain, control_addr_len_);
262 if (!ret) {
263 int control_sock = ControlSock();
264 #ifdef ART_TARGET_ANDROID
265 if (control_sock < 0 || !art::SocketPeerIsTrusted(control_sock)) {
266 if (control_sock >= 0 && shutdown(control_sock, SHUT_RDWR)) {
267 PLOG(ERROR) << "trouble shutting down socket";
268 }
269 return false;
270 }
271 #endif
272
273 /* now try to send our pid to the ADB daemon */
274 ret = TEMP_FAILURE_RETRY(send(control_sock, &pid, sizeof(pid), 0));
275 if (ret == sizeof(pid)) {
276 VLOG(jdwp) << "PID " << pid << " sent to ADB";
277 break;
278 }
279
280 PLOG(ERROR) << "Weird, can't send JDWP process pid to ADB";
281 return false;
282 }
283 if (VLOG_IS_ON(jdwp)) {
284 PLOG(ERROR) << "Can't connect to ADB control socket";
285 }
286
287 usleep(sleep_ms * 1000);
288
289 sleep_ms += (sleep_ms >> 1);
290 if (sleep_ms > sleep_max_ms) {
291 sleep_ms = sleep_max_ms;
292 }
293 if (IsDown()) {
294 return false;
295 }
296 }
297 }
298
299 VLOG(jdwp) << "trying to receive file descriptor from ADB";
300 /* now we can receive a client file descriptor */
301 int sock = ReceiveClientFd();
302 {
303 MutexLock mu(Thread::Current(), state_lock_);
304 clientSock = sock;
305 if (shutting_down_) {
306 return false; // suppress logs and additional activity
307 }
308 }
309 if (clientSock == -1) {
310 if (++retryCount > 5) {
311 LOG(ERROR) << "adb connection max retries exceeded";
312 return false;
313 }
314 goto retry;
315 } else {
316 VLOG(jdwp) << "received file descriptor " << clientSock << " from ADB";
317 SetAwaitingHandshake(true);
318 input_count_ = 0;
319 return true;
320 }
321 }
322
323 /*
324 * Process incoming data. If no data is available, this will block until
325 * some arrives.
326 *
327 * If we get a full packet, handle it.
328 *
329 * To take some of the mystery out of life, we want to reject incoming
330 * connections if we already have a debugger attached. If we don't, the
331 * debugger will just mysteriously hang until it times out. We could just
332 * close the listen socket, but there's a good chance we won't be able to
333 * bind to the same port again, which would confuse utilities.
334 *
335 * Returns "false" on error (indicating that the connection has been severed),
336 * "true" if things are still okay.
337 */
ProcessIncoming()338 bool JdwpAdbState::ProcessIncoming() {
339 int readCount;
340
341 CHECK_NE(clientSock, -1);
342
343 if (!HaveFullPacket()) {
344 /* read some more, looping until we have data */
345 errno = 0;
346 while (true) {
347 int selCount;
348 fd_set readfds;
349 int maxfd = -1;
350 int fd;
351
352 FD_ZERO(&readfds);
353
354 /* configure fds; note these may get zapped by another thread */
355 fd = ControlSock();
356 if (fd >= 0) {
357 FD_SET(fd, &readfds);
358 if (maxfd < fd) {
359 maxfd = fd;
360 }
361 }
362 fd = clientSock;
363 if (fd >= 0) {
364 FD_SET(fd, &readfds);
365 if (maxfd < fd) {
366 maxfd = fd;
367 }
368 }
369 fd = wake_pipe_[0];
370 if (fd >= 0) {
371 FD_SET(fd, &readfds);
372 if (maxfd < fd) {
373 maxfd = fd;
374 }
375 } else {
376 LOG(INFO) << "NOTE: entering select w/o wakepipe";
377 }
378
379 if (maxfd < 0) {
380 VLOG(jdwp) << "+++ all fds are closed";
381 return false;
382 }
383
384 /*
385 * Select blocks until it sees activity on the file descriptors.
386 * Closing the local file descriptor does not count as activity,
387 * so we can't rely on that to wake us up (it works for read()
388 * and accept(), but not select()).
389 *
390 * We can do one of three things: (1) send a signal and catch
391 * EINTR, (2) open an additional fd ("wake pipe") and write to
392 * it when it's time to exit, or (3) time out periodically and
393 * re-issue the select. We're currently using #2, as it's more
394 * reliable than #1 and generally better than #3. Wastes two fds.
395 */
396 selCount = select(maxfd + 1, &readfds, nullptr, nullptr, nullptr);
397 if (selCount < 0) {
398 if (errno == EINTR) {
399 continue;
400 }
401 PLOG(ERROR) << "select failed";
402 goto fail;
403 }
404
405 if (wake_pipe_[0] >= 0 && FD_ISSET(wake_pipe_[0], &readfds)) {
406 VLOG(jdwp) << "Got wake-up signal, bailing out of select";
407 goto fail;
408 }
409 int control_sock = ControlSock();
410 if (control_sock >= 0 && FD_ISSET(control_sock, &readfds)) {
411 int sock = ReceiveClientFd();
412 if (sock >= 0) {
413 LOG(INFO) << "Ignoring second debugger -- accepting and dropping";
414 close(sock);
415 } else {
416 CHECK_EQ(ControlSock(), -1);
417 /*
418 * Remote side most likely went away, so our next read
419 * on clientSock will fail and throw us out of the loop.
420 */
421 }
422 }
423 if (clientSock >= 0 && FD_ISSET(clientSock, &readfds)) {
424 readCount = read(clientSock, input_buffer_ + input_count_, sizeof(input_buffer_) - input_count_);
425 if (readCount < 0) {
426 /* read failed */
427 if (errno != EINTR) {
428 goto fail;
429 }
430 VLOG(jdwp) << "+++ EINTR hit";
431 return true;
432 } else if (readCount == 0) {
433 /* EOF hit -- far end went away */
434 VLOG(jdwp) << "+++ peer disconnected";
435 goto fail;
436 } else {
437 break;
438 }
439 }
440 }
441
442 input_count_ += readCount;
443 if (!HaveFullPacket()) {
444 return true; /* still not there yet */
445 }
446 }
447
448 /*
449 * Special-case the initial handshake. For some bizarre reason we're
450 * expected to emulate bad tty settings by echoing the request back
451 * exactly as it was sent. Note the handshake is always initiated by
452 * the debugger, no matter who connects to whom.
453 *
454 * Other than this one case, the protocol [claims to be] stateless.
455 */
456 if (IsAwaitingHandshake()) {
457 if (memcmp(input_buffer_, kMagicHandshake, kMagicHandshakeLen) != 0) {
458 LOG(ERROR) << StringPrintf("ERROR: bad handshake '%.14s'", input_buffer_);
459 goto fail;
460 }
461
462 errno = 0;
463 int cc = TEMP_FAILURE_RETRY(write(clientSock, input_buffer_, kMagicHandshakeLen));
464 if (cc != kMagicHandshakeLen) {
465 PLOG(ERROR) << "Failed writing handshake bytes (" << cc << " of " << kMagicHandshakeLen << ")";
466 goto fail;
467 }
468
469 ConsumeBytes(kMagicHandshakeLen);
470 SetAwaitingHandshake(false);
471 VLOG(jdwp) << "+++ handshake complete";
472 return true;
473 }
474
475 /*
476 * Handle this packet.
477 */
478 return state_->HandlePacket();
479
480 fail:
481 Close();
482 return false;
483 }
484
485 } // namespace JDWP
486
487 } // namespace art
488