1#include <assert.h> 2#include <errno.h> 3#include <pthread.h> 4#include <sched.h> 5#include <signal.h> 6#include <stdio.h> 7#include <stdlib.h> 8#include <string.h> 9#include <sys/cdefs.h> 10#include <sys/mman.h> 11#include <sys/ptrace.h> 12#include <sys/socket.h> 13#include <sys/wait.h> 14#include <unistd.h> 15 16#include <cutils/sockets.h> 17#include <log/log.h> 18 19#ifndef __unused 20#define __unused __attribute__((__unused__)) 21#endif 22 23extern const char* __progname; 24 25void crash1(void); 26void crashnostack(void); 27static int do_action(const char* arg); 28 29static void maybe_abort() { 30 if (time(0) != 42) { 31 abort(); 32 } 33} 34 35static char* smash_stack_dummy_buf; 36__attribute__ ((noinline)) static void smash_stack_dummy_function(volatile int* plen) { 37 smash_stack_dummy_buf[*plen] = 0; 38} 39 40// This must be marked with "__attribute__ ((noinline))", to ensure the 41// compiler generates the proper stack guards around this function. 42// Assign local array address to global variable to force stack guards. 43// Use another noinline function to corrupt the stack. 44__attribute__ ((noinline)) static int smash_stack(volatile int* plen) { 45 printf("crasher: deliberately corrupting stack...\n"); 46 47 char buf[128]; 48 smash_stack_dummy_buf = buf; 49 // This should corrupt stack guards and make process abort. 50 smash_stack_dummy_function(plen); 51 return 0; 52} 53 54static void* global = 0; // So GCC doesn't optimize the tail recursion out of overflow_stack. 55 56__attribute__((noinline)) static void overflow_stack(void* p) { 57 void* buf[1]; 58 buf[0] = p; 59 global = buf; 60 overflow_stack(&buf); 61} 62 63static void *noisy(void *x) 64{ 65 char c = (uintptr_t) x; 66 for(;;) { 67 usleep(250*1000); 68 write(2, &c, 1); 69 if(c == 'C') *((volatile unsigned*) 0) = 42; 70 } 71 return NULL; 72} 73 74static int ctest() 75{ 76 pthread_t thr; 77 pthread_attr_t attr; 78 pthread_attr_init(&attr); 79 pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); 80 pthread_create(&thr, &attr, noisy, (void*) 'A'); 81 pthread_create(&thr, &attr, noisy, (void*) 'B'); 82 pthread_create(&thr, &attr, noisy, (void*) 'C'); 83 for(;;) ; 84 return 0; 85} 86 87static void* thread_callback(void* raw_arg) 88{ 89 return (void*) (uintptr_t) do_action((const char*) raw_arg); 90} 91 92static int do_action_on_thread(const char* arg) 93{ 94 pthread_t t; 95 pthread_create(&t, NULL, thread_callback, (void*) arg); 96 void* result = NULL; 97 pthread_join(t, &result); 98 return (int) (uintptr_t) result; 99} 100 101__attribute__((noinline)) static int crash3(int a) { 102 *((int*) 0xdead) = a; 103 return a*4; 104} 105 106__attribute__((noinline)) static int crash2(int a) { 107 a = crash3(a) + 2; 108 return a*3; 109} 110 111__attribute__((noinline)) static int crash(int a) { 112 a = crash2(a) + 1; 113 return a*2; 114} 115 116static void abuse_heap() { 117 char buf[16]; 118 free((void*) buf); // GCC is smart enough to warn about this, but we're doing it deliberately. 119} 120 121static void sigsegv_non_null() { 122 int* a = (int *)(&do_action); 123 *a = 42; 124} 125 126static int do_action(const char* arg) 127{ 128 fprintf(stderr,"crasher: init pid=%d tid=%d\n", getpid(), gettid()); 129 130 if (!strncmp(arg, "thread-", strlen("thread-"))) { 131 return do_action_on_thread(arg + strlen("thread-")); 132 } else if (!strcmp(arg, "SIGSEGV-non-null")) { 133 sigsegv_non_null(); 134 } else if (!strcmp(arg, "smash-stack")) { 135 volatile int len = 128; 136 return smash_stack(&len); 137 } else if (!strcmp(arg, "stack-overflow")) { 138 overflow_stack(NULL); 139 } else if (!strcmp(arg, "nostack")) { 140 crashnostack(); 141 } else if (!strcmp(arg, "ctest")) { 142 return ctest(); 143 } else if (!strcmp(arg, "exit")) { 144 exit(1); 145 } else if (!strcmp(arg, "crash") || !strcmp(arg, "SIGSEGV")) { 146 return crash(42); 147 } else if (!strcmp(arg, "abort")) { 148 maybe_abort(); 149 } else if (!strcmp(arg, "assert")) { 150 __assert("some_file.c", 123, "false"); 151 } else if (!strcmp(arg, "assert2")) { 152 __assert2("some_file.c", 123, "some_function", "false"); 153 } else if (!strcmp(arg, "LOG_ALWAYS_FATAL")) { 154 LOG_ALWAYS_FATAL("hello %s", "world"); 155 } else if (!strcmp(arg, "LOG_ALWAYS_FATAL_IF")) { 156 LOG_ALWAYS_FATAL_IF(true, "hello %s", "world"); 157 } else if (!strcmp(arg, "SIGFPE")) { 158 raise(SIGFPE); 159 return EXIT_SUCCESS; 160 } else if (!strcmp(arg, "SIGPIPE")) { 161 int pipe_fds[2]; 162 pipe(pipe_fds); 163 close(pipe_fds[0]); 164 write(pipe_fds[1], "oops", 4); 165 return EXIT_SUCCESS; 166 } else if (!strcmp(arg, "SIGTRAP")) { 167 raise(SIGTRAP); 168 return EXIT_SUCCESS; 169 } else if (!strcmp(arg, "heap-usage")) { 170 abuse_heap(); 171 } else if (!strcmp(arg, "SIGSEGV-unmapped")) { 172 char* map = mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); 173 munmap(map, sizeof(int)); 174 map[0] = '8'; 175 } 176 177 fprintf(stderr, "%s OP\n", __progname); 178 fprintf(stderr, "where OP is:\n"); 179 fprintf(stderr, " smash-stack overwrite a stack-guard canary\n"); 180 fprintf(stderr, " stack-overflow recurse until the stack overflows\n"); 181 fprintf(stderr, " heap-corruption cause a libc abort by corrupting the heap\n"); 182 fprintf(stderr, " heap-usage cause a libc abort by abusing a heap function\n"); 183 fprintf(stderr, " nostack crash with a NULL stack pointer\n"); 184 fprintf(stderr, " ctest (obsoleted by thread-crash?)\n"); 185 fprintf(stderr, " exit call exit(1)\n"); 186 fprintf(stderr, " abort call abort()\n"); 187 fprintf(stderr, " assert call assert() without a function\n"); 188 fprintf(stderr, " assert2 call assert() with a function\n"); 189 fprintf(stderr, " LOG_ALWAYS_FATAL call LOG_ALWAYS_FATAL\n"); 190 fprintf(stderr, " LOG_ALWAYS_FATAL_IF call LOG_ALWAYS_FATAL\n"); 191 fprintf(stderr, " SIGFPE cause a SIGFPE\n"); 192 fprintf(stderr, " SIGPIPE cause a SIGPIPE\n"); 193 fprintf(stderr, " SIGSEGV cause a SIGSEGV at address 0x0 (synonym: crash)\n"); 194 fprintf(stderr, " SIGSEGV-non-null cause a SIGSEGV at a non-zero address\n"); 195 fprintf(stderr, " SIGSEGV-unmapped mmap/munmap a region of memory and then attempt to access it\n"); 196 fprintf(stderr, " SIGTRAP cause a SIGTRAP\n"); 197 fprintf(stderr, "prefix any of the above with 'thread-' to not run\n"); 198 fprintf(stderr, "on the process' main thread.\n"); 199 return EXIT_SUCCESS; 200} 201 202int main(int argc, char **argv) 203{ 204 fprintf(stderr,"crasher: built at " __TIME__ "!@\n"); 205 206 if(argc > 1) { 207 return do_action(argv[1]); 208 } else { 209 crash1(); 210 } 211 212 return 0; 213} 214