1/*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <errno.h>
18#include <stdio.h>
19#include <sys/socket.h>
20#include <sys/un.h>
21#include <unistd.h>
22
23#include "base/logging.h"
24#include "base/stringprintf.h"
25#include "jdwp/jdwp_priv.h"
26
27#ifdef __ANDROID__
28#include "cutils/sockets.h"
29#endif
30
31/*
32 * The JDWP <-> ADB transport protocol is explained in detail
33 * in system/core/adb/jdwp_service.c. Here's a summary.
34 *
35 * 1/ when the JDWP thread starts, it tries to connect to a Unix
36 *    domain stream socket (@jdwp-control) that is opened by the
37 *    ADB daemon.
38 *
39 * 2/ it then sends the current process PID as a string of 4 hexadecimal
40 *    chars (no terminating zero)
41 *
42 * 3/ then, it uses recvmsg to receive file descriptors from the
43 *    daemon. each incoming file descriptor is a pass-through to
44 *    a given JDWP debugger, that can be used to read the usual
45 *    JDWP-handshake, etc...
46 */
47
48#define kJdwpControlName    "\0jdwp-control"
49#define kJdwpControlNameLen (sizeof(kJdwpControlName)-1)
50
51namespace art {
52
53namespace JDWP {
54
55struct JdwpAdbState : public JdwpNetStateBase {
56 public:
57  explicit JdwpAdbState(JdwpState* state) : JdwpNetStateBase(state) {
58    control_sock_ = -1;
59    shutting_down_ = false;
60
61    control_addr_.controlAddrUn.sun_family = AF_UNIX;
62    control_addr_len_ = sizeof(control_addr_.controlAddrUn.sun_family) + kJdwpControlNameLen;
63    memcpy(control_addr_.controlAddrUn.sun_path, kJdwpControlName, kJdwpControlNameLen);
64  }
65
66  ~JdwpAdbState() {
67    if (clientSock != -1) {
68      shutdown(clientSock, SHUT_RDWR);
69      close(clientSock);
70    }
71    if (control_sock_ != -1) {
72      shutdown(control_sock_, SHUT_RDWR);
73      close(control_sock_);
74    }
75  }
76
77  virtual bool Accept();
78
79  virtual bool Establish(const JdwpOptions*) {
80    return false;
81  }
82
83  virtual void Shutdown() {
84    shutting_down_ = true;
85
86    int control_sock = this->control_sock_;
87    int local_clientSock = this->clientSock;
88
89    /* clear these out so it doesn't wake up and try to reuse them */
90    this->control_sock_ = this->clientSock = -1;
91
92    if (local_clientSock != -1) {
93      shutdown(local_clientSock, SHUT_RDWR);
94    }
95
96    if (control_sock != -1) {
97      shutdown(control_sock, SHUT_RDWR);
98    }
99
100    WakePipe();
101  }
102
103  virtual bool ProcessIncoming();
104
105 private:
106  int ReceiveClientFd();
107
108  int control_sock_;
109  bool shutting_down_;
110
111  socklen_t control_addr_len_;
112  union {
113    sockaddr_un controlAddrUn;
114    sockaddr controlAddrPlain;
115  } control_addr_;
116};
117
118/*
119 * Do initial prep work, e.g. binding to ports and opening files.  This
120 * runs in the main thread, before the JDWP thread starts, so it shouldn't
121 * do anything that might block forever.
122 */
123bool InitAdbTransport(JdwpState* state, const JdwpOptions*) {
124  VLOG(jdwp) << "ADB transport startup";
125  state->netState = new JdwpAdbState(state);
126  return (state->netState != nullptr);
127}
128
129/*
130 * Receive a file descriptor from ADB.  The fd can be used to communicate
131 * directly with a debugger or DDMS.
132 *
133 * Returns the file descriptor on success.  On failure, returns -1 and
134 * closes netState->control_sock_.
135 */
136int JdwpAdbState::ReceiveClientFd() {
137  char dummy = '!';
138  union {
139    cmsghdr cm;
140    char buffer[CMSG_SPACE(sizeof(int))];
141  } cm_un;
142
143  iovec iov;
144  iov.iov_base       = &dummy;
145  iov.iov_len        = 1;
146
147  msghdr msg;
148  msg.msg_name       = nullptr;
149  msg.msg_namelen    = 0;
150  msg.msg_iov        = &iov;
151  msg.msg_iovlen     = 1;
152  msg.msg_flags      = 0;
153  msg.msg_control    = cm_un.buffer;
154  msg.msg_controllen = sizeof(cm_un.buffer);
155
156  cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
157  cmsg->cmsg_len   = msg.msg_controllen;
158  cmsg->cmsg_level = SOL_SOCKET;
159  cmsg->cmsg_type  = SCM_RIGHTS;
160  (reinterpret_cast<int*>(CMSG_DATA(cmsg)))[0] = -1;
161
162  int rc = TEMP_FAILURE_RETRY(recvmsg(control_sock_, &msg, 0));
163
164  if (rc <= 0) {
165    if (rc == -1) {
166      PLOG(WARNING) << "Receiving file descriptor from ADB failed (socket " << control_sock_ << ")";
167    }
168    close(control_sock_);
169    control_sock_ = -1;
170    return -1;
171  }
172
173  return (reinterpret_cast<int*>(CMSG_DATA(cmsg)))[0];
174}
175
176/*
177 * Block forever, waiting for a debugger to connect to us.  Called from the
178 * JDWP thread.
179 *
180 * This needs to un-block and return "false" if the VM is shutting down.  It
181 * should return "true" when it successfully accepts a connection.
182 */
183bool JdwpAdbState::Accept() {
184  int retryCount = 0;
185
186  /* first, ensure that we get a connection to the ADB daemon */
187
188 retry:
189  if (shutting_down_) {
190    return false;
191  }
192
193  if (control_sock_ == -1) {
194    int        sleep_ms     = 500;
195    const int  sleep_max_ms = 2*1000;
196    char       buff[5];
197
198    control_sock_ = socket(PF_UNIX, SOCK_STREAM, 0);
199    if (control_sock_ < 0) {
200      PLOG(ERROR) << "Could not create ADB control socket";
201      return false;
202    }
203
204    if (!MakePipe()) {
205      return false;
206    }
207
208    snprintf(buff, sizeof(buff), "%04x", getpid());
209    buff[4] = 0;
210
211    for (;;) {
212      /*
213       * If adbd isn't running, because USB debugging was disabled or
214       * perhaps the system is restarting it for "adb root", the
215       * connect() will fail.  We loop here forever waiting for it
216       * to come back.
217       *
218       * Waking up and polling every couple of seconds is generally a
219       * bad thing to do, but we only do this if the application is
220       * debuggable *and* adbd isn't running.  Still, for the sake
221       * of battery life, we should consider timing out and giving
222       * up after a few minutes in case somebody ships an app with
223       * the debuggable flag set.
224       */
225      int  ret = connect(control_sock_, &control_addr_.controlAddrPlain, control_addr_len_);
226      if (!ret) {
227#ifdef __ANDROID__
228        if (!socket_peer_is_trusted(control_sock_)) {
229          if (shutdown(control_sock_, SHUT_RDWR)) {
230            PLOG(ERROR) << "trouble shutting down socket";
231          }
232          return false;
233        }
234#endif
235
236        /* now try to send our pid to the ADB daemon */
237        ret = TEMP_FAILURE_RETRY(send(control_sock_, buff, 4, 0));
238        if (ret >= 0) {
239          VLOG(jdwp) << StringPrintf("PID sent as '%.*s' to ADB", 4, buff);
240          break;
241        }
242
243        PLOG(ERROR) << "Weird, can't send JDWP process pid to ADB";
244        return false;
245      }
246      if (VLOG_IS_ON(jdwp)) {
247        PLOG(ERROR) << "Can't connect to ADB control socket";
248      }
249
250      usleep(sleep_ms * 1000);
251
252      sleep_ms += (sleep_ms >> 1);
253      if (sleep_ms > sleep_max_ms) {
254        sleep_ms = sleep_max_ms;
255      }
256      if (shutting_down_) {
257        return false;
258      }
259    }
260  }
261
262  VLOG(jdwp) << "trying to receive file descriptor from ADB";
263  /* now we can receive a client file descriptor */
264  clientSock = ReceiveClientFd();
265  if (shutting_down_) {
266    return false;       // suppress logs and additional activity
267  }
268  if (clientSock == -1) {
269    if (++retryCount > 5) {
270      LOG(ERROR) << "adb connection max retries exceeded";
271      return false;
272    }
273    goto retry;
274  } else {
275    VLOG(jdwp) << "received file descriptor " << clientSock << " from ADB";
276    SetAwaitingHandshake(true);
277    input_count_ = 0;
278    return true;
279  }
280}
281
282/*
283 * Process incoming data.  If no data is available, this will block until
284 * some arrives.
285 *
286 * If we get a full packet, handle it.
287 *
288 * To take some of the mystery out of life, we want to reject incoming
289 * connections if we already have a debugger attached.  If we don't, the
290 * debugger will just mysteriously hang until it times out.  We could just
291 * close the listen socket, but there's a good chance we won't be able to
292 * bind to the same port again, which would confuse utilities.
293 *
294 * Returns "false" on error (indicating that the connection has been severed),
295 * "true" if things are still okay.
296 */
297bool JdwpAdbState::ProcessIncoming() {
298  int readCount;
299
300  CHECK_NE(clientSock, -1);
301
302  if (!HaveFullPacket()) {
303    /* read some more, looping until we have data */
304    errno = 0;
305    while (1) {
306      int selCount;
307      fd_set readfds;
308      int maxfd = -1;
309      int fd;
310
311      FD_ZERO(&readfds);
312
313      /* configure fds; note these may get zapped by another thread */
314      fd = control_sock_;
315      if (fd >= 0) {
316        FD_SET(fd, &readfds);
317        if (maxfd < fd) {
318          maxfd = fd;
319        }
320      }
321      fd = clientSock;
322      if (fd >= 0) {
323        FD_SET(fd, &readfds);
324        if (maxfd < fd) {
325          maxfd = fd;
326        }
327      }
328      fd = wake_pipe_[0];
329      if (fd >= 0) {
330        FD_SET(fd, &readfds);
331        if (maxfd < fd) {
332          maxfd = fd;
333        }
334      } else {
335        LOG(INFO) << "NOTE: entering select w/o wakepipe";
336      }
337
338      if (maxfd < 0) {
339        VLOG(jdwp) << "+++ all fds are closed";
340        return false;
341      }
342
343      /*
344       * Select blocks until it sees activity on the file descriptors.
345       * Closing the local file descriptor does not count as activity,
346       * so we can't rely on that to wake us up (it works for read()
347       * and accept(), but not select()).
348       *
349       * We can do one of three things: (1) send a signal and catch
350       * EINTR, (2) open an additional fd ("wake pipe") and write to
351       * it when it's time to exit, or (3) time out periodically and
352       * re-issue the select.  We're currently using #2, as it's more
353       * reliable than #1 and generally better than #3.  Wastes two fds.
354       */
355      selCount = select(maxfd + 1, &readfds, nullptr, nullptr, nullptr);
356      if (selCount < 0) {
357        if (errno == EINTR) {
358          continue;
359        }
360        PLOG(ERROR) << "select failed";
361        goto fail;
362      }
363
364      if (wake_pipe_[0] >= 0 && FD_ISSET(wake_pipe_[0], &readfds)) {
365        VLOG(jdwp) << "Got wake-up signal, bailing out of select";
366        goto fail;
367      }
368      if (control_sock_ >= 0 && FD_ISSET(control_sock_, &readfds)) {
369        int  sock = ReceiveClientFd();
370        if (sock >= 0) {
371          LOG(INFO) << "Ignoring second debugger -- accepting and dropping";
372          close(sock);
373        } else {
374          CHECK_EQ(control_sock_, -1);
375          /*
376           * Remote side most likely went away, so our next read
377           * on clientSock will fail and throw us out of the loop.
378           */
379        }
380      }
381      if (clientSock >= 0 && FD_ISSET(clientSock, &readfds)) {
382        readCount = read(clientSock, input_buffer_ + input_count_, sizeof(input_buffer_) - input_count_);
383        if (readCount < 0) {
384          /* read failed */
385          if (errno != EINTR) {
386            goto fail;
387          }
388          VLOG(jdwp) << "+++ EINTR hit";
389          return true;
390        } else if (readCount == 0) {
391          /* EOF hit -- far end went away */
392          VLOG(jdwp) << "+++ peer disconnected";
393          goto fail;
394        } else {
395          break;
396        }
397      }
398    }
399
400    input_count_ += readCount;
401    if (!HaveFullPacket()) {
402      return true;        /* still not there yet */
403    }
404  }
405
406  /*
407   * Special-case the initial handshake.  For some bizarre reason we're
408   * expected to emulate bad tty settings by echoing the request back
409   * exactly as it was sent.  Note the handshake is always initiated by
410   * the debugger, no matter who connects to whom.
411   *
412   * Other than this one case, the protocol [claims to be] stateless.
413   */
414  if (IsAwaitingHandshake()) {
415    if (memcmp(input_buffer_, kMagicHandshake, kMagicHandshakeLen) != 0) {
416      LOG(ERROR) << StringPrintf("ERROR: bad handshake '%.14s'", input_buffer_);
417      goto fail;
418    }
419
420    errno = 0;
421    int cc = TEMP_FAILURE_RETRY(write(clientSock, input_buffer_, kMagicHandshakeLen));
422    if (cc != kMagicHandshakeLen) {
423      PLOG(ERROR) << "Failed writing handshake bytes (" << cc << " of " << kMagicHandshakeLen << ")";
424      goto fail;
425    }
426
427    ConsumeBytes(kMagicHandshakeLen);
428    SetAwaitingHandshake(false);
429    VLOG(jdwp) << "+++ handshake complete";
430    return true;
431  }
432
433  /*
434   * Handle this packet.
435   */
436  return state_->HandlePacket();
437
438 fail:
439  Close();
440  return false;
441}
442
443}  // namespace JDWP
444
445}  // namespace art
446