__stack_chk_fail问题分析
一、问题
进程收到SIGABRT信号异常退出,异常调用栈显示__stack_chk_fail
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Pico/A7H10/PICOA7H10:10/5.5.0/smartcm.1676912090:userdebug/dev-keys'
Revision: '0'
ABI: 'arm64'
Timestamp: 2023-02-23 10:39:19+0800
pid: 933, ppid: -1, tid: 5800, name: pvrmanager >>> /system/bin/stationservice <<<
uid: 0
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'stack corruption detected (-fstack-protector)'x0 0000000000000000 x1 00000000000016a8 x2 0000000000000006 x3 000000731f60b4f0x4 0000000000808080 x5 0000000000808080 x6 0000000000808080 x7 0000000000000030x8 00000000000000f0 x9 9c790c62d7456e2d x10 0000000000000001 x11 0000000000000000x12 fffffff0ffffffdf x13 000002bd7a90a09e x14 0031c42fbe3a7800 x15 0000000034155555x16 00000073a2b9fb38 x17 00000073a2b77d40 x18 000000731ea16000 x19 00000000000003a5x20 00000000000016a8 x21 00000000ffffffff x22 00000073a47d949a x23 00000000000003fbx24 000000731f60be20 x25 00000073a47d9000 x26 000000731f60b5b0 x27 00000000000003fcx28 00000000000003fc x29 000000731f60b590sp 000000731f60b4d0 lr 00000073a2b295bc pc 00000073a2b295e8backtrace:#00 pc 00000000000895e8 /apex/com.android.runtime/lib64/bionic/libc.so (abort+160) (BuildId: 02b3bc38eb77bdc99f28c0fc3f17de65)#01 pc 00000000000d7168 /apex/com.android.runtime/lib64/bionic/libc.so (__stack_chk_fail+20) (BuildId: 02b3bc38eb77bdc99f28c0fc3f17de65)#02 pc 0000000000037844 /system/lib64/libstationopticsservice.so (pvr::StationService::StationLogPrint(char*, int)+500) (BuildId: 9943b2f8208bbfbec5bb6dacaab00482)#03 pc 00000000000375a8 /system/lib64/libstationopticsservice.so (pvr::MCULogProcess::MCULogProcessFunc()+168) (BuildId: 9943b2f8208bbfbec5bb6dacaab00482)#04 pc 0000000000048b44 /system/lib64/libstationopticsservice.so (_ZNSt3__114__thread_proxyINS_5tupleIJNS_10unique_ptrINS_15__thread_structENS_14default_deleteIS3_EEEEMN3pvr13MCULogProcessEFvvEPS8_EEEEEPvSD_+60) (BuildId: 9943b2f8208bbfbec5bb6dacaab00482)#05 pc 00000000000ecce4 /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+36) (BuildId: 02b3bc38eb77bdc99f28c0fc3f17de65)#06 pc 000000000008b064 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 02b3bc38eb77bdc99f28c0fc3f17de65)
二、分析
原因分析: __stack_chk_fail说明发生了缓冲区溢出,canary被破坏。这说明代码设置GCC编译选项fstack-protector,开启了栈保护机制canary,canary存放位置如下,如果func1函数中有越界操作,很可能会修改到canary,stack_chk_fail检测canary就会失败
反汇编后找到对应函数的汇编代码,定位到+500处
00000000000395f8 <_ZN3pvr14StationService15StationLogPrintEPci@@Base>:395f8: a9ba6ffc stp x28, x27, [sp,#-96]!395fc: a90167fa stp x26, x25, [sp,#16]39600: a9025ff8 stp x24, x23, [sp,#32]39604: a90357f6 stp x22, x21, [sp,#48]39608: a9044ff4 stp x20, x19, [sp,#64]3960c: a9057bfd stp x29, x30, [sp,#80]39610: 910143fd add x29, sp, #0x5039614: d11043ff sub sp, sp, #0x41039618: d53bd058 mrs x24, tpidr_el03961c: f9401708 ldr x8, [x24,#40]39620: b00001f9 adrp x25, 76000 <configServiceClient@@Base>39624: 2a0203f4 mov w20, w239628: aa0103f5 mov x21, x13962c: f81a03a8 stur x8, [x29,#-96]39630: b944a336 ldr w22, [x25,#1184]39634: 0b0202c8 add w8, w22, w239638: 7110051f cmp w8, #0x4013963c: 540001ab b.lt 39670 <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x78>39640: b00001e0 adrp x0, 76000 <configServiceClient@@Base>39644: 91027800 add x0, x0, #0x9e39648: 321603e2 orr w2, wzr, #0x4003964c: 2a1f03e1 mov w1, wzr39650: 9400cafc bl 6c240 <memset@plt>39654: b0ffff80 adrp x0, 2a000 <gyroLSB@@Base-0x3e4c>39658: 91102000 add x0, x0, #0x4083965c: 2a1603e1 mov w1, w2239660: 2a1403e2 mov w2, w2039664: 9400cacf bl 6c1a0 <_Z8pr_debugPKcz@plt>39668: 2a1f03f6 mov w22, wzr3966c: b904a33f str wzr, [x25,#1184]39670: b00001f3 adrp x19, 76000 <configServiceClient@@Base>39674: 91027a73 add x19, x19, #0x9e39678: 8b36c260 add x0, x19, w22, sxtw3967c: 93407e82 sxtw x2, w2039680: aa1503e1 mov x1, x2139684: 9400cb6f bl 6c440 <memcpy@plt>39688: b944a328 ldr w8, [x25,#1184]3968c: 910003e0 mov x0, sp39690: 321603e2 orr w2, wzr, #0x40039694: 2a1f03e1 mov w1, wzr39698: 0b14011c add w28, w8, w203969c: b904a33c str w28, [x25,#1184]396a0: 910003fa mov x26, sp396a4: 9400cae7 bl 6c240 <memset@plt>396a8: 7100079f cmp w28, #0x1396ac: 5400088b b.lt 397bc <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x1c4>396b0: 90ffff94 adrp x20, 29000 <gyroLSB@@Base-0x4e4c>396b4: f0ffff75 adrp x21, 28000 <gyroLSB@@Base-0x5e4c>396b8: aa1f03e8 mov x8, xzr396bc: aa1f03fb mov x27, xzr396c0: 91062294 add x20, x20, #0x188396c4: 9108deb5 add x21, x21, #0x237396c8: aa1303f6 mov x22, x19396cc: 8b1b0269 add x9, x19, x27396d0: 3940012a ldrb w10, [x9]396d4: 7100295f cmp w10, #0xa396d8: 54000040 b.eq 396e0 <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0xe8>396dc: 3500038a cbnz w10, 3974c <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x154>396e0: cb160137 sub x23, x9, x22396e4: f10006ff cmp x23, #0x1396e8: 5400030b b.lt 39748 <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x150>396ec: 910003e0 mov x0, sp396f0: 321603e2 orr w2, wzr, #0x400396f4: 2a1f03e1 mov w1, wzr396f8: 9400cad2 bl 6c240 <memset@plt>396fc: 910003e0 mov x0, sp39700: 321603e1 orr w1, wzr, #0x40039704: 321603e2 orr w2, wzr, #0x40039708: aa1403e3 mov x3, x203970c: aa1503e4 mov x4, x2139710: 940007d4 bl 3b660 <_ZN3pvr14StationService23set_camerafps_to_configE12camera_fps_t@@Base+0x114>39714: 93407c08 sxtw x8, w039718: 8b0802fc add x28, x23, x83971c: f110039f cmp x28, #0x40039720: 540004ec b.gt 397bc <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x1c4>39724: 8b080340 add x0, x26, x839728: aa1603e1 mov x1, x223972c: aa1703e2 mov x2, x2339730: 9400cb44 bl 6c440 <memcpy@plt>39734: 910003e1 mov x1, sp39738: aa1403e0 mov x0, x203973c: 383ccb5f strb wzr, [x26,w28,sxtw]39740: 9400cb44 bl 6c450 <_ZN3pvr9pr_keylogEPKcz@plt>39744: b944a33c ldr w28, [x25,#1184]39748: 91000768 add x8, x27, #0x13974c: 9100077b add x27, x27, #0x139750: 93407f89 sxtw x9, w2839754: eb09037f cmp x27, x939758: 8b080276 add x22, x19, x83975c: 54fffb8b b.lt 396cc <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0xd4>39760: b40002e8 cbz x8, 397bc <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x1c4>39764: eb09011f cmp x8, x939768: 540001ea b.ge 397a4 <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x1ac>3976c: 4b080388 sub w8, w28, w839770: 93407d02 sxtw x2, w839774: 321603e3 orr w3, wzr, #0x40039778: aa1303e0 mov x0, x193977c: aa1603e1 mov x1, x2239780: b904a328 str w8, [x25,#1184]39784: 321603f4 orr w20, wzr, #0x40039788: 9400cb36 bl 6c460 <__memcpy_chk@plt>3978c: b984a328 ldrsw x8, [x25,#1184]39790: 2a1f03e1 mov w1, wzr39794: 8b080260 add x0, x19, x839798: cb080282 sub x2, x20, x83979c: 9400caa9 bl 6c240 <memset@plt>397a0: 14000007 b 397bc <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x1c4>397a4: b00001e0 adrp x0, 76000 <configServiceClient@@Base>397a8: 91027800 add x0, x0, #0x9e397ac: 321603e2 orr w2, wzr, #0x400397b0: 2a1f03e1 mov w1, wzr397b4: 9400caa3 bl 6c240 <memset@plt>397b8: b904a33f str wzr, [x25,#1184]397bc: f9401708 ldr x8, [x24,#40]397c0: f85a03a9 ldur x9, [x29,#-96]397c4: eb09011f cmp x8, x9397c8: 54000121 b.ne 397ec <_ZN3pvr14StationService15StationLogPrintEPci@@Base+0x1f4>397cc: 911043ff add sp, sp, #0x410397d0: a9457bfd ldp x29, x30, [sp,#80]397d4: a9444ff4 ldp x20, x19, [sp,#64]397d8: a94357f6 ldp x22, x21, [sp,#48]397dc: a9425ff8 ldp x24, x23, [sp,#32]397e0: a94167fa ldp x26, x25, [sp,#16]397e4: a8c66ffc ldp x28, x27, [sp],#96397e8: d65f03c0 ret397ec: 9400ca75 bl 6c1c0 <__stack_chk_fail@plt>
确实是__stack_chk_fail执行出现了问题
397ec: 9400ca75 bl 6c1c0 <__stack_chk_fail@plt>
再说一下,canary破坏很大可能是memset memcpy越界修改造成的,而且是栈中的变量,如下static概率就比较小,因为static变量不在栈中,所以,大概率是tmp这个数组
void StationService::StationLogPrint(char *buf, int len) {
#define STTAG "STLOG"
#define BUF_MAX_LEN 1024static char stlog[BUF_MAX_LEN] = {0};static int stlen = 0;station_debug_info_t buffer;memset(&buffer, 0, sizeof(buffer));buffer.type = (perf_test_t)STATION_LOG_INFO;if (stlen + len > BUF_MAX_LEN) {memset(stlog, 0, BUF_MAX_LEN);pr_debug("STLOG: stlen:%d, len:%d, err, drop!", stlen, len);stlen = 0;}memcpy(stlog + stlen, buf ,len);stlen += len;char tmp[BUF_MAX_LEN] = {0};char *p1 = stlog;char *p2 = p1;for (int i = 0; i < stlen; i++) {if ('\n' == *(stlog + i) || '\0' == *(stlog + i)) {p2 = stlog + i;if ((p2 - p1) > 0) {memset(tmp, 0, sizeof(tmp));int l = snprintf(tmp, sizeof(tmp), "%s", STTAG);if (l + (p2 - p1) > BUF_MAX_LEN) {return;}// pr_err("01%s, l:%d, len:%d, stlen:%d, (p2 - p1):%d", __FUNCTION__, l, len, stlen, (p2 - p1));memcpy(tmp + l, p1, (p2 - p1));l += p2 - p1;tmp[l] = '\0';pr_keylog("%s", tmp);}p1 = p2 + 1;}}if (p1 == stlog) {return;}if (p1 - stlog >= stlen) {memset(stlog, 0, sizeof(stlog));stlen = 0;} else {stlen -= p1 - stlog;memcpy(stlog, p1, stlen);memset(stlog + stlen, 0, sizeof(stlog) - stlen);}
}所以大概率问题出现在32行的memcpy,p2-p1可能越界了,因为tmp与stlog大小一样,tmp在开头加了一断字符,p2-p1+l
很有可能大于BUF_MAX_LEN,造成越界访问。