如何解决Android二进制的qemu用户仿真中的segfault
我在Ubuntu 18.04 x64主机上运行qemu,并尝试使用Android NDK对为Android(针对aarch64或i386)构建的动态二进制文件进行用户仿真,但是我总是遇到段错误。例如:
建立$ i686-linux-android28-clang hello_world.c -o hello_world
$ file ./hello_world
./hello_world: ELF 32-bit LSB shared object,Intel 80386,version 1 (SYSV),dynamically linked,interpreter /system/bin/linker,not stripped
$ readelf -d ./hello_world
Dynamic section at offset 0xef4 contains 24 entries:
Tag Type Name/Value
0x00000003 (PLTGOT) 0x1fdc
0x00000002 (PLTRELSZ) 48 (bytes)
0x00000017 (JMPREL) 0x318
0x00000014 (PLTREL) REL
0x00000015 (DEBUG) 0x0
0x00000006 (SYMTAB) 0x200
0x0000000b (SYMENT) 16 (bytes)
0x00000005 (STRTAB) 0x270
0x0000000a (STRSZ) 96 (bytes)
0x6ffffef5 (GNU_HASH) 0x2d0
0x00000001 (NEEDED) Shared library: [libdl.so]
0x00000001 (NEEDED) Shared library: [libc.so]
...
$ ls ~/android_28_img/
acct cache d dev init.environ.rc init.usb.rc metadata oem sbin sys vendor
bin charger data etc init.rc init.zygote32.rc mnt proc sdcard system
bugreports config default.prop init init.usb.configfs.rc lost+found odm product storage ueventd.rc
$ sudo cp ./hello_world ~/android_28_img/system/bin
$ sudo cp /usr/bin/qemu-i386-static ~/android_28_img/system/bin
$ sudo chroot /home/user/android_28_img ./system/bin/qemu-i386-static /system/bin/hello_world
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
$ qemu-i386 -L /home/user/android_38_img ./system/bin/hello_world
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
$ sudo chroot /home/user/android_28_img ./system/bin/qemu-i386-static -strace /system/bin/hello_world
60785 set_thread_area(0xffffa3f0) = 0
60785 mmap2(NULL,20480,PROT_NONE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0xff6a5000
60785 madvise(-9809920,12,-9809920,-8432404,-23672) = 0
60785 prctl(1398164801,-8681506,-23528) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff6a6000,12288,PROT_READ|PROT_WRITE) = 0
60785 prctl(1398164801,-9805824,-8681440,-23528) = -1 errno=22 (Invalid argument)
60785 set_tid_address(-8432484,-9781248,-8432492,-23480) = 60785
60785 faccessat(AT_FDCWD,"/dev/urandom",R_OK,AT_SYMLINK_NOFOLLOW|0xff7f601c) = -1 errno=2 (No such file or directory)
60785 futex(0xff7f2a44,FUTEX_PRIVATE_FLAG|FUTEX_WAKE,2147483647,NULL,0) = 0
60785 sched_getscheduler(0,-8432496,-23528) = 0
60785 mmap2(NULL,PROT_READ|PROT_WRITE,0) = 0xff6a0000
60785 madvise(-9830400,-9830400,-23688) = 0
60785 mprotect(0xff6a0000,4096,PROT_NONE) = 0
60785 sigaltstack(0xffffa3e8,(nil)) = 0
60785 prctl(1398164801,-9826304,16384,-8681429,-23528) = -1 errno=22 (Invalid argument)
60785 prctl(1398164801,-8681409,-23528) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff7eb000,24576,PROT_READ) = 0
60785 mprotect(0xff7f4000,PROT_READ|PROT_WRITE) = 0
60785 mprotect(0xff7f4000,PROT_READ) = 0
60785 mmap2(NULL,0) = 0xff69f000
60785 madvise(-9834496,-9834496,-23848) = 0
60785 prctl(1398164801,-8680817,-23704) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff69f000,PROT_READ) = 0
60785 mprotect(0xff69f000,PROT_READ|PROT_WRITE) = 0
60785 mprotect(0xff69f000,PROT_READ|PROT_WRITE) = 0
60785 mprotect(0xff69f000,0) = 0xff69e000
60785 madvise(-9838592,-9838592,-24136) = 0
60785 prctl(1398164801,-8693379,-23944) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff69d000
60785 madvise(-9842688,-9842688,-24280) = 0
60785 prctl(1398164801,-8693213,-24136) = -1 errno=22 (Invalid argument)
60785 getrandom(-23744,40,1,-23744,-23768) = 40
60785 mmap2(NULL,1096,0) = 0xff69c000
60785 madvise(-9846784,-9846784,-23896) = 0
60785 prctl(1398164801,-8682952,-23752) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff69b000
60785 madvise(-9850880,-9850880,-24072) = 0
60785 prctl(1398164801,-23880) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff69a000
60785 madvise(-9854976,-9854976,-24216) = 0
60785 prctl(1398164801,-24072) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff699000
60785 madvise(-9859072,-9859072,-23640) = 0
60785 prctl(1398164801,-8728674,-23496) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff699000,PROT_READ|PROT_WRITE) = 0
--- SIGSEGV {si_signo=SIGSEGV,si_code=1,si_addr=0x0000014e} ---
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
$ sudo apport-unpack /var/crash/_usr_bin_qemu-i386.101461.crash ~/crash-unpacked/
$ gdb /usr/bin/qemu-i386 ~/crash-unpacked/CoreDump
$ gdb /usr/bin/qemu-i386 ~/crash-unpacked/CoreDump
GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation,Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY,to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions,please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help,type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 175 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase,$ida gdb functions (can be used with print/break)
Reading symbols from /usr/bin/qemu-i386...(no debugging symbols found)...done.
[New LWP 61385]
[New LWP 61386]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `qemu-i386 -L /home/user/android_28_img ./system/bin/hello_world'.
Program terminated with signal SIGSEGV,Segmentation fault.
#0 0x00007f0853f7b2e6 in __GI___sigsuspend (set=0x7ffdb0445f48) at ../sysdeps/unix/sysv/linux/sigsuspend.c:26
26 ../sysdeps/unix/sysv/linux/sigsuspend.c: No such file or directory.
[Current thread is 1 (Thread 0x7f0855413e00 (LWP 61385))]
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────
RAX 0xfffffffffffffdfe
RBX 0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
RCX 0x7f0853f7b2e6 (sigsuspend+70) ◂— cmp rax,-0x1000 /* 'H=' */
RDX 0x0
RDI 0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
RSI 0x8
R8 0x0
R9 0xb
R10 0x8
R11 0x293
R12 0x7ffdb0445f40 ◂— 0x0
R13 0x5581b1e9c210 ◂— 0xefc9
R14 0xb
R15 0x0
RBP 0xb
RSP 0x7ffdb0445f10 ◂— 0xb /* '\x0b' */
RIP 0x7f0853f7b2e6 (sigsuspend+70) ◂— cmp rax,-0x1000 /* 'H=' */
───────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────
► 0x7f0853f7b2e6 <sigsuspend+70> cmp rax,-0x1000
0x7f0853f7b2ec <sigsuspend+76> ja sigsuspend+122 <0x7f0853f7b31a>
↓
0x7f0853f7b31a <sigsuspend+122> mov rcx,qword ptr [rip + 0x3abb47]
0x7f0853f7b321 <sigsuspend+129> neg eax
0x7f0853f7b323 <sigsuspend+131> mov dword ptr fs:[rcx],eax
0x7f0853f7b326 <sigsuspend+134> mov eax,0xffffffff
0x7f0853f7b32b <sigsuspend+139> jmp sigsuspend+78 <0x7f0853f7b2ee>
↓
0x7f0853f7b2ee <sigsuspend+78> mov edi,edx
0x7f0853f7b2f0 <sigsuspend+80> mov dword ptr [rsp + 0xc],eax
0x7f0853f7b2f4 <sigsuspend+84> call __libc_disable_asynccancel <0x7f085406c8f0>
0x7f0853f7b2f9 <sigsuspend+89> mov eax,dword ptr [rsp + 0xc]
───────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffdb0445f10 ◂— 0xb /* '\x0b' */
01:0008│ 0x7ffdb0445f18 ◂— 0xdb8b156e6a07500
02:0010│ 0x7ffdb0445f20 —▸ 0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
03:0018│ 0x7ffdb0445f28 —▸ 0x5581ae7bbb14 ◂— call 0x5581ae770710
04:0020│ 0x7ffdb0445f30 ◂— 0x0
05:0028│ 0x7ffdb0445f38 ◂— 0xffffffffffffffff
06:0030│ r12 0x7ffdb0445f40 ◂— 0x0
07:0038│ rbx rdi 0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
─────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────
► f 0 7f0853f7b2e6 sigsuspend+70
f 1 5581ae7bbb14
f 2 5581ae7bc6b8
f 3 5581ae7bd4db process_pending_signals+363
f 4 5581ae7a06e8 cpu_loop+504
f 5 5581ae773504 main+1860
f 6 7f0853f5db97 __libc_start_main+231
解决方法
Android二进制文件可能正在尝试使用QEMU未实现的内核功能,否则可能是在做意外的事情-大多数情况下,QEMU的用户仿真模式是在普通Linux用户空间二进制文件(而非Android用户二进制文件)上测试的。例如,您可以在strace()中看到很多失败的prctl()调用:调试这的一个好开始是找出他们要做什么,并检查QEMU是否实现了它们。
您可能还会发现使用QEMU的内置调试存根并将x86感知的gdb附加到它上很有用:然后您可以逐步执行来宾代码,并查看出错时的工作方式。 / p>
最后,您不会提及您正在使用哪个QEMU版本-如果它不是最新版本,则总是值得尝试使用最新版本来检查它是否已得到修复。 (特别是在4.0之前的任何版本的QEMU都存在一些与多线程和用户模式仿真中的信号有关的非常不好的错误。)
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。