Android二进制的qemu用户仿真中的segfault

问题描述

我在Ubuntu 18.04 x64主机上运行qemu，并尝试使用Android NDK对为Android（针对aarch64或i386）构建的动态二进制文件进行用户仿真，但是我总是遇到段错误。例如：

建立

$ i686-linux-android28-clang hello_world.c -o hello_world

检查依赖关系和路径

$ file ./hello_world

./hello_world: ELF 32-bit LSB shared object,Intel 80386,version 1 (SYSV),dynamically linked,interpreter /system/bin/linker,not stripped

$ readelf -d ./hello_world

Dynamic section at offset 0xef4 contains 24 entries:
  Tag        Type                         Name/Value
 0x00000003 (PLTGOT)                     0x1fdc
 0x00000002 (PLTRELSZ)                   48 (bytes)
 0x00000017 (JMPREL)                     0x318
 0x00000014 (PLTREL)                     REL
 0x00000015 (DEBUG)                      0x0
 0x00000006 (SYMTAB)                     0x200
 0x0000000b (SYMENT)                     16 (bytes)
 0x00000005 (STRTAB)                     0x270
 0x0000000a (STRSZ)                      96 (bytes)
 0x6ffffef5 (GNU_HASH)                   0x2d0
 0x00000001 (NEEDED)                     Shared library: [libdl.so]
 0x00000001 (NEEDED)                     Shared library: [libc.so]
 ...

复制到Pixel 2 Android 9 i386的解压缩Android模拟器映像中。

$ ls ~/android_28_img/
acct        cache    d             dev   init.environ.rc       init.usb.rc       metadata  oem      sbin     sys         vendor
bin         charger  data          etc   init.rc               init.zygote32.rc  mnt       proc     sdcard   system
bugreports  config   default.prop  init  init.usb.configfs.rc  lost+found        odm       product  storage  ueventd.rc

$ sudo cp ./hello_world ~/android_28_img/system/bin

也将静态qemu复制到那里

$ sudo cp /usr/bin/qemu-i386-static ~/android_28_img/system/bin

各种方式运行模拟器

$ sudo chroot /home/user/android_28_img ./system/bin/qemu-i386-static /system/bin/hello_world
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault

$ qemu-i386 -L /home/user/android_38_img ./system/bin/hello_world
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault

痕迹

$ sudo chroot /home/user/android_28_img ./system/bin/qemu-i386-static -strace /system/bin/hello_world
60785 set_thread_area(0xffffa3f0) = 0
60785 mmap2(NULL,20480,PROT_NONE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0xff6a5000
60785 madvise(-9809920,12,-9809920,-8432404,-23672) = 0
60785 prctl(1398164801,-8681506,-23528) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff6a6000,12288,PROT_READ|PROT_WRITE) = 0
60785 prctl(1398164801,-9805824,-8681440,-23528) = -1 errno=22 (Invalid argument)
60785 set_tid_address(-8432484,-9781248,-8432492,-23480) = 60785
60785 faccessat(AT_FDCWD,"/dev/urandom",R_OK,AT_SYMLINK_NOFOLLOW|0xff7f601c) = -1 errno=2 (No such file or directory)
60785 futex(0xff7f2a44,FUTEX_PRIVATE_FLAG|FUTEX_WAKE,2147483647,NULL,0) = 0
60785 sched_getscheduler(0,-8432496,-23528) = 0
60785 mmap2(NULL,PROT_READ|PROT_WRITE,0) = 0xff6a0000
60785 madvise(-9830400,-9830400,-23688) = 0
60785 mprotect(0xff6a0000,4096,PROT_NONE) = 0
60785 sigaltstack(0xffffa3e8,(nil)) = 0
60785 prctl(1398164801,-9826304,16384,-8681429,-23528) = -1 errno=22 (Invalid argument)
60785 prctl(1398164801,-8681409,-23528) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff7eb000,24576,PROT_READ) = 0
60785 mprotect(0xff7f4000,PROT_READ|PROT_WRITE) = 0
60785 mprotect(0xff7f4000,PROT_READ) = 0
60785 mmap2(NULL,0) = 0xff69f000
60785 madvise(-9834496,-9834496,-23848) = 0
60785 prctl(1398164801,-8680817,-23704) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff69f000,PROT_READ) = 0
60785 mprotect(0xff69f000,PROT_READ|PROT_WRITE) = 0
60785 mprotect(0xff69f000,PROT_READ|PROT_WRITE) = 0

60785 mprotect(0xff69f000,0) = 0xff69e000
60785 madvise(-9838592,-9838592,-24136) = 0
60785 prctl(1398164801,-8693379,-23944) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff69d000
60785 madvise(-9842688,-9842688,-24280) = 0
60785 prctl(1398164801,-8693213,-24136) = -1 errno=22 (Invalid argument)
60785 getrandom(-23744,40,1,-23744,-23768) = 40
60785 mmap2(NULL,1096,0) = 0xff69c000
60785 madvise(-9846784,-9846784,-23896) = 0
60785 prctl(1398164801,-8682952,-23752) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff69b000
60785 madvise(-9850880,-9850880,-24072) = 0
60785 prctl(1398164801,-23880) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff69a000
60785 madvise(-9854976,-9854976,-24216) = 0
60785 prctl(1398164801,-24072) = -1 errno=22 (Invalid argument)
60785 mmap2(NULL,0) = 0xff699000
60785 madvise(-9859072,-9859072,-23640) = 0
60785 prctl(1398164801,-8728674,-23496) = -1 errno=22 (Invalid argument)
60785 mprotect(0xff699000,PROT_READ|PROT_WRITE) = 0
--- SIGSEGV {si_signo=SIGSEGV,si_code=1,si_addr=0x0000014e} ---
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault

看着崩溃转储

$ sudo apport-unpack /var/crash/_usr_bin_qemu-i386.101461.crash ~/crash-unpacked/
$ gdb /usr/bin/qemu-i386 ~/crash-unpacked/CoreDump

$ gdb /usr/bin/qemu-i386 ~/crash-unpacked/CoreDump
GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation,Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY,to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions,please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help,type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 175 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase,$ida gdb functions (can be used with print/break)
Reading symbols from /usr/bin/qemu-i386...(no debugging symbols found)...done.
[New LWP 61385]
[New LWP 61386]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `qemu-i386 -L /home/user/android_28_img ./system/bin/hello_world'.
Program terminated with signal SIGSEGV,Segmentation fault.
#0  0x00007f0853f7b2e6 in __GI___sigsuspend (set=0x7ffdb0445f48) at ../sysdeps/unix/sysv/linux/sigsuspend.c:26
26  ../sysdeps/unix/sysv/linux/sigsuspend.c: No such file or directory.
[Current thread is 1 (Thread 0x7f0855413e00 (LWP 61385))]
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────
 RAX  0xfffffffffffffdfe
 RBX  0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
 RCX  0x7f0853f7b2e6 (sigsuspend+70) ◂— cmp    rax,-0x1000 /* 'H=' */
 RDX  0x0
 RDI  0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
 RSI  0x8
 R8   0x0
 R9   0xb
 R10  0x8
 R11  0x293
 R12  0x7ffdb0445f40 ◂— 0x0
 R13  0x5581b1e9c210 ◂— 0xefc9
 R14  0xb
 R15  0x0
 RBP  0xb
 RSP  0x7ffdb0445f10 ◂— 0xb /* '\x0b' */
 RIP  0x7f0853f7b2e6 (sigsuspend+70) ◂— cmp    rax,-0x1000 /* 'H=' */
───────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────
 ► 0x7f0853f7b2e6 <sigsuspend+70>     cmp    rax,-0x1000
   0x7f0853f7b2ec <sigsuspend+76>     ja     sigsuspend+122 <0x7f0853f7b31a>
    ↓
   0x7f0853f7b31a <sigsuspend+122>    mov    rcx,qword ptr [rip + 0x3abb47]
   0x7f0853f7b321 <sigsuspend+129>    neg    eax
   0x7f0853f7b323 <sigsuspend+131>    mov    dword ptr fs:[rcx],eax
   0x7f0853f7b326 <sigsuspend+134>    mov    eax,0xffffffff
   0x7f0853f7b32b <sigsuspend+139>    jmp    sigsuspend+78 <0x7f0853f7b2ee>
    ↓
   0x7f0853f7b2ee <sigsuspend+78>     mov    edi,edx
   0x7f0853f7b2f0 <sigsuspend+80>     mov    dword ptr [rsp + 0xc],eax
   0x7f0853f7b2f4 <sigsuspend+84>     call   __libc_disable_asynccancel <0x7f085406c8f0>
 
   0x7f0853f7b2f9 <sigsuspend+89>     mov    eax,dword ptr [rsp + 0xc]
───────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────
00:0000│ rsp      0x7ffdb0445f10 ◂— 0xb /* '\x0b' */
01:0008│          0x7ffdb0445f18 ◂— 0xdb8b156e6a07500
02:0010│          0x7ffdb0445f20 —▸ 0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
03:0018│          0x7ffdb0445f28 —▸ 0x5581ae7bbb14 ◂— call   0x5581ae770710
04:0020│          0x7ffdb0445f30 ◂— 0x0
05:0028│          0x7ffdb0445f38 ◂— 0xffffffffffffffff
06:0030│ r12      0x7ffdb0445f40 ◂— 0x0
07:0038│ rbx rdi  0x7ffdb0445f48 ◂— 0xfffffffe7ffffbff
─────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────
 ► f 0     7f0853f7b2e6 sigsuspend+70
   f 1     5581ae7bbb14
   f 2     5581ae7bc6b8
   f 3     5581ae7bd4db process_pending_signals+363
   f 4     5581ae7a06e8 cpu_loop+504
   f 5     5581ae773504 main+1860
   f 6     7f0853f5db97 __libc_start_main+231

我得到了与aarch64相同的行为，并进行了仿真，并使用了未包装的Galaxy S9映像中的库。

解决方法

Android二进制文件可能正在尝试使用QEMU未实现的内核功能，否则可能是在做意外的事情-大多数情况下，QEMU的用户仿真模式是在普通Linux用户空间二进制文件（而非Android用户二进制文件）上测试的。例如，您可以在strace（）中看到很多失败的prctl（）调用：调试这的一个好开始是找出他们要做什么，并检查QEMU是否实现了它们。

您可能还会发现使用QEMU的内置调试存根并将x86感知的gdb附加到它上很有用：然后您可以逐步执行来宾代码，并查看出错时的工作方式。 / p>

最后，您不会提及您正在使用哪个QEMU版本-如果它不是最新版本，则总是值得尝试使用最新版本来检查它是否已得到修复。（特别是在4.0之前的任何版本的QEMU都存在一些与多线程和用户模式仿真中的信号有关的非常不好的错误。）

android android emulation segmentation-fault

Android二进制的qemu用户仿真中的segfault

问题描述

解决方法

相关问答