// Copyright (c) 2009 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include #include #include #include #include #include "base/command_line.h" #include "base/eintr_wrapper.h" #include "base/file_version_info_linux.h" #include "base/global_descriptors_posix.h" #include "base/path_service.h" #include "base/rand_util.h" #include "breakpad/linux/directory_reader.h" #include "breakpad/linux/exception_handler.h" #include "breakpad/linux/linux_libc_support.h" #include "breakpad/linux/linux_syscall_support.h" #include "breakpad/linux/memory.h" #include "chrome/common/chrome_switches.h" #include "chrome/common/chrome_descriptors.h" #include "chrome/installer/util/google_update_settings.h" static const char kUploadURL[] = "https://clients2.google.com/cr/report"; // Writes the value |v| as 16 hex characters to the memory pointed at by // |output|. static void write_uint64_hex(char* output, uint64_t v) { static const char hextable[] = "0123456789abcdef"; for (int i = 15; i >= 0; --i) { output[i] = hextable[v & 15]; v >>= 4; } } pid_t UploadCrashDump(const char* filename, const char* process_type, unsigned process_type_length, const char* crash_url, unsigned crash_url_length, const char* guid, unsigned guid_length) { // WARNING: this code runs in a compromised context. It may not call into // libc nor allocate memory normally. const int dumpfd = sys_open(filename, O_RDONLY, 0); if (dumpfd < 0) { static const char msg[] = "Cannot upload crash dump: failed to open\n"; sys_write(2, msg, sizeof(msg)); return -1; } struct kernel_stat st; if (sys_fstat(dumpfd, &st) != 0) { static const char msg[] = "Cannot upload crash dump: stat failed\n"; sys_write(2, msg, sizeof(msg)); sys_close(dumpfd); return -1; } google_breakpad::PageAllocator allocator; uint8_t* dump_data = reinterpret_cast(allocator.Alloc(st.st_size)); if (!dump_data) { static const char msg[] = "Cannot upload crash dump: cannot alloc\n"; sys_write(2, msg, sizeof(msg)); sys_close(dumpfd); return -1; } sys_read(dumpfd, dump_data, st.st_size); sys_close(dumpfd); // We need to build a MIME block for uploading to the server. Since we are // going to fork and run wget, it needs to be written to a temp file. const int ufd = sys_open("/dev/urandom", O_RDONLY, 0); if (ufd < 0) { static const char msg[] = "Cannot upload crash dump because /dev/urandom" " is missing\n"; sys_write(2, msg, sizeof(msg) - 1); return -1; } static const char temp_file_template[] = "/tmp/chromium-upload-XXXXXXXXXXXXXXXX"; char buf[sizeof(temp_file_template)]; memcpy(buf, temp_file_template, sizeof(temp_file_template)); int fd = -1; for (unsigned i = 0; i < 10; ++i) { uint64_t t; read(ufd, &t, sizeof(t)); write_uint64_hex(buf + sizeof(buf) - (16 + 1), t); fd = sys_open(buf, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd >= 0) break; } if (fd == -1) { static const char msg[] = "Failed to create temporary file in /tmp: cannot " "upload crash dump\n"; sys_write(2, msg, sizeof(msg) - 1); sys_close(ufd); return -1; } // The MIME boundary is 28 hypens, followed by a 64-bit nonce and a NUL. char mime_boundary[28 + 16 + 1]; my_memset(mime_boundary, '-', 28); uint64_t boundary_rand; sys_read(ufd, &boundary_rand, sizeof(boundary_rand)); write_uint64_hex(mime_boundary + 28, boundary_rand); mime_boundary[28 + 16] = 0; sys_close(ufd); // The define for the product version is a wide string, so we need to // downconvert it. static const wchar_t version[] = PRODUCT_VERSION; static const unsigned version_len = sizeof(version) / sizeof(wchar_t); char version_msg[version_len]; for (unsigned i = 0; i < version_len; ++i) version_msg[i] = static_cast(version[i]); // The MIME block looks like this: // BOUNDARY \r\n (0, 1) // Content-Disposition: form-data; name="prod" \r\n \r\n (2..6) // Chrome_Linux \r\n (7, 8) // BOUNDARY \r\n (9, 10) // Content-Disposition: form-data; name="ver" \r\n \r\n (11..15) // 1.2.3.4 \r\n (16, 17) // BOUNDARY \r\n (18, 19) // Content-Disposition: form-data; name="guid" \r\n \r\n (20..24) // 1.2.3.4 \r\n (25, 26) // BOUNDARY \r\n (27, 28) // // zero or more: // Content-Disposition: form-data; name="url-chunk-1" \r\n \r\n (0..5) // abcdef \r\n (6, 7) // BOUNDARY \r\n (8, 9) // // Content-Disposition: form-data; name="dump"; filename="dump" \r\n (0,1,2) // Content-Type: application/octet-stream \r\n \r\n (3,4,5) // (6) // \r\n BOUNDARY -- \r\n (7,8,9,10) static const char rn[] = {'\r', '\n'}; static const char form_data_msg[] = "Content-Disposition: form-data; name=\""; static const char prod_msg[] = "prod"; static const char quote_msg[] = {'"'}; static const char chrome_linux_msg[] = "Chrome_Linux"; static const char ver_msg[] = "ver"; static const char guid_msg[] = "guid"; static const char dashdash_msg[] = {'-', '-'}; static const char dump_msg[] = "upload_file_minidump\"; filename=\"dump\""; static const char content_type_msg[] = "Content-Type: application/octet-stream"; static const char url_chunk_msg[] = "url-chunk-"; static const char process_type_msg[] = "ptype"; struct kernel_iovec iov[29]; iov[0].iov_base = mime_boundary; iov[0].iov_len = sizeof(mime_boundary) - 1; iov[1].iov_base = const_cast(rn); iov[1].iov_len = sizeof(rn); iov[2].iov_base = const_cast(form_data_msg); iov[2].iov_len = sizeof(form_data_msg) - 1; iov[3].iov_base = const_cast(prod_msg); iov[3].iov_len = sizeof(prod_msg) - 1; iov[4].iov_base = const_cast(quote_msg); iov[4].iov_len = sizeof(quote_msg); iov[5].iov_base = const_cast(rn); iov[5].iov_len = sizeof(rn); iov[6].iov_base = const_cast(rn); iov[6].iov_len = sizeof(rn); iov[7].iov_base = const_cast(chrome_linux_msg); iov[7].iov_len = sizeof(chrome_linux_msg) - 1; iov[8].iov_base = const_cast(rn); iov[8].iov_len = sizeof(rn); iov[9].iov_base = mime_boundary; iov[9].iov_len = sizeof(mime_boundary) - 1; iov[10].iov_base = const_cast(rn); iov[10].iov_len = sizeof(rn); iov[11].iov_base = const_cast(form_data_msg); iov[11].iov_len = sizeof(form_data_msg) - 1; iov[12].iov_base = const_cast(ver_msg); iov[12].iov_len = sizeof(ver_msg) - 1; iov[13].iov_base = const_cast(quote_msg); iov[13].iov_len = sizeof(quote_msg); iov[14].iov_base = const_cast(rn); iov[14].iov_len = sizeof(rn); iov[15].iov_base = const_cast(rn); iov[15].iov_len = sizeof(rn); iov[16].iov_base = const_cast(version_msg); iov[16].iov_len = sizeof(version_msg) - 1; iov[17].iov_base = const_cast(rn); iov[17].iov_len = sizeof(rn); iov[18].iov_base = mime_boundary; iov[18].iov_len = sizeof(mime_boundary) - 1; iov[19].iov_base = const_cast(rn); iov[19].iov_len = sizeof(rn); iov[20].iov_base = const_cast(form_data_msg); iov[20].iov_len = sizeof(form_data_msg) - 1; iov[21].iov_base = const_cast(guid_msg); iov[21].iov_len = sizeof(guid_msg) - 1; iov[22].iov_base = const_cast(quote_msg); iov[22].iov_len = sizeof(quote_msg); iov[23].iov_base = const_cast(rn); iov[23].iov_len = sizeof(rn); iov[24].iov_base = const_cast(rn); iov[24].iov_len = sizeof(rn); iov[25].iov_base = const_cast(guid); iov[25].iov_len = guid_length; iov[26].iov_base = const_cast(rn); iov[26].iov_len = sizeof(rn); iov[27].iov_base = mime_boundary; iov[27].iov_len = sizeof(mime_boundary) - 1; iov[28].iov_base = const_cast(rn); iov[28].iov_len = sizeof(rn); sys_writev(fd, iov, 29); if (process_type_length) { iov[0].iov_base = const_cast(form_data_msg); iov[0].iov_len = sizeof(form_data_msg) - 1; iov[1].iov_base = const_cast(process_type_msg); iov[1].iov_len = sizeof(process_type_msg) - 1; iov[2].iov_base = const_cast(quote_msg); iov[2].iov_len = sizeof(quote_msg); iov[3].iov_base = const_cast(rn); iov[3].iov_len = sizeof(rn); iov[4].iov_base = const_cast(rn); iov[4].iov_len = sizeof(rn); iov[5].iov_base = const_cast(process_type); iov[5].iov_len = process_type_length; iov[6].iov_base = const_cast(rn); iov[6].iov_len = sizeof(rn); iov[7].iov_base = mime_boundary; iov[7].iov_len = sizeof(mime_boundary) - 1; iov[8].iov_base = const_cast(rn); iov[8].iov_len = sizeof(rn); sys_writev(fd, iov, 9); } if (crash_url_length) { unsigned i = 0, done = 0; static const unsigned kMaxCrashChunkSize = 64; static const unsigned kMaxUrlLength = 8 * kMaxCrashChunkSize; if (crash_url_length > kMaxUrlLength) crash_url_length = kMaxUrlLength; while (crash_url_length) { char num[16]; const unsigned num_len = my_int_len(++i); my_itos(num, i, num_len); iov[0].iov_base = const_cast(form_data_msg); iov[0].iov_len = sizeof(form_data_msg) - 1; iov[1].iov_base = const_cast(url_chunk_msg); iov[1].iov_len = sizeof(url_chunk_msg) - 1; iov[2].iov_base = num; iov[2].iov_len = num_len; iov[3].iov_base = const_cast(quote_msg); iov[3].iov_len = sizeof(quote_msg); iov[4].iov_base = const_cast(rn); iov[4].iov_len = sizeof(rn); iov[5].iov_base = const_cast(rn); iov[5].iov_len = sizeof(rn); const unsigned len = crash_url_length > kMaxCrashChunkSize ? kMaxCrashChunkSize : crash_url_length; iov[6].iov_base = const_cast(crash_url + done); iov[6].iov_len = len; iov[7].iov_base = const_cast(rn); iov[7].iov_len = sizeof(rn); iov[8].iov_base = mime_boundary; iov[8].iov_len = sizeof(mime_boundary) - 1; iov[9].iov_base = const_cast(rn); iov[9].iov_len = sizeof(rn); sys_writev(fd, iov, 10); done += len; crash_url_length -= len; } } iov[0].iov_base = const_cast(form_data_msg); iov[0].iov_len = sizeof(form_data_msg) - 1; iov[1].iov_base = const_cast(dump_msg); iov[1].iov_len = sizeof(dump_msg) - 1; iov[2].iov_base = const_cast(rn); iov[2].iov_len = sizeof(rn); iov[3].iov_base = const_cast(content_type_msg); iov[3].iov_len = sizeof(content_type_msg) - 1; iov[4].iov_base = const_cast(rn); iov[4].iov_len = sizeof(rn); iov[5].iov_base = const_cast(rn); iov[5].iov_len = sizeof(rn); iov[6].iov_base = dump_data; iov[6].iov_len = st.st_size; iov[7].iov_base = const_cast(rn); iov[7].iov_len = sizeof(rn); iov[8].iov_base = mime_boundary; iov[8].iov_len = sizeof(mime_boundary) - 1; iov[9].iov_base = const_cast(dashdash_msg); iov[9].iov_len = sizeof(dashdash_msg); iov[10].iov_base = const_cast(rn); iov[10].iov_len = sizeof(rn); sys_writev(fd, iov, 11); sys_close(fd); // The --header argument to wget looks like: // --header=Content-Type: multipart/form-data; boundary=XYZ // where the boundary has two fewer leading '-' chars static const char header_msg[] = "--header=Content-Type: multipart/form-data; boundary="; char* const header = reinterpret_cast(allocator.Alloc( sizeof(header_msg) - 1 + sizeof(mime_boundary) - 2)); memcpy(header, header_msg, sizeof(header_msg) - 1); memcpy(header + sizeof(header_msg) - 1, mime_boundary + 2, sizeof(mime_boundary) - 2); // We grab the NUL byte from the end of |mime_boundary|. // The --post-file argument to wget looks like: // --post-file=/tmp/... static const char post_file_msg[] = "--post-file="; char* const post_file = reinterpret_cast(allocator.Alloc( sizeof(post_file_msg) - 1 + sizeof(buf))); memcpy(post_file, post_file_msg, sizeof(post_file_msg) - 1); memcpy(post_file + sizeof(post_file_msg) - 1, buf, sizeof(buf)); const pid_t child = sys_fork(); if (!child) { // This code is called both when a browser is crashing (in which case, // nothing really matters any more) and when a renderer crashes, in which // case we need to continue. // // Since we are a multithreaded app, if we were just to fork(), we might // grab file descriptors which have just been created in another thread and // hold them open for too long. // // Thus, we have to loop and try and close everything. const int fd = sys_open("/proc/self/fd", O_DIRECTORY | O_RDONLY, 0); if (fd < 0) { for (unsigned i = 3; i < 8192; ++i) sys_close(i); } else { google_breakpad::DirectoryReader reader(fd); const char* name; while (reader.GetNextEntry(&name)) { int i; if (my_strtoui(&i, name) && i > 2 && i != fd) sys_close(fd); reader.PopEntry(); } sys_close(fd); } sys_setsid(); // Leave one end of a pipe in the wget process and watch for it getting // closed by the wget process exiting. int fds[2]; sys_pipe(fds); const pid_t child = sys_fork(); if (child) { sys_close(fds[1]); char id_buf[17]; const int len = HANDLE_EINTR(read(fds[0], id_buf, sizeof(id_buf) - 1)); if (len > 0) { id_buf[len] = 0; static const char msg[] = "\nCrash dump id: "; sys_write(2, msg, sizeof(msg) - 1); sys_write(2, id_buf, my_strlen(id_buf)); sys_write(2, "\n", 1); } sys_unlink(filename); sys_unlink(buf); sys__exit(0); } sys_close(fds[0]); sys_dup2(fds[1], 3); static const char* const kWgetBinary = "/usr/bin/wget"; const char* args[] = { kWgetBinary, header, post_file, kUploadURL, "-O", // output reply to fd 3 "/dev/fd/3", NULL, }; execv("/usr/bin/wget", const_cast(args)); static const char msg[] = "Cannot upload crash dump: cannot exec " "/usr/bin/wget\n"; sys_write(2, msg, sizeof(msg) - 1); sys__exit(1); } return child; } // This is defined in chrome/browser/google_update_settings_linux.cc, it's the // static string containing the user's unique GUID. We send this in the crash // report. namespace google_update { extern std::string linux_guid; } static bool CrashDone(const char* dump_path, const char* minidump_id, void* context, bool succeeded) { // WARNING: this code runs in a compromised context. It may not call into // libc nor allocate memory normally. if (!succeeded) return false; google_breakpad::PageAllocator allocator; const unsigned dump_path_len = my_strlen(dump_path); const unsigned minidump_id_len = my_strlen(minidump_id); char *const path = reinterpret_cast(allocator.Alloc( dump_path_len + 1 /* '/' */ + minidump_id_len + 4 /* ".dmp" */ + 1 /* NUL */)); memcpy(path, dump_path, dump_path_len); path[dump_path_len] = '/'; memcpy(path + dump_path_len + 1, minidump_id, minidump_id_len); memcpy(path + dump_path_len + 1 + minidump_id_len, ".dmp", 4); path[dump_path_len + 1 + minidump_id_len + 4] = 0; UploadCrashDump(path, "browser", 7, NULL, 0, google_update::linux_guid.data(), google_update::linux_guid.length()); return true; } void EnableCrashDumping() { // We leak this object. new google_breakpad::ExceptionHandler("/tmp", NULL, CrashDone, NULL, true /* install handlers */); } // This is defined in chrome/renderer/renderer_logging_linux.cc, it's the // static string containing the current active URL. We send this in the crash // report. namespace renderer_logging { extern std::string active_url; } static bool RendererCrashHandler(const void* crash_context, size_t crash_context_size, void* context) { const int fd = (int) context; int fds[2]; socketpair(AF_UNIX, SOCK_STREAM, 0, fds); // The length of the control message: static const unsigned kControlMsgSize = CMSG_SPACE(sizeof(int)); struct kernel_msghdr msg; my_memset(&msg, 0, sizeof(struct kernel_msghdr)); struct kernel_iovec iov[3]; iov[0].iov_base = const_cast(crash_context); iov[0].iov_len = crash_context_size; iov[1].iov_base = const_cast(google_update::linux_guid.data()); iov[1].iov_len = google_update::linux_guid.size(); iov[2].iov_base = const_cast(renderer_logging::active_url.data()); iov[2].iov_len = renderer_logging::active_url.size(); msg.msg_iov = iov; msg.msg_iovlen = 3; char cmsg[kControlMsgSize]; memset(cmsg, 0, kControlMsgSize); msg.msg_control = cmsg; msg.msg_controllen = sizeof(cmsg); struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); hdr->cmsg_level = SOL_SOCKET; hdr->cmsg_type = SCM_RIGHTS; hdr->cmsg_len = CMSG_LEN(sizeof(int)); *((int*) CMSG_DATA(hdr)) = fds[1]; HANDLE_EINTR(sys_sendmsg(fd, &msg, 0)); sys_close(fds[1]); char b; HANDLE_EINTR(sys_read(fds[0], &b, 1)); return true; } void EnableRendererCrashDumping() { const int fd = Singleton()->Get(kCrashDumpSignal); // We deliberately leak this object. google_breakpad::ExceptionHandler* handler = new google_breakpad::ExceptionHandler("" /* unused */, NULL, NULL, (void*) fd, true); handler->set_crash_handler(RendererCrashHandler); } void InitCrashReporter() { // Determine the process type and take appropriate action. const CommandLine& parsed_command_line = *CommandLine::ForCurrentProcess(); const std::wstring process_type = parsed_command_line.GetSwitchValue(switches::kProcessType); if (process_type.empty()) { if (!GoogleUpdateSettings::GetCollectStatsConsent()) return; EnableCrashDumping(); } else if (process_type == switches::kRendererProcess || process_type == switches::kZygoteProcess) { // We might be chrooted in a zygote or renderer process so we cannot call // GetCollectStatsConsent because that needs access the the user's home // dir. Instead, we set a command line flag for these processes. if (!parsed_command_line.HasSwitch(switches::kRendererCrashDump)) return; EnableRendererCrashDumping(); } }