Investigate gdbserver Role in SIGILL in Android Emulator Debugging

In my previous article I successfully compiled gdbserver for further examination. Let's start by examining its role in the mechanism that causes the SIGILL.

[image: in01]

This is a partial view of the disassembly:

[image: in02, partial disassembly around 0x830C]

The instruction at 0x830C should be 0xE1A00003 (mov r0, r3), but it has been written as 0xEF9F0001, which is what causes the SIGILL. You can read my previous article for the analysis of how I arrived at this conclusion.

The write log above comes from linux_write_memory (linux-low.c), whose prototype is as follows:

[image: in03, prototype of linux_write_memory]

The value of interest is the second parameter of this function, const unsigned char *myaddr, which points at the bytes that are about to be written into the debuggee.

But before accusing gdbserver, let's combine the debug log and the remote-communication log inside gdbserver, so that we can first pinpoint the exact source of the opcode:

[image: in04, combined debug and remote-protocol log]

The getpkt command above is a memory write; its format is documented at https://sourceware.org/gdb/onlinedocs/gdb/Packets.html#Packets as follows:

‘X addr,length:XX…’
Write data to memory, where the data is transmitted in binary. Memory is specified by its address addr and number of bytes length; ‘XX…’ is binary data (see Binary Data).

By adding a further log line at that location (i.e. where the "packet from remote" string is printed), recompiling and redeploying, the source of the X command was traced to the process_serial_event function (server.c). This confirms that the write originates from the debugger client, not from gdbserver itself.

The protocol sequence above is puzzling, though: first the client requests the word at 0x830C (m830c,4), which gdbserver correctly returns as 0xE1A00003, and then the client asks for the very same location to be overwritten with 0xEF9F0001.

At this point we have established that it is the client, not gdbserver, that provokes the SIGILL by feeding an incorrect value as the instruction. This is potentially dangerous, especially when the incorrect value happens to be a valid ARM or Thumb instruction: it will cause confusion and instability in the debuggee. One caveat worth keeping in mind before digging into the client: the bytes 01 00 9F EF decode to swi 0x9f0001, the instruction GDB's ARM GNU/Linux target has traditionally used as its software breakpoint, and a read of the original word followed immediately by a write of a trap instruction to the same address is exactly what breakpoint insertion looks like on the wire when the client inserts breakpoints by plain memory writes instead of Z packets. So the question to take to the client source is not only where the value comes from, but why a breakpoint written this way ends in SIGILL on this target.
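To make the read-then-write sequence in the log concrete, here is a small decoder for the two packet types involved, the 'm addr,length' read with its hex reply and the 'X addr,length:XX…' binary write, including the '$…#xx' checksum framing and the '}' escape mechanism from the Binary Data section of the protocol documentation. This is an added example written for this post; it is not code from gdb or gdbserver, and the packets in CONSTRUCTED_LOG are constructed from the description above (read of 0x830c answered with E1A00003, then a binary write of EF9F0001 to 0x830c), not copied from the real capture. The sender labels "gdb" and "gdbserver" are also just this example's convention.

```python
"""Decoder for the read-then-write exchange in the log above: 'm addr,length'
with its hex reply, and 'X addr,length:XX...' with its binary payload, both in
the '$...#xx' checksum framing of the GDB remote serial protocol.

Added example for this post, not gdb or gdbserver code. CONSTRUCTED_LOG is
constructed to match the post's description; it is not a real capture."""
import struct

ESCAPE = 0x7D                            # '}' followed by (byte ^ 0x20)
MUST_ESCAPE = {0x23, 0x24, 0x7D, 0x2A}   # '#', '$', '}', '*'

def checksum(payload: bytes) -> int:
    """Sum of payload bytes modulo 256, sent as two hex digits after '#'."""
    return sum(payload) & 0xFF

def frame(payload: bytes) -> bytes:
    return b"$" + payload + b"#%02x" % checksum(payload)

def unframe(packet: bytes) -> bytes:
    """Strip framing and verify the checksum; a mismatch raises ValueError."""
    if len(packet) < 4 or packet[:1] != b"$" or packet[-3:-2] != b"#":
        raise ValueError("not a framed packet: %r" % packet)
    payload, given = packet[1:-3], int(packet[-2:], 16)
    if checksum(payload) != given:
        raise ValueError("checksum %02x != %02x" % (checksum(payload), given))
    return payload

def escape_binary(data: bytes) -> bytes:
    """Escape the bytes that would otherwise be read as protocol characters."""
    return b"".join(bytes([ESCAPE, b ^ 0x20]) if b in MUST_ESCAPE else bytes([b])
                    for b in data)

def unescape_binary(data: bytes) -> bytes:
    """Inverse of escape_binary; a lone trailing '}' is malformed."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == ESCAPE:
            i += 1
            if i == len(data):
                raise ValueError("dangling escape at end of binary data")
            out.append(data[i] ^ 0x20)
        else:
            out.append(data[i])
        i += 1
    return bytes(out)

def parse_memory_request(payload: bytes) -> dict:
    """Decode a client 'm addr,length' or 'X addr,length:XX...' packet."""
    if payload[:1] == b"m":
        addr, length = payload[1:].split(b",")
        return {"op": "read", "addr": int(addr, 16), "length": int(length, 16)}
    if payload[:1] == b"X":
        head, _, body = payload[1:].partition(b":")   # head holds no ':'
        addr, length = head.split(b",")
        data, n = unescape_binary(body), int(length, 16)
        if len(data) != n:   # the length field counts unescaped bytes
            raise ValueError("X declares %d bytes, carries %d" % (n, len(data)))
        return {"op": "write", "addr": int(addr, 16), "length": n, "data": data}
    raise ValueError("not a memory packet: %r" % payload)

def parse_read_reply(payload: bytes) -> bytes:
    """Reply to 'm': memory as hex digits in target byte order; 'Exx' is an error."""
    if payload[:1] == b"E":
        raise ValueError("target returned error %r" % payload)
    return bytes.fromhex(payload.decode("ascii"))

def replay_log(exchange):
    """Walk (sender, packet) pairs; return {addr: [(op, word), ...]} for every
    4-byte access, decoding words little-endian as the ARM target does.
    '+'/'-' acks are skipped; a reply is paired with the last unanswered 'm'."""
    history, pending = {}, None
    for sender, pkt in exchange:
        if pkt in (b"+", b"-"):
            continue
        payload = unframe(pkt)
        if sender == "gdb":
            req = parse_memory_request(payload)
            if req["op"] == "read":
                pending = req
            elif req["length"] == 4:
                word = struct.unpack("<I", req["data"])[0]
                history.setdefault(req["addr"], []).append(("write", word))
        elif pending is not None:
            data = parse_read_reply(payload)
            if len(data) == 4:
                word = struct.unpack("<I", data)[0]
                history.setdefault(pending["addr"], []).append(("read", word))
            pending = None
    return history

# Constructed to mirror the post's log; instruction bytes are little-endian on the wire.
CONSTRUCTED_LOG = [
    ("gdb", frame(b"m830c,4")),
    ("gdbserver", b"+"),
    ("gdbserver", frame(b"0300a0e1")),          # 0xE1A00003 = mov r0, r3
    ("gdb", b"+"),
    ("gdb", frame(b"X830c,4:" + escape_binary(struct.pack("<I", 0xEF9F0001)))),
    ("gdbserver", b"+"),
    ("gdbserver", frame(b"OK")),
]

if __name__ == "__main__":
    for addr, ops in replay_log(CONSTRUCTED_LOG).items():
        for op, word in ops:
            print("%-5s 0x%04x: 0x%08X" % (op, addr, word))
```

Running it prints the read of 0xE1A00003 followed by the write of 0xEF9F0001 at 0x830c, which is the transition visible in the gdbserver log. The same replay_log function can be pointed at a longer capture to list every address the client reads and then overwrites, which is a quick way to separate breakpoint insertions from any other memory writes the client performs.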

So there is still a long way to go, because now I have to compile and examine the debugger client's source. If you are an Android developer reading this article, I hope you can shed some light on this issue.
