Gedsh / InviZible

Android application for online privacy and security
https://invizible.net
GNU General Public License v3.0

Memory tagging error - Pixel 8 and 8 Pro #253

Closed emtreulapollaguera closed 1 month ago

emtreulapollaguera commented 6 months ago

Following the recent debugging from GrapheneOS about a memory tagging exploit on the Pixel 8 and Pixel 8 Pro, InviZible Pro triggers that vulnerability.

Attached is the GrapheneOS log report:

type: crash
osVersion: google/shiba/shiba:14/AP1A.240305.019.A1/2024031100:user/release-keys
package: pan.alexander.tordnscrypt:3210
process: pan.alexander.tordnscrypt
processUptime: 0 + 0 ms
installer: com.android.packageinstaller

signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0e00c2d543fb70a0

backtrace:

  #00 pc 000000000000aa40  /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/lib/arm64/libinvizible.so (handle_events+684) (BuildId: ea0fd6a76bdd6c9e36262d5581ae69c819c73e05)
  #01 pc 00000000008ddc44  /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/oat/arm64/base.odex (art_jni_trampoline+116)
  #02 pc 00000000008dee64  /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/oat/arm64/base.odex (pan.alexander.tordnscrypt.vpn.service.ServiceVPN.u+868)
  #03 pc 0000000000671684  /data/app/~~vCHzwJnvssKFEvcggpsviw==/pan.alexander.tordnscrypt-Q0O8YpftVbXDPi91KtcGDg==/oat/arm64/base.odex (pan.alexander.tordnscrypt.vpn.service.c.run+84)
  #04 pc 000000000014b310  /system/framework/arm64/boot.oat (java.lang.Thread.run+64) (BuildId: 1235208ba9cfe671264e87eb4b4dae4dc404ed76)
  #05 pc 00000000003e6774  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+612) (BuildId: ce9324755fe74aeab83add3986a7e459)
  #06 pc 00000000003c7fb4  /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+228) (BuildId: ce9324755fe74aeab83add3986a7e459)
  #07 pc 00000000004da9ac  /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1660) (BuildId: ce9324755fe74aeab83add3986a7e459)
  #08 pc 00000000004da31c  /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallbackWithUffdGc(void*)+12) (BuildId: ce9324755fe74aeab83add3986a7e459)
  #09 pc 00000000000d5e6c  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: d1502eff54d5bd153bc5164ce1722801)
  #10 pc 0000000000069a64  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: d1502eff54d5bd153bc5164ce1722801)

Learn more about MTE reports: https://source.android.com/docs/security/test/memory-safety/mte-reports

[Screenshot attached: Screenshot_20240312-185857]

Gedsh commented 6 months ago

From https://source.android.com/docs/security/test/memory-safety/mte-reports

In C/C++, a pointer returned from a call to malloc() or operator new() or similar functions can only be used to access memory within the bounds of that allocation, and only while the allocation is alive (not free-ed or delete-ed). MTE is used in Android to detect violations of this rule, referred to in the crash reports as "Buffer Overflow"/"Buffer Underflow" and "Use After Free" issues.

In VPN mode, InviZible uses objects from native C code, and native C code uses objects from the Java runtime. This way, objects can live longer, causing a crash when memory tagging is enabled. I don't think I can do anything about it.
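To make the rule quoted from the Android MTE documentation concrete, here is an added illustration that is not part of InviZible or of the Android runtime: a small software simulation of tag checking. Real MTE stores a 4-bit tag in the top byte of each pointer and one tag per 16-byte granule of memory, and a load or store whose pointer tag disagrees with the granule tag raises the SIGSEGV/SEGV_MTESERR seen in the report above. The simulation keeps the tags in arrays and the "pointer" in a struct (all names such as `sim_malloc`, `sim_free`, `sim_load` and `tptr` are invented here), so the same checks run on any machine, including one without MTE, and the two failure classes the report names ("Buffer Overflow" and "Use After Free") can be reproduced and distinguished.

```c
/* Added example, not InviZible or Android code: a software simulation of the
 * MTE allocation rule. Tags live in arrays instead of pointer top bytes and
 * memory tag storage, so nothing here needs MTE hardware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE 16                       /* MTE tag granularity in bytes */
#define ARENA_SIZE (GRANULE * 64)        /* 1 KiB toy heap */
#define MAX_ALLOCS 32

typedef struct { size_t off; uint8_t tag; } tptr;   /* simulated tagged pointer */
typedef enum { MTE_OK, MTE_BUFFER_OVERFLOW, MTE_USE_AFTER_FREE } mte_result;

static uint8_t arena[ARENA_SIZE];
static uint8_t granule_tag[ARENA_SIZE / GRANULE];   /* 0 = untagged */
static size_t next_off;                             /* bump allocator, no reuse */
static uint8_t next_tag = 1;

static struct { size_t off, size; int alive; } allocs[MAX_ALLOCS];
static int n_allocs;

/* Hardware picks tags randomly and excludes the neighbours' tags; a rotating
 * counter that skips one tag is enough for the simulation. */
static uint8_t fresh_tag(uint8_t avoid) {
    uint8_t t;
    do {
        t = next_tag;
        next_tag = (uint8_t)(next_tag == 15 ? 1 : next_tag + 1);
    } while (t == avoid);
    return t;
}

static void retag(size_t off, size_t size, uint8_t tag) {
    for (size_t g = off / GRANULE; g < (off + size) / GRANULE; g++)
        granule_tag[g] = tag;
}

/* malloc(): round up to whole granules, tag them, hand back a tagged pointer */
tptr sim_malloc(size_t n) {
    size_t size = (n + GRANULE - 1) / GRANULE * GRANULE;
    tptr p = { 0, 0 };                              /* tag 0 = null, never matches */
    if (n_allocs == MAX_ALLOCS || next_off + size > ARENA_SIZE) return p;
    p.off = next_off;
    p.tag = fresh_tag(0);
    retag(p.off, size, p.tag);
    allocs[n_allocs].off = p.off;
    allocs[n_allocs].size = size;
    allocs[n_allocs].alive = 1;
    n_allocs++;
    next_off += size;
    return p;
}

/* free(): the bytes stay, but the block gets a new tag, so every pointer that
 * was handed out for it mismatches on its next access */
void sim_free(tptr p) {
    for (int i = 0; i < n_allocs; i++) {
        if (allocs[i].off == p.off && allocs[i].alive &&
            granule_tag[p.off / GRANULE] == p.tag) {
            allocs[i].alive = 0;
            retag(p.off, allocs[i].size, fresh_tag(p.tag));
            return;
        }
    }
}

/* The check the CPU performs on every tagged load/store: compare pointer tag
 * with granule tag. On mismatch, classify the fault the way the Android report
 * does, by asking which allocation the faulting address belongs to. */
static mte_result check(tptr p, size_t idx) {
    size_t addr = p.off + idx;
    if (p.tag == 0 || addr >= ARENA_SIZE) return MTE_BUFFER_OVERFLOW;
    if (granule_tag[addr / GRANULE] == p.tag) return MTE_OK;
    for (int i = 0; i < n_allocs; i++)
        if (allocs[i].off == p.off && !allocs[i].alive &&
            addr < allocs[i].off + allocs[i].size)
            return MTE_USE_AFTER_FREE;              /* inside the freed block p came from */
    return MTE_BUFFER_OVERFLOW;                      /* outside it: ran into a neighbour */
}

mte_result sim_store(tptr p, size_t idx, uint8_t v) {
    mte_result r = check(p, idx);
    if (r == MTE_OK) arena[p.off + idx] = v;
    return r;
}

mte_result sim_load(tptr p, size_t idx, uint8_t *out) {
    mte_result r = check(p, idx);
    if (r == MTE_OK) *out = arena[p.off + idx];
    return r;
}

int main(void) {
    uint8_t v;
    tptr a = sim_malloc(20);   /* rounds up to 32 bytes: two granules */
    tptr b = sim_malloc(16);   /* the neighbour, with its own tag */
    sim_store(a, 0, 'A');
    printf("in-bounds load: %d\n", sim_load(a, 0, &v));                       /* 0 = MTE_OK */
    printf("byte 31, past 20 but inside the last granule: %d\n", sim_load(a, 31, &v));
    printf("byte 32, the neighbour's granule: %d\n", sim_load(a, 32, &v));   /* 1 = overflow */
    sim_free(a);
    printf("load after free: %d\n", sim_load(a, 0, &v));                     /* 2 = use after free */
    printf("neighbour still fine: %d\n", sim_load(b, 0, &v));
    return 0;
}
```

Two things the simulation shows that the prose alone does not: detection is synchronous and happens at the first bad access, which is why the report above points at a single frame (`handle_events` in libinvizible.so) rather than at a later corruption site; and the check is only as fine as a granule, so an overrun that stays inside the last 16-byte granule of a block (byte 31 of a 20-byte request here) passes unnoticed. The defensive reading of the issue is the same as the doc's: a native pointer must not outlive the allocation it was taken from, whichever side of the JNI boundary frees it.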