asLody / SandHook

Android ART Hook/Native Inline Hook/Single Instruction Hook - support 4.4 - 11.0 32/64 bit - Xposed API Compat

JNI DETECTED ERROR IN APPLICATION: use of invalid jobject xxxx #62

Open buffcow opened 3 years ago

buffcow commented 3 years ago

xposedcompat_new hits this exception; the method should be at SetObjectArrayElement here

This error is similar

FD- commented 3 years ago

It seems like this problem is caused by a bug when extracting the genericJniStub in CastArtMethod::init. When I ensure that getInterpreterBridge(true) is used, this crash does not occur anymore. I don't know the side effects though, so a comment from @ganyao114 would be highly appreciated!

FD- commented 3 years ago

More complete stack trace of the crash on Android 9 (though please note I'm using a modified version of SandHook):

2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542] JNI DETECTED ERROR IN APPLICATION: use of invalid jobject 0x178d2c30
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]     from void android.content.UriMatcher.addURI(java.lang.String, java.lang.String, int)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542] "main" prio=5 tid=1 Runnable
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   | group="main" sCount=0 dsCount=0 flags=0 obj=0x783bc870 self=0x76da414c00
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   | sysTid=6416 nice=0 cgrp=default sched=1073741825/1 handle=0x7760311548
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   | state=R schedstat=( 433716405 4673284 153 ) utm=34 stm=9 core=3 HZ=100
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   | stack=0x7ffa487000-0x7ffa489000 stackSize=8MB
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   | held mutexes= "mutator lock"(shared held)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #00 pc 00000000003c15a4  /system/lib64/libart.so (offset fa000) (art::DumpNativeStack(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, int, BacktraceMap*, char const*, art::ArtMethod*, void*, bool)+220)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #01 pc 000000000048ec54  /system/lib64/libart.so (offset 3e5000) (art::Thread::DumpStack(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, bool, BacktraceMap*, bool) const+352)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #02 pc 00000000002e4b1c  /system/lib64/libart.so (offset fa000) (art::JavaVMExt::JniAbort(char const*, char const*)+968)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #03 pc 00000000002e501c  /system/lib64/libart.so (offset fa000) (art::JavaVMExt::JniAbortF(char const*, char const*, ...)+180)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #04 pc 0000000000494878  /system/lib64/libart.so (offset 3e5000) (art::Thread::DecodeJObject(_jobject*) const+808)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #05 pc 000000000045d710  /system/lib64/libart.so (offset 3e5000) (art::(anonymous namespace)::ArgArray::BuildArgArrayFromJValues(art::ScopedObjectAccessAlreadyRunnable const&, art::ObjPtr<art::mirror::Object>, jvalue*)+208)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #06 pc 000000000045d500  /system/lib64/libart.so (offset 3e5000) (art::InvokeWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue*)+384)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #07 pc 00000000003621cc  /system/lib64/libart.so (offset fa000) (art::JNI::CallStaticVoidMethodA(_JNIEnv*, _jclass*, _jmethodID*, jvalue*)+636)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #08 pc 00000000000077d0  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/base.apk (offset 1ae000) (_JNIEnv::CallStaticVoidMethodA(_jclass*, _jmethodID*, jvalue const*)+56)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #09 pc 00000000000074bc  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/base.apk (offset 1ae000) (FFIJniDispatcher(FFIClosure*, void*, void**, void*)+712)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #10 pc 0000000000018b70  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/base.apk (offset 1ae000) (FFIDispatcher(ffi_cif*, void*, void**, void*)+120)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #11 pc 000000000001b320  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/base.apk (offset 1ae000) (???)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #12 pc 000000000001bc40  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/base.apk (offset 1ae000) (???)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #13 pc 000000000000f34c  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/oat/arm64/base.odex (offset f000) (com.swift.sandhook.ClassNeverCall.neverCallNative [DEDUPED]+124)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #14 pc 0000000000554f88  /system/lib64/libart.so (offset 3e5000) (art_quick_invoke_stub+584)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #15 pc 00000000000cf6c8  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #16 pc 000000000027f22c  /system/lib64/libart.so (offset fa000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #17 pc 0000000000279240  /system/lib64/libart.so (offset fa000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #18 pc 0000000000527738  /system/lib64/libart.so (offset 3e5000) (MterpInvokeVirtualQuick+584)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #19 pc 000000000054b414  /system/lib64/libart.so (offset 3e5000) (ExecuteMterpImpl+29972)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #20 pc 000000000015b626  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/oat/arm64/base.vdex (com.fd.sandhooktest.MainActivity.onCreate+78)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #21 pc 0000000000252f44  /system/lib64/libart.so (offset fa000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.1476001603+488)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #22 pc 0000000000514fa8  /system/lib64/libart.so (offset 3e5000) (artQuickToInterpreterBridge+1020)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #23 pc 000000000055e0fc  /system/lib64/libart.so (offset 3e5000) (art_quick_to_interpreter_bridge+92)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #24 pc 00000000014eee1c  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.Activity.performCreate+172)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #25 pc 000000000096a8f0  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.Instrumentation.callActivityOnCreate+80)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #26 pc 0000000000de7b40  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.ActivityThread.performLaunchActivity+2112)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #27 pc 0000000000dee8d8  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.ActivityThread.handleLaunchActivity+424)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #28 pc 000000000151e534  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.servertransaction.LaunchActivityItem.execute+372)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #29 pc 00000000009dfdb4  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.servertransaction.TransactionExecutor.executeCallbacks+708)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #30 pc 00000000009dfa78  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.servertransaction.TransactionExecutor.execute+280)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #31 pc 0000000000dd2324  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.ActivityThread$H.handleMessage+340)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #32 pc 0000000001640574  /system/framework/arm64/boot-framework.oat (offset 916000) (android.os.Handler.dispatchMessage+180)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #33 pc 0000000001647b70  /system/framework/arm64/boot-framework.oat (offset 916000) (android.os.Looper.loop+1264)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #34 pc 0000000000de6648  /system/framework/arm64/boot-framework.oat (offset 916000) (android.app.ActivityThread.main+664)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #35 pc 000000000055524c  /system/lib64/libart.so (offset 3e5000) (art_quick_invoke_static_stub+604)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #36 pc 00000000000cf6e8  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #37 pc 000000000045c85c  /system/lib64/libart.so (offset 3e5000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #38 pc 000000000045e2b0  /system/lib64/libart.so (offset 3e5000) (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1440)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #39 pc 00000000003ee18c  /system/lib64/libart.so (offset fa000) (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+52)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #40 pc 000000000078eed4  /system/framework/arm64/boot-core-oj.oat (offset 2dc000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+180)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #41 pc 0000000001a4cb08  /system/framework/arm64/boot-framework.oat (offset 916000) (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+136)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #42 pc 0000000001a58380  /system/framework/arm64/boot-framework.oat (offset 916000) (com.android.internal.os.ZygoteInit.main+3088)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #43 pc 000000000055524c  /system/lib64/libart.so (offset 3e5000) (art_quick_invoke_static_stub+604)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #44 pc 00000000000cf6e8  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #45 pc 000000000045c85c  /system/lib64/libart.so (offset 3e5000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #46 pc 000000000045c4bc  /system/lib64/libart.so (offset 3e5000) (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+424)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #47 pc 0000000000361ac8  /system/lib64/libart.so (offset fa000) (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+652)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #48 pc 00000000000b1fa0  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+116)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #49 pc 00000000000b49c4  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+752)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #50 pc 000000000000251c  /system/bin/app_process64 (main+2000)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #51 pc 00000000000ca47c  /system/lib64/libc.so (__libc_init+88)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.content.UriMatcher.addURI(Native method)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at com.fd.sandhooktest.MainActivity.onCreate(MainActivity.java:65)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.Activity.performCreate(Activity.java:7136)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.Activity.performCreate(Activity.java:7127)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1272)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2905)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3060)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1818)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.os.Handler.dispatchMessage(Handler.java:106)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.os.Looper.loop(Looper.java:193)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.app.ActivityThread.main(ActivityThread.java:6762)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at java.lang.reflect.Method.invoke(Native method)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]
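As an added triage aid, not part of the issue thread and not SandHook's own code: a small parser for the ART `java_vm_ext.cc` JNI-abort dump, run over a constructed, trimmed copy of the trace above. It extracts the rejected handle, the Java method ART was executing, the `art::JNI::*` entry point that detected the misuse, and the first app-owned native frame below the inlined `_JNIEnv::` wrapper, which in this trace is `FFIJniDispatcher`, the app-side caller that handed the `jvalue` array to `CallStaticVoidMethodA`. The names `JniAbort`, `parse_jni_abort` and `suspect` are mine; the frame/path layout is assumed from the dump as printed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the ART abort dump from the thread,
# keeping only lines that show each record type the parser handles.
SAMPLE_LOG = """\
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542] JNI DETECTED ERROR IN APPLICATION: use of invalid jobject 0x178d2c30
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]     from void android.content.UriMatcher.addURI(java.lang.String, java.lang.String, int)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542] "main" prio=5 tid=1 Runnable
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #02 pc 00000000002e4b1c  /system/lib64/libart.so (offset fa000) (art::JavaVMExt::JniAbort(char const*, char const*)+968)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #04 pc 0000000000494878  /system/lib64/libart.so (offset 3e5000) (art::Thread::DecodeJObject(_jobject*) const+808)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #07 pc 00000000003621cc  /system/lib64/libart.so (offset fa000) (art::JNI::CallStaticVoidMethodA(_JNIEnv*, _jclass*, _jmethodID*, jvalue*)+636)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #08 pc 00000000000077d0  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/base.apk (offset 1ae000) (_JNIEnv::CallStaticVoidMethodA(_jclass*, _jmethodID*, jvalue const*)+56)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #09 pc 00000000000074bc  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/base.apk (offset 1ae000) (FFIJniDispatcher(FFIClosure*, void*, void**, void*)+712)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #13 pc 000000000000f34c  /data/app/com.fd.sandhooktest-ebs_bejhZrDKWm7cQ7Czug==/oat/arm64/base.odex (offset f000) (com.swift.sandhook.ClassNeverCall.neverCallNative [DEDUPED]+124)
2021-04-27 15:36:58.044 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   native: #15 pc 00000000000cf6c8  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at android.content.UriMatcher.addURI(Native method)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]   at com.fd.sandhooktest.MainActivity.onCreate(MainActivity.java:65)
2021-04-27 15:36:58.045 6416-6416/? A/fd.sandhooktes: java_vm_ext.cc:542]
"""

# Everything after the "java_vm_ext.cc:NNN]" tag is the dump payload.
PAYLOAD_RE = re.compile(r"java_vm_ext\.cc:\d+\]\s?(.*)$")
ERROR_RE = re.compile(r"^JNI DETECTED ERROR IN APPLICATION: (.*)$")
HANDLE_RE = re.compile(r"0x[0-9a-fA-F]+")
FROM_RE = re.compile(r"^from (.+)$")
# "(offset ...)" is optional: some libart frames are printed without it.
NATIVE_RE = re.compile(
    r"^native: #(\d+) pc ([0-9a-f]+)\s+(\S+) (?:\(offset [0-9a-f]+\) )?\((.*)\)$"
)
JAVA_RE = re.compile(r"^at (\S+)\((.*)\)$")


@dataclass
class NativeFrame:
    index: int
    pc: int
    image: str
    symbol: str

    @property
    def is_app_code(self) -> bool:
        # The app's own .so, apk and oat/odex live under /data/app;
        # /system images belong to the platform (assumption from the dump).
        return self.image.startswith("/data/app/")


@dataclass
class JniAbort:
    message: str = ""
    handle: Optional[str] = None
    from_method: Optional[str] = None
    native_frames: List[NativeFrame] = field(default_factory=list)
    java_frames: List[str] = field(default_factory=list)

    def jni_entry(self) -> Optional[NativeFrame]:
        # The art::JNI::* frame is the JNI function that received the bad handle.
        return next((f for f in self.native_frames if f.symbol.startswith("art::JNI::")), None)

    def app_frames(self) -> List[NativeFrame]:
        return [f for f in self.native_frames if f.is_app_code]

    def suspect(self) -> Optional[NativeFrame]:
        # First app-owned frame that is not the inlined _JNIEnv:: wrapper,
        # i.e. the native code that actually passed the handle to JNI.
        return next((f for f in self.app_frames() if not f.symbol.startswith("_JNIEnv::")), None)


def parse_jni_abort(log: str) -> JniAbort:
    result = JniAbort()
    for line in log.splitlines():
        m = PAYLOAD_RE.search(line)
        if not m:
            continue
        payload = m.group(1).strip()
        if not payload:
            continue  # the dump ends with an empty payload line
        if (e := ERROR_RE.match(payload)):
            result.message = e.group(1)
            h = HANDLE_RE.search(result.message)
            result.handle = h.group(0) if h else None
        elif (fr := FROM_RE.match(payload)):
            result.from_method = fr.group(1)
        elif (n := NATIVE_RE.match(payload)):
            result.native_frames.append(
                NativeFrame(int(n.group(1)), int(n.group(2), 16), n.group(3), n.group(4))
            )
        elif JAVA_RE.match(payload):
            result.java_frames.append(payload[len("at "):])
    return result


def summarize(log: str) -> str:
    r = parse_jni_abort(log)
    entry, who = r.jni_entry(), r.suspect()
    return (
        f"{r.message}\n  executing: {r.from_method}\n"
        f"  JNI entry: #{entry.index if entry else '?'} {entry.symbol if entry else '?'}\n"
        f"  app caller: #{who.index if who else '?'} {who.symbol if who else '?'}"
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The useful output is `suspect()`: in a hooking framework every `art::JNI::*` frame sits under generic dispatch code, so the first app frame above the wrapper is where to look for a local reference that was created in one frame and reused after the native frame that owned it returned.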