Closed l2dy closed 6 days ago
I think this is an issue with ios_system. It may also happen that, when launching a command after closing a window, you receive a "segmentation fault".
I will try to track this down for 17.3.0.
Please let me know if you find anything from your side. It is hard to catch though.
PS: Other tools in ios_system also have problems when dealing with control sequences, etc... It would be a good moment to take a deep look at them too.
From the Address Sanitizer logs I have attached in the OP, it seems that `ios_switchSession` is having trouble with a `strcmp()` call.
With the traditional "printf" debug method (https://github.com/l2dy-forks/ios_system/commit/0de9a6e365c515505ab580ace1846d48a3f38421), I found a UAF that came from dereferencing `currentSession->context` (`0x10c156580` in the backtrace).
This may or may not be related to the segment fault, but is definitely a bug.
```
ios_switchSession: before strcmp currentSession=0x10d817a80,currentSession.context=0x10c1480c0,sessionName=0x10cfb6421
ios_switchSession: strcmp currentSession=\M-IW\M^P\^D\^A,sessionName=7C01E794-38E9-4E88-9EED-006825C2643E-9060-000005AF28421777
ios_switchSession: before strcmp currentSession=0x10d815e80,currentSession.context=0x10c156580,sessionName=0x10cfb6421
ios_switchSession: strcmp currentSession=\M-IW\M^P\^D\^A,sessionName=7C01E794-38E9-4E88-9EED-006825C2643E-9060-000005AF28421777
[...snip...]
ios_switchSession: before strcmp currentSession=0x10d815e80,currentSession.context=0x10c156580,sessionName=0x10cf685b1
=================================================================
==9060==ERROR: AddressSanitizer: heap-use-after-free on address 0x00010c156580 at pc 0x000106be1ef0 bp 0x00016e00c070 sp 0x00016e00b830
READ of size 4 at 0x00010c156580 thread T8
    #0 0x106be1eec in wrap_strlen+0x244 (/private/var/containers/Bundle/Application/89A015D9-DB19-4474-8111-3ED5237A49F8/Blink.app/Frameworks/libclang_rt.asan_ios_dynamic.dylib:arm64e+0x19eec)
    #1 0x1abab33a4 in <redacted>+0x7bc (/usr/lib/system/libsystem_trace.dylib:arm64e+0x53a4)
    #2 0x1abaafc0c in <redacted>+0x190 (/usr/lib/system/libsystem_trace.dylib:arm64e+0x1c0c)
    #3 0x1922a8b0c in _CFLogvEx3+0xb8 (/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:arm64e+0x9eb0c)
    #4 0x191246074 in <redacted>+0xa0 (/System/Library/Frameworks/Foundation.framework/Foundation:arm64e+0xa2074)
    #5 0x191245fa8 in NSLog+0x34 (/System/Library/Frameworks/Foundation.framework/Foundation:arm64e+0xa1fa8)
    #6 0x107b879bc in ios_switchSession+0xb0 (/private/var/containers/Bundle/Application/89A015D9-DB19-4474-8111-3ED5237A49F8/Blink.app/Frameworks/ios_system.framework/ios_system:arm64+0xf9bc)
```
`currentSession` seems to be a thread-local variable. Does Blink use separate threads to start each shell's ios_system session?
PS: `currentSession` is initialized on first use of `int ios_system(const char* inputCmd)` in each thread. https://github.com/holzschu/ios_system/blob/430d87dd15b42fc321cc256dc394ea93ab256e48/ios_system.m#L2629-L2632
Without Address Sanitizer, Xcode pauses execution here. `thread_context` is also among the thread-local variables in ios_system, so it's very likely a thread-safety issue.
```c
// Thread-local input and output streams
extern __thread FILE* thread_stdin;
extern __thread FILE* thread_stdout;
extern __thread FILE* thread_stderr;
extern __thread void* thread_context;
```
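As an added illustration (not ios_system's or Blink's code), one way to keep a per-thread "current session" from dangling after its tab closes: the thread-local holds a (slot, generation) handle that is re-validated under a lock on every use, rather than a raw pointer into memory another thread may have freed. The registry, `session_open`, `session_close`, `session_switch` and `current_context` are hypothetical names for this sketch.

```c
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
/* Hypothetical session registry (not ios_system's code): threads cache a (slot, generation)
 * handle, never a raw pointer, so a session closed by another tab resolves to NULL, not freed memory. */
#define MAX_SESSIONS 8
typedef struct { char name[64]; void *context; unsigned gen; int live; } Session;
typedef struct { int slot; unsigned gen; } SessionHandle;
static Session registry[MAX_SESSIONS];
static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;
static __thread SessionHandle currentSession = { -1, 0 };  /* per-thread cache, like ios_system's */
static int is_live(SessionHandle h) {  /* caller holds reg_lock */
    return h.slot >= 0 && registry[h.slot].live && registry[h.slot].gen == h.gen;
}
SessionHandle session_open(const char *name, size_t ctx_bytes) {
    SessionHandle h = { -1, 0 };  /* slot -1 is returned when the registry is full */
    pthread_mutex_lock(&reg_lock);
    for (int i = 0; i < MAX_SESSIONS && h.slot < 0; i++) {
        if (registry[i].live) continue;
        strncpy(registry[i].name, name, sizeof registry[i].name - 1);
        registry[i].context = calloc(1, ctx_bytes);
        registry[i].live = 1; h.slot = i; h.gen = ++registry[i].gen;  /* reused slot, new generation */
    }
    pthread_mutex_unlock(&reg_lock);
    return h;
}
void session_close(SessionHandle h) {  /* frees the context; every cached handle to it goes stale */
    pthread_mutex_lock(&reg_lock);
    if (is_live(h)) { free(registry[h.slot].context); registry[h.slot].context = NULL; registry[h.slot].live = 0; }
    pthread_mutex_unlock(&reg_lock);
}
/* Bind the calling thread to the named session (0 = ok, -1 = no live session of that name).
 * Resolved by name under the lock every time, never trusting the thread-local cache. */
int session_switch(const char *name) {
    int rc = -1;
    pthread_mutex_lock(&reg_lock);
    for (int i = 0; i < MAX_SESSIONS && rc != 0; i++)
        if (registry[i].live && strcmp(registry[i].name, name) == 0) {
            currentSession.slot = i; currentSession.gen = registry[i].gen; rc = 0;
        }
    pthread_mutex_unlock(&reg_lock);
    return rc;
}
/* Context of this thread's session, or NULL once it was closed (no blind currentSession->context). */
void *current_context(void) {
    pthread_mutex_lock(&reg_lock);
    void *ctx = is_live(currentSession) ? registry[currentSession.slot].context : NULL;
    pthread_mutex_unlock(&reg_lock);
    return ctx;
}
```

The generation counter matters because a closed slot is reused by the next tab: a stale handle from the old tab still resolves to NULL rather than silently pointing at the new tab's context.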
If I recall, and I have not touched this for some time, yeah we should be using separate threads. But there may be some internal mechanisms though that are not working well or that we are not using properly. I have another hunch that there is something with the descriptors getting mixed in some cases.
Fixed 17.3.0
Checklist
Configuration
Custom build of Blink commit df04676bc07fde94b57a9cc7aedf2430ab996e07, iPadOS 17.3.1
Describe the bug
Note: I'm reporting a crash on my custom build of Blink because I don't have access to TestFlight or the official build. Please try to reproduce the crash on the official build before investigating.
With the following steps, I can reliably reproduce a crash of the ssh command or the entire app after a few attempts.
Steps to reproduce:
1. `ssh <unreachable_host>` (e.g. `ssh ::1`) once.
2. `Cmd+W` to close the current tab.
3. `ssh <unreachable_host>` several times.
Address Sanitizer logs