coolstar / electra

Electra iOS 11.0 - 11.1.2 jailbreak toolkit based on async_awake
GNU General Public License v3.0

TweakInject.dylib Received signal 11 #224

Closed liuxuan30 closed 6 years ago

liuxuan30 commented 6 years ago

Just trying to test my tweak from iOS 10 on Electra 1.0.4 with the latest tweak injector; however, a few seconds after opening an app, it crashed with a log like this:

Mar 24 11:54:08 Xuans-iPhone Fruit(TweakInject.dylib)[1121] <Notice>: Received signal 11
Mar 24 11:54:08 Xuans-iPhone kernel(Sandbox)[0] <Notice>: Sandbox: Fruit(1121) deny(1) file-write-create /private/var/mobile/Containers/Data/Application/759D1198-BEE1-4113-B892-E5526B88797D/.safeMode-6421d5bb6d757b7728055d5202b56cba79ada12a

Crash log:

Date/Time:           2018-03-24 11:54:27.5668 +0800
Launch Time:         2018-03-24 11:54:07.4460 +0800
OS Version:          iPhone OS 11.1.1 (15B150)
Baseband Version:    3.21.01
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGKILL)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000068
VM Region Info: 0x68 is not in any region.  Bytes before following region: 4310794136
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                 0000000100f18000-0000000100f1c000 [   16K] r-x/r-x SM=COW  ...it.app/Fruit]

Termination Reason: Namespace SPRINGBOARD, Code 0x8badf00d
Termination Description: SPRINGBOARD, scene-create watchdog transgression: com.halfbrick.FruitNinjaLite exhausted real (wall clock) time allowance of 19.78 seconds |  | Elapsed total CPU time (seconds): 22.620 (user 22.620, system 0.000), 57% CPU | Elapsed application CPU time (seconds): 10.779, 27% CPU | 
Triggered by Thread:  0

Filtered syslog:
None found

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libsystem_c.dylib               0x0000000182bb5774 0x182bae000 + 30580
1   libsystem_c.dylib               0x0000000182bb5770 0x182bae000 + 30576
2   libsystem_c.dylib               0x0000000182bbb104 0x182bae000 + 53508
3   TweakInject.dylib               0x000000010275eeb8 0x102758000 + 28344
4   libsystem_platform.dylib        0x0000000182dafb44 0x182da8000 + 31556
5   libobjc.A.dylib                 0x00000001823e16b4 0x1823d0000 + 71348
6   libobjc.A.dylib                 0x00000001823ec758 0x1823d0000 + 116568
7   MyTweak.dylib               0x00000001029b91d8 0x1029a8000 + 70104

MyTweak is my test tweak from iOS10.

I don't have better logs showing why TweakInject.dylib received signal 11, so I printed my own logs to locate it; it shows it gets stuck on one line where I try to access an NSMutableSet like:

DDLog(@"try to get testIds: %@", self.testIds);

It's reproducible with a very simple test tweak; the source code is here: TestTweak.zip. Just modify the Makefile to point to the correct theos path. It only prints logs:

Mar 24 13:28:02 Xuans-iPhone stackar(TestTweak.dylib)[1939] <Notice>: ******AnalysisManager****** -[AnalysisManager testCrash]:49 test crash start
Mar 24 13:28:02 Xuans-iPhone stackar(TweakInject.dylib)[1939] <Notice>: Received signal 11
Mar 24 13:28:02 Xuans-iPhone kernel(Sandbox)[0] <Notice>: Sandbox: stackar(1939) deny(1) file-write-create /private/var/mobile/Containers/Data/Application/80A25EF6-6FAA-41D7-B4AB-D6493B0B9287/.safeMode-b36dd3409a331bc1f6fb4a571b9b59cfec97774e

and the app hangs; later it crashes.

The test tweak is very simple:

```objective-c
#include <mach-o/getsect.h>
#include <objc/runtime.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <dlfcn.h>
#include <notify.h>

#import <UIKit/UIKit.h>

// AnalysisManager.h (part of TestTweak.zip, not shown here) declares the
// class, its testIds property and the backing ivar _testIds.
#import "AnalysisManager.h"

@interface AnalysisManager ()

- (void)testCrash;

@end

@implementation AnalysisManager

// Process-wide singleton, created once on first use.
+ (instancetype)defaultManager {
    static AnalysisManager *_instance;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        _instance = [[AnalysisManager alloc] init];
    });
    return _instance;
}

- (instancetype)init {
    self = [super init];
    if (self) {
        // +set returns an autoreleased object; without ARC nothing retains it.
        _testIds = [NSMutableSet set];
        NSLog(@"mutable set created");
    }
    return self;
}

- (void)applicationDidLaunch {
    [self testCrash];
}

// Reads the set after the autorelease pool has drained.
- (void)testCrash {
    NSLog(@"test crash start");
    NSLog(@"try to get testIds: %@", self.testIds);
    NSLog(@"test crash done");
}

@end
```

liuxuan30 commented 6 years ago

UPDATE: I tried to open some apps to see, and sometimes, it will print like this:

Mar 24 13:55:59 Xuans-iPhone Fruit(TestTweak.dylib)[939] <Notice>: ******AnalysisManager****** -[AnalysisManager testCrash]:50 try to get testIds: <OS_xpc_uint64: <uint64: 0x1c002d320>: 1>
Mar 24 13:55:59 Xuans-iPhone Fruit(TestTweak.dylib)[939] <Notice>: ******AnalysisManager****** -[AnalysisManager testCrash]:51 test crash done

So it seems more like an overflow issue: I created an NSMutableSet member, while it points to an OS_xpc_uint64.

liuxuan30 commented 6 years ago

@coolstar are you able to reproduce it? As it's a very important bug.

liuxuan30 commented 6 years ago

Many thanks to @stek29 for pointing out that I didn't specify

ADDITIONAL_OBJCFLAGS = -fobjc-arc

in my Makefile, so the set is deallocated. Turning it on, it works fine then.
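As an added illustration (not code from the issue's TestTweak.zip or from Electra), here is the same singleton written so the set survives under both MRC and ARC, which is the code-level counterpart of adding `ADDITIONAL_OBJCFLAGS = -fobjc-arc` to the Makefile. The property declaration is assumed to mirror the issue's AnalysisManager.h, which is not shown in the thread.

```objective-c
// Added example, not from the issue's TestTweak.zip. Shows why the original
// init works under ARC but not MRC, and an init that is safe under both.
#import <Foundation/Foundation.h>

@interface AnalysisManager : NSObject
// Assumed to mirror the issue's AnalysisManager.h (not shown in the thread).
@property (nonatomic, strong) NSMutableSet *testIds;
+ (instancetype)defaultManager;
- (void)testCrash;
@end

@implementation AnalysisManager

+ (instancetype)defaultManager {
    static AnalysisManager *_instance;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        _instance = [[AnalysisManager alloc] init];
    });
    return _instance;
}

- (instancetype)init {
    self = [super init];
    if (self) {
        // [NSMutableSet set] returns an autoreleased object. Under ARC the
        // strong ivar assignment retains it. Under MRC (the default when
        // ADDITIONAL_OBJCFLAGS lacks -fobjc-arc) nothing retains it, so it is
        // freed when the autorelease pool drains and _testIds dangles; the
        // freed memory can then be reused by an unrelated object (the issue
        // saw an OS_xpc_uint64 there). +alloc/-init yields an owned reference
        // under both memory models, so the set stays alive.
        _testIds = [[NSMutableSet alloc] init];
    }
    return self;
}

#if !__has_feature(objc_arc)
// Balance the ownership taken in -init when building without ARC.
- (void)dealloc {
    [_testIds release];
    [super dealloc];
}
#endif

- (void)testCrash {
    // Safe now: self.testIds is an owned, live NSMutableSet in both builds.
    NSLog(@"try to get testIds: %@", self.testIds);
}

@end
```

The dangling-pointer symptom in the thread (a log that sometimes shows an OS_xpc_uint64, sometimes a SIGSEGV inside the injector) is the classic signature of reading a freed object whose memory has been reallocated; `-fobjc-arc` in the Makefile or the `alloc`/`init` form above removes the root cause rather than the symptom.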