facebook / fishhook

A library that enables dynamically rebinding symbols in Mach-O binaries running on iOS.
BSD 3-Clause "New" or "Revised" License
5.17k stars, 965 forks

iOS 14.5 crashed #82

Open cfxiao opened 3 years ago

cfxiao commented 3 years ago
0 perform_rebinding_with_section(fishhook.c:137)
1 perform_rebinding_with_section(fishhook.c:131)
2 rebind_symbols_for_image(fishhook.c:208)
3 rebind_symbols(fishhook.c:252)

iOS 14.5 crashes when hooking GCD.

cfxiao commented 3 years ago

[image attachment]

cfxiao commented 3 years ago

Hooking fsync also crashes.

feikang commented 3 years ago

I have the same problem. I can reproduce the crash with an iPhone Xs and OS version 14.5 (18E5140j) beta, but an iPhone 7 can't reproduce it.

leirenbaobao commented 3 years ago

@cfxiao can you supply detailed code? Which function was hooked?

biosli commented 3 years ago

@leirenbaobao it seems that he hooked dispatch_sync. And I tried to hook malloc / realloc and got the same crash report.

I'm pretty sure the iOS 14.5 beta on newer phones such as the iPhone Xs has changed the memory offset of the core library.

leirenbaobao commented 3 years ago

@biosli I tested some functions; some crash. What puzzles me is that even if the offset changed, normal dynamic binding still works without hooking. Maybe it has nothing to do with the offset.

leirenbaobao commented 3 years ago

I suppose it's a write to a read-only address. https://stackoverflow.com/questions/19741409/whats-the-difference-between-code-1-and-code-2-in-exc-bad-access

maniackk commented 3 years ago

I found some cases where vm_protect returns KERN_SUCCESS, but the memory doesn't actually get VM_PROT_WRITE set, like with the mprotect method.

oldProtection = get_protection(rebindings); is wrong. It saves the memory protection of struct rebindings_entry *rebindings. We should save the section's protection.

I committed code that does oldProtection = get_protection((void *)trunc_address);.

And I found a problem when the program sets the same section's protection from multiple threads (iOS 14.5).

https://github.com/facebook/fishhook/pull/84/files

maniackk commented 3 years ago

@leirenbaobao it seems that he hooked dispatch_sync. And I tried to hook malloc / realloc and got the same crash report.

I'm pretty sure the iOS 14.5 beta on newer phones such as the iPhone Xs has changed the memory offset of the core library.

https://github.com/facebook/fishhook/pull/84 fixes the bug.

daybreak1024 commented 3 years ago

When will the crash be fixed?

I used the #84 code and it worked. But it's not merged into the main branch, so can I use it?

maniackk commented 3 years ago

When will the crash be fixed?

I used the #84 code and it worked. But it's not merged into the main branch, so can I use it?

You can use it!

Crash reason:

  1. int mprotect(void *address, size_t size, int protect); requires address alignment on all iOS versions (not only iOS 14.5). (Apple doc)
  2. The memory mapped to the __DATA_CONST section is readable and writable before iOS 14.5; but in iOS 14.5 it may be read-write or it may be read-only.

d6638219 commented 3 years ago

iOS 15 crash.

kaspesla commented 3 years ago

Thanks for the fix!! In case anyone else is using fishhook on the Mac, you will need this fix for macOS 12.