facebook / fishhook

A library that enables dynamically rebinding symbols in Mach-O binaries running on iOS.
BSD 3-Clause "New" or "Revised" License

If hooking in __DATA_CONST/__AUTH_CONST, promise writable before trying to write #84

Open maniackk opened 3 years ago

maniackk commented 3 years ago

Issues: #80 and #82.

Fix: `int mprotect(void *address, size_t size, int protect);` requires address alignment. Before that, I tried to use the vm_protect function, and I found some cases where vm_protect returns KERN_SUCCESS but setting VM_PROT_WRITE on the memory does not succeed.

facebook-github-bot commented 3 years ago

Hi @maniackk!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@fb.com. Thanks!

facebook-github-bot commented 3 years ago

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!

maniackk commented 3 years ago

`oldProtection = get_protection(rebindings);` is wrong. It saves the memory protection of `struct rebindings_entry *rebindings`. We should save the section protection.

I committed code so that `oldProtection = get_protection((void *)trunc_address);`.

And I found a problem when the program sets the same section protection in multiple threads (iOS 14.5).

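The sequence this PR and the follow-up comment describe (truncate the target address to its page because mprotect requires alignment, raise the protection of that page, write, then restore the protection that was read for the target section rather than for the rebindings struct), as an added example. This is not fishhook's code and not the PR's diff: it is written against Linux mprotect(2) semantics, uses an mmap'd read-only page as a constructed stand-in for a __DATA_CONST page, and takes the original protection as a caller-supplied argument because Linux has no vm_region equivalent to fishhook's get_protection. The names page_trunc, page_span, write_protected, demo_patch_readonly_page and mprotect_unaligned_is_rejected are hypothetical.

```c
/* Added example, not fishhook's own code: page-aligned mprotect around a write
 * into a page that is mapped read-only, restoring the target page's protection
 * afterwards. Assumes Linux mprotect(2) behaviour and a 64-bit build. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Round an address down to the start of its page: the alignment mprotect
 * requires, and what the PR calls trunc_address. */
static uintptr_t page_trunc(uintptr_t addr, size_t page) {
    return addr & ~(uintptr_t)(page - 1);
}

/* Number of bytes, in whole pages, that cover [addr, addr + len) once the
 * start has been truncated to a page boundary. */
static size_t page_span(uintptr_t addr, size_t len, size_t page) {
    uintptr_t start = page_trunc(addr, page);
    uintptr_t end = page_trunc(addr + len + page - 1, page);
    return (size_t)(end - start);
}

/* Copy len bytes from src to dst, where dst may sit in a read-only page.
 * prot_before is the protection the caller read for the *target* page (the
 * thread's correction: the section's protection, not the rebindings struct's)
 * and is restored after the write. Returns 0 on success, -1 on mprotect error. */
int write_protected(void *dst, const void *src, size_t len, int prot_before) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = page_trunc((uintptr_t)dst, page);
    size_t span = page_span((uintptr_t)dst, len, page);

    if (mprotect((void *)start, span, prot_before | PROT_WRITE) != 0)
        return -1;
    memcpy(dst, src, len);
    /* Restore the original protection; if this fails the page stays writable. */
    if (mprotect((void *)start, span, prot_before) != 0)
        return -1;
    return 0;
}

/* Demo: map one read-only page (constructed stand-in for a __DATA_CONST page),
 * patch an 8-byte slot that is deliberately not page-aligned, and return what
 * the slot holds once the page is read-only again. Returns 0 on failure. */
uint64_t demo_patch_readonly_page(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *region = mmap(NULL, page, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return 0;
    uint64_t *slot = (uint64_t *)((char *)region + 64);
    uint64_t value = 0x4142434445464748ULL; /* constructed sample value */
    if (write_protected(slot, &value, sizeof value, PROT_READ) != 0) {
        munmap(region, page);
        return 0;
    }
    uint64_t got = *slot;
    munmap(region, page);
    return got;
}

/* The PR's point in one call: mprotect on an address that is not page-aligned
 * is rejected (EINVAL on Linux), so the address must be truncated first.
 * Returns 1 if the unaligned call was refused. */
int mprotect_unaligned_is_rejected(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *region = mmap(NULL, page, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return 0;
    int rc = mprotect((char *)region + 64, 8, PROT_READ | PROT_WRITE);
    int rejected = (rc == -1 && errno == EINVAL);
    munmap(region, page);
    return rejected;
}

int main(void) {
    printf("unaligned mprotect rejected: %d\n", mprotect_unaligned_is_rejected());
    printf("patched slot reads back as: 0x%016llx\n",
           (unsigned long long)demo_patch_readonly_page());
    return 0;
}
```

The restore step is where the multi-thread problem from the last comment bites: if two threads run this sequence on the same page concurrently, one thread's restore to read-only can land while the other is between its mprotect and its memcpy, and the write then faults with a protection failure. A single lock around the protect, write and restore steps (or doing all rebinding from one thread before others start) keeps the sequence atomic per page.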
zhutc commented 3 years ago

This issue appears again in iOS 15.


Exception Type:  EXC_BAD_ACCESS (SIGKILL)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x00000001d4424da8
VM Region Info: 0x1d4424da8 is in 0x1d44249b8-0x1d4450278;  bytes after start: 1008  bytes before end: 177359
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __DATA_CONST             1d43fc5c0-1d44249b8 [  161K] r--/rw- SM=COW  ...k/MediaRemote
--->  __DATA_CONST             1d44249b8-1d4450278 [  174K] r--/rw- SM=COW  ...ork/CoreUtils
      __DATA_CONST             1d4450278-1d4453430 [   12K] r--/rw- SM=COW  .../FamilyCircle

Termination Reason: Namespace SPRINGBOARD, Code 0x8badf00d
Termination Description: SPRINGBOARD, <RBSTerminateContext| domain:10 code:0x8BADF00D explanation:scene-create watchdog transgression: application<ctrip.com>:444 exhausted real (wall clock) time allowance of 19.91 seconds | ProcessVisibility: Foreground | ProcessState: Running | WatchdogEvent: scene-create | WatchdogVisibility: Foreground | WatchdogCPUStatistics: ( | "Elapsed total CPU time (seconds): 19.580 (user 14.590, system 4.990), 16% CPU", | "Elapsed application CPU time (seconds): 0.034, 0% CPU" | ) reportType:CrashLog maxTerminationResistance:Interactive>
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0  MyApp                    0x0000000102d584bc perform_rebinding_with_section + 7177404 (fishhook.c:149)
1  MyApp                    0x0000000102d58460 perform_rebinding_with_section + 7177312 (fishhook.c:143)
2  MyApp                    0x0000000102d5816c rebind_symbols_for_image + 7176556 (fishhook.c:222)

tirodkar commented 2 years ago

@grp are there plans to merge these PRs?

https://github.com/google/EarlGrey/issues/1641