frida / frida-gum

Cross-platform instrumentation and introspection library written in C
https://frida.re

Run "frida-gum-example" but report "Segmentation fault" error in linux-arm #400

Open cc5ec opened 4 years ago

cc5ec commented 4 years ago

I built frida-gum and the devkit with the arm-unknown-linux-musleabi cross toolchain. Then I built frida-gum-example.c in the devkit folder. I ran frida-gum-example on my IoT device, but it reports a "Segmentation fault" error. My IoT device's Linux kernel version is Linux xxxx 3.4.39 #103 SMP PREEMPT Thu Mar 5 03:00:52 UTC 2020 armv7l GNU/Linux

CPUINFO is:

Processor       : ARMv7 Processor rev 5 (v7l)
processor       : 0
BogoMIPS        : 1942.85

processor       : 1
BogoMIPS        : 1942.85

processor       : 2
BogoMIPS        : 1942.85

processor       : 3
BogoMIPS        : 1942.85

Features        : swp half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpv4 idiva idivt 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : sun8i
Revision        : 0000
Serial          : 87681f28d9376c118000
Chipid          : 6c1180001f28d937876811460461872a

I want to know why it reports "Segmentation fault", so I uploaded gdb to my IoT device and ran gdb frida-gum-example. GDB found the segmentation fault position is:

Starting program: /tmp/frida-gum-example 

Program received signal SIGSEGV, Segmentation fault.
0x0006989c in _frida_ARM_getInstruction ()
(gdb) 

Then I added a breakpoint at 0x0006989c and ran; the program broke, and the disassembly is:

Dump of assembler code for function _frida_ARM_getInstruction:
   0x00069864 <+0>:     mov     r12, #0
   0x00069868 <+4>:     push    {r4, r5, r6, r7, r8, lr}
   0x0006986c <+8>:     ldr     r6, [sp, #24]
   0x00069870 <+12>:    cmp     r2, #3
   0x00069874 <+16>:    strh    r12, [r6]
   0x00069878 <+20>:    bls     0x699d8 <_frida_ARM_getInstruction+372>
   0x0006987c <+24>:    mov     r4, r3
   0x00069880 <+28>:    ldr     r3, [r3, #784]  ; 0x310
   0x00069884 <+32>:    mov     r8, r0
   0x00069888 <+36>:    ldr     r0, [r3, #236]  ; 0xec
   0x0006988c <+40>:    mov     r7, r1
   0x00069890 <+44>:    cmp     r0, r12
   0x00069894 <+48>:    bne     0x69914 <_frida_ARM_getInstruction+176>
   0x00069898 <+52>:    ldr     r0, [r8, #4]
=> 0x0006989c <+56>:    ldrb    r5, [r7, #1]
   0x000698a0 <+60>:    ldrb    r3, [r7]
   0x000698a4 <+64>:    cmp     r0, #0
   0x000698a8 <+68>:    ldrb    r1, [r7, #2]
   0x000698ac <+72>:    orrge   r5, r3, r5, lsl #8
   0x000698b0 <+76>:    ldrb    r2, [r7, #3]
   0x000698b4 <+80>:    orrge   r5, r5, r1, lsl #16
   0x000698b8 <+84>:    orrge   r5, r5, r2, lsl #24
   0x000698bc <+88>:    bge     0x698d0 <_frida_ARM_getInstruction+108>
   0x000698c0 <+92>:    lsl     r5, r5, #16
   0x000698c4 <+96>:    orr     r5, r5, r1, lsl #8
   0x000698c8 <+100>:   orr     r5, r5, r2
   0x000698cc <+104>:   orr     r5, r5, r3, lsl #24
   0x000698d0 <+108>:   ldr     r0, [pc, #460]  ; 0x69aa4 <_frida_ARM_getInstruction+576>
   0x000698d4 <+112>:   mov     r2, r5
   0x000698d8 <+116>:   mov     r1, r4
   0x000698dc <+120>:   add     r0, pc, r0
   0x000698e0 <+124>:   bl      0x68fcc <decodeInstruction_4.isra.146.part.147>
   0x000698e4 <+128>:   subs    r7, r0, #0
   0x000698e8 <+132>:   mov     r0, r4
   0x000698ec <+136>:   beq     0x69948 <_frida_ARM_getInstruction+228>
   0x000698f0 <+140>:   bl      0x3f418 <_frida_MCInst_getOpcode>
   0x000698f4 <+144>:   cmp     r0, #604        ; 0x25c
   0x000698f8 <+148>:   bne     0x69968 <_frida_ARM_getInstruction+260>
   0x000698fc <+152>:   lsr     r5, r5, #28
   0x00069900 <+156>:   cmp     r5, #15
   0x00069904 <+160>:   beq     0x699d8 <_frida_ARM_getInstruction+372>
   0x00069908 <+164>:   cmp     r5, #14
   0x0006990c <+168>:   movne   r7, #1

I can see the "Segmentation fault" position code is: 0x0006989c <+56>: ldrb r5, [r7, #1]

So I showed the registers with the "info registers" command; the result is:

(gdb) info registers 
r0             0x0      0
r1             0xb6fdabb0       3070077872
r2             0xffffffff       4294967295
r3             0xb6fdabb0       3070077872
r4             0xbefff960       3204446560
r5             0x0      0
r6             0xbefff75a       3204446042
r7             0x0      0
r8             0xb6fda348       3070075720
r9             0x1      1
r10            0x69864  432228
r11            0xbefff960       3204446560
r12            0xb6fda548       3070076232
sp             0xbefff6f8       0xbefff6f8
lr             0xb6fdac30       -1224889296
pc             0x6989c  0x6989c <_frida_ARM_getInstruction+56>
cpsr           0x60000010       1610612752

You can see the r7 register is 0! This is the cause of the "Segmentation fault"!

So I looked at the source code in ARMDisassembler.c; the code at the asm position is:

    if (MODE_IS_BIG_ENDIAN(ud->mode))
        insn = (code[3] << 0) | (code[2] << 8) |
            (code[1] <<  16) | ((uint32_t) code[0] << 24);
    else
        insn = ((uint32_t) code[3] << 24) | (code[2] << 16) |
            (code[1] <<  8) | (code[0] <<  0);

The r7 register is code, but it is zero.

Is this a bug of frida-gum?
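As an added example (not frida-gum's or Capstone's own code), here is the byte-to-instruction-word assembly quoted above, written so that a NULL or too-short `code` buffer is rejected instead of dereferenced; the faulting `ldrb r5, [r7, #1]` is exactly that unchecked load from a NULL `code` pointer. The function and constant names, and the sample bytes (the little-endian encoding of `mov r0, #0`), are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assemble one 32-bit ARM instruction word from a 4-byte buffer, the same
 * way the Capstone snippet quoted in the issue does, but refusing NULL or
 * short input instead of dereferencing it. Returns false on bad input.
 * (Example code, not Capstone's or frida-gum's.) */
bool arm_fetch_insn(const uint8_t *code, size_t len, bool big_endian, uint32_t *insn)
{
    if (code == NULL || len < 4 || insn == NULL)
        return false;                /* the unchecked path is what faulted with r7 == 0 */
    if (big_endian)
        *insn = ((uint32_t)code[0] << 24) | ((uint32_t)code[1] << 16) |
                ((uint32_t)code[2] << 8)  |  (uint32_t)code[3];
    else
        *insn = ((uint32_t)code[3] << 24) | ((uint32_t)code[2] << 16) |
                ((uint32_t)code[1] << 8)  |  (uint32_t)code[0];
    return true;
}

/* Condition field, bits 31..28, as the disassembly's "lsr r5, r5, #28"
 * extracts it: 0xE is AL (always), 0xF is the unconditional space. */
unsigned arm_cond(uint32_t insn)
{
    return insn >> 28;
}

int main(void)
{
    /* Constructed sample: little-endian bytes of "mov r0, #0" (0xe3a00000). */
    const uint8_t sample[4] = { 0x00, 0x00, 0xa0, 0xe3 };
    uint32_t insn;

    if (arm_fetch_insn(sample, sizeof sample, false, &insn))
        printf("insn = 0x%08x, cond = 0x%x\n", insn, arm_cond(insn));
    if (!arm_fetch_insn(NULL, 4, false, &insn))
        printf("NULL code pointer rejected instead of faulting\n");
    return 0;
}
```

The check is cheap and sits at the boundary where an untrusted or uninitialised buffer pointer enters the decoder; a disassembler fed a NULL pointer should fail the call, not take SIGSEGV inside `getInstruction`.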

cc5ec commented 4 years ago

Oops!! I know why "Segmentation fault": because I statically linked this program, so the dlsym function returns 0!
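The root cause named in the comment above is a `dlsym` result used without a NULL check. As an added example (not frida-gum's code; the wrapper names are constructed for this example), a lookup that reports the failure instead of handing a NULL pointer onward. It uses `dlopen(NULL, RTLD_NOW)` for the program's own global scope rather than `RTLD_DEFAULT`, so it needs no GNU feature macro:

```c
#include <dlfcn.h>
#include <stdio.h>

/* Look a symbol up in the running program's global scope. dlopen(NULL)
 * yields a handle for the main program plus the libraries it was linked
 * against. In a statically linked binary there is no dynamic symbol table
 * (with musl, dlopen/dlsym fail outright in static builds), so the lookup
 * returns NULL and must be checked rather than called through.
 * Returns NULL on any failure. (Example code, not frida-gum's.) */
void *resolve_symbol(const char *name)
{
    void *self = dlopen(NULL, RTLD_NOW);
    if (self == NULL) {
        fprintf(stderr, "dlopen(NULL) failed: %s\n", dlerror());
        return NULL;
    }
    dlerror();                       /* clear any stale error state */
    void *sym = dlsym(self, name);
    if (sym == NULL) {
        const char *err = dlerror();
        fprintf(stderr, "dlsym(\"%s\") failed: %s\n", name,
                err ? err : "symbol not found");
    }
    dlclose(self);                   /* main program stays loaded; only drops the refcount */
    return sym;
}

/* 1 if the symbol can be resolved at runtime, 0 otherwise. */
int symbol_is_resolvable(const char *name)
{
    return resolve_symbol(name) != NULL;
}

int main(void)
{
    /* In a dynamically linked build "getpid" resolves and the bogus name
     * does not; in a -static build both lookups return NULL. */
    printf("getpid resolvable: %d\n", symbol_is_resolvable("getpid"));
    printf("no_such_symbol_xyz resolvable: %d\n",
           symbol_is_resolvable("no_such_symbol_xyz"));
    return 0;
}
```

To confirm which case a device binary is in before chasing the fault in gdb: `file frida-gum-example` prints "statically linked" for a static build, and `ldd frida-gum-example` answers "not a dynamic executable". On older glibc toolchains the build may also need `-ldl` for `dlopen`/`dlsym`.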