frida / frida-gum

Cross-platform instrumentation and introspection library written in C
https://frida.re

Segfault when using gumjs-devkit on OSX. #694

Open WorksButNotTested opened 1 year ago

WorksButNotTested commented 1 year ago

test.cpp

#include <stdio.h>
#include "frida-gumjs.h"

/* Runs when the dylib is loaded via DYLD_INSERT_LIBRARIES; the crash in the
 * backtrace below happens in a later initializer of this library (libc++
 * iostream setup), after both messages have been printed. */
__attribute__((constructor)) static void init(void) {
    puts("START");
    gum_init_embedded ();

    GumScriptScheduler *scheduler = gum_script_backend_get_scheduler();
    (void) scheduler; /* only called to exercise the devkit; value unused */
    puts("END");
}

hi.cpp

#include <stdio.h>

int main() {
    puts("HI");
}

build

wget https://github.com/frida/frida/releases/download/16.0.5/frida-gumjs-devkit-16.0.5-macos-x86_64.tar.xz
tar Jxvf frida-gumjs-devkit-16.0.5-macos-x86_64.tar.xz
clang++ -o hi hi.cpp
clang++ -o test ./test.cpp -I . -L . -lfrida-gumjs -shared -ldl -lresolv

run

DYLD_INSERT_LIBRARIES=./test ./hi
START
END
zsh: segmentation fault  DYLD_INSERT_LIBRARIES=./test ./hi

info

$ sw_vers
ProductName:    macOS
ProductVersion: 12.6.1
BuildVersion:   21G217

$ clang --version
Apple clang version 14.0.0 (clang-1400.0.29.202)
Target: x86_64-apple-darwin21.6.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

debug

$ lldb
(lldb) env DYLD_INSERT_LIBRARIES=./test
(lldb) target create ./hi
(lldb) r
Process 23865 launched: '/Users/jon/git/bug/hi' (x86_64)
START
END
Process 23865 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000000000000
error: memory read failed for 0x0
Target 0: (hi) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000000000000
    frame #1: 0x0000000102e29e5e test`std::__1::__stdinbuf<char>::imbue(std::__1::locale const&) [inlined] std::__1::codecvt<char, char, __mbstate_t>::encoding(this=<unavailable>) const at __locale:939:16 [opt]
    frame #2: 0x0000000102e29e55 test`std::__1::__stdinbuf<char>::imbue(this=0x00000001035116f0, __loc=<unavailable>) at __std_stream:84:26 [opt]
    frame #3: 0x0000000102e29dea test`std::__1::__stdinbuf<char>::__stdinbuf(this=0x00000001035116f0, __fp=0x00007ff84b462900, __st=<unavailable>) at __std_stream:76:5 [opt]
    frame #4: 0x0000000102e29b0e test`std::__1::DoIOSInit::DoIOSInit() [inlined] std::__1::__stdinbuf<char>::__stdinbuf(this=0x00000001035116f0, __fp=<unavailable>, __st=<unavailable>) at __std_stream:75:1 [opt]
    frame #5: 0x0000000102e29af8 test`std::__1::DoIOSInit::DoIOSInit(this=<unavailable>) at iostream.cpp:111:59 [opt]
    frame #6: 0x0000000102e29d52 test`std::__1::ios_base::Init::Init() [inlined] std::__1::DoIOSInit::DoIOSInit(this=<unavailable>) at iostream.cpp:107:1 [opt]
    frame #7: 0x0000000102e29d4d test`std::__1::ios_base::Init::Init(this=<unavailable>) at iostream.cpp:152:22 [opt]
    frame #8: 0x0000000100024e4f dyld`invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 182
    frame #9: 0x000000010004baad dyld`invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 242
    frame #10: 0x0000000100042e26 dyld`invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 557
    frame #11: 0x0000000100011db3 dyld`dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 129
    frame #12: 0x0000000100042bb7 dyld`dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 179
    frame #13: 0x000000010004b604 dyld`dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 466
    frame #14: 0x0000000100024d82 dyld`dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 144
    frame #15: 0x0000000100024f0e dyld`dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 178
    frame #16: 0x0000000100024fb2 dyld`dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 108
    frame #17: 0x0000000100038826 dyld`dyld4::APIs::runAllInitializersForMain() + 222
    frame #18: 0x000000010001638d dyld`dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3443
    frame #19: 0x00000001000154e4 dyld`start + 388

WorksButNotTested commented 1 year ago

This seems to be alleviated by setting...

CC= \
    "clang" \
    "-target" \
    "x86_64-apple-macos10.9"
CXX= \
    "clang++" \
    "-target" \
    "x86_64-apple-macos10.9"

I copied this from the build system for frida-gum itself, but I'm not sure why it is needed?

oleavr commented 1 year ago

> This seems to be alleviated by setting...
>
> CC= \
>   "clang" \
>   "-target" \
>   "x86_64-apple-macos10.9"
> CXX= \
>   "clang++" \
>   "-target" \
>   "x86_64-apple-macos10.9"
>
> I copied this from the build system for frida-gum itself, but I'm not sure why it is needed?

This must be due to ABI differences dependent on OS version requirements.