frida / frida-gum

Cross-platform instrumentation and introspection library written in C
https://frida.re

[BUG] GUM_INSTRUMENTATION_ERROR_WRONG_SIGNATURE, GUM_ATTACH_WRONG_SIGNATURE #803

Open brunoaduarte opened 3 months ago

brunoaduarte commented 3 months ago

Cannot intercept libc.so strncmp

Error: unable to intercept function at 0xe8a287d7; please file a bug

Environment: Android 11 (aarch64)

Process.enumerateModules().find(module => module.name === "libc.so")
{
    "base": "0xe89c2000",
    "name": "libc.so",
    "path": "/apex/com.android.runtime/lib/bionic/libc.so",
    "size": 724992
}
* /apex/com.android.runtime/lib/bionic/libc.so
* GHIDRA DISASSEMBLY (OFFSET + 0x10000)
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             noreturn int __stdcall strncmp(char * __s1, char * __s2,
                               assume LRset = 0x0
                               assume TMode = 0x1
             int               r0:4           <RETURN>
             char *            r0:4           __s1
             char *            r1:4           __s2
             size_t            r2:4           __n
                             strncmp                                         XREF[3]:     Entry Point(*), 
                                                                                          strncmp:00096760(T), 
                                                                                          strncmp:00096768(c), 0009b250(*)  
        000767d6 4a b1           cbz        __n,LAB_000767ec
                             LAB_000767d8                                    XREF[1]:     000767ea(j)  
        000767d8 11 f8 01 cb     ldrb.w     r12,[__s2],#0x1
        000767dc 03 78           ldrb       r3,[__s1,#0x0]
        000767de 63 45           cmp        r3,r12
        000767e0 06 d1           bne        LAB_000767f0
        000767e2 1b b1           cbz        r3,LAB_000767ec
        000767e4 01 3a           subs       __n,#0x1
        000767e6 00 f1 01 00     add.w      __s1,__s1,#0x1
        000767ea f5 d1           bne        LAB_000767d8
                             LAB_000767ec                                    XREF[2]:     000767d6(j), 000767e2(j)  
        000767ec 00 20           movs       __s1,#0x0
        000767ee 70 47           bx         lr
                             LAB_000767f0                                    XREF[1]:     000767e0(j)  
        000767f0 a3 eb 0c 00     sub.w      __s1,r3,r12
        000767f4 70 47           bx         lr

Seems to have something to do with https://github.com/frida/frida-gum/blob/97b65df2040ca102b48141fdb59b2b96c7c6e9e4/gum/backend-arm/guminterceptor-arm.c#L190

Related: https://github.com/frida/frida/issues/771

error intercepting strncmp offset: 0x667d7
Error: unable to intercept function at 0xe8a287d7; please file a bug
    at value (frida/runtime/core.js:408)
    at <anonymous> (./intercept_libc.so.js:65)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:51)
Interceptor.attach(Module.getExportByName('libc.so', "strncmp"), {
    // Log both string arguments and the length bound on entry
    onEnter(args) {
        const str1 = args[0].readCString();
        const str2 = args[1].readCString();
        const num = args[2].toInt32();
        console.log(`strncmp called with str1: ${str1}, str2: ${str2}, num: ${num}`);
    },
    // Log the comparison result on return
    onLeave(retval) {
        console.log(`strncmp returned: ${retval.toInt32()}`);
    }
});

https://github.com/frida/frida-gum/blob/97b65df2040ca102b48141fdb59b2b96c7c6e9e4/bindings/gumjs/gumquickinterceptor.c#L591

https://github.com/frida/frida-gum/blob/97b65df2040ca102b48141fdb59b2b96c7c6e9e4/bindings/gumjs/gumv8interceptor.cpp#L658

https://github.com/frida/frida-gum/blob/97b65df2040ca102b48141fdb59b2b96c7c6e9e4/gum/guminterceptor.c#L439

https://github.com/frida/frida-gum/blob/97b65df2040ca102b48141fdb59b2b96c7c6e9e4/gum/guminterceptor.c#L888

https://github.com/frida/frida-gum/blob/97b65df2040ca102b48141fdb59b2b96c7c6e9e4/gum/guminterceptor.c#L925

https://github.com/frida/frida-gum/blob/97b65df2040ca102b48141fdb59b2b96c7c6e9e4/gum/backend-arm/guminterceptor-arm.c#L190

IMPORTANT: THE ISSUE DOES NOT OCCUR WITH ANDROID 6.0 libc.so

Android 6.0 (armv7l)
Process.enumerateModules().find(module => module.name === "libc.so")
{
    "base": "0xb6c32000",
    "name": "libc.so",
    "path": "/system/lib/libc.so",
    "size": 532480
}
* /system/lib/libc.so
* GHIDRA DISASSEMBLY (OFFSET + 0x10000)
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             int __stdcall strncmp(char * __s1, char * __s2, size_t _
                               assume LRset = 0x0
                               assume TMode = 0x1
             int               r0:4           <RETURN>
             char *            r0:4           __s1
             char *            r1:4           __s2
             size_t            r2:4           __n
                             strncmp                                         XREF[3]:     Entry Point(*), 
                                                                                          strncmp:000248dc(T), 
                                                                                          strncmp:000248e4(c), 00084ab0(*)  
        00044272 30 b5           push       {r4,r5,lr}
        00044274 72 b1           cbz        __n,LAB_00044294
        00044276 44 1e           subs       r4,__s1,#0x1
        00044278 0d 46           mov        r5,__s2
                             LAB_0004427a                                    XREF[1]:     00044290(j)  
        0004427a 14 f8 01 3f     ldrb.w     r3,[r4,#0x1]!
        0004427e 15 f8 01 0b     ldrb.w     __s1,[r5],#0x1
        00044282 83 42           cmp        r3,__s1
        00044284 01 d0           beq        LAB_0004428a
        00044286 18 1a           subs       __s1,r3,__s1
        00044288 30 bd           pop        {r4,r5,pc}
                             LAB_0004428a                                    XREF[1]:     00044284(j)  
        0004428a 2b b1           cbz        r3,LAB_00044298
        0004428c 53 1b           subs       r3,__n,r5
        0004428e cb 18           adds       r3,__s2,r3
        00044290 f3 d1           bne        LAB_0004427a
        00044292 01 e0           b          LAB_00044298
                             LAB_00044294                                    XREF[1]:     00044274(j)  
        00044294 10 46           mov        __s1,__n
        00044296 30 bd           pop        {r4,r5,pc}
                             LAB_00044298                                    XREF[2]:     0004428a(j), 00044292(j)  
        00044298 18 46           mov        __s1,r3
        0004429a 30 bd           pop        {r4,r5,pc}

@oleavr
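Added diagnostic, not code from this issue or from frida-gum: it checks one plausible reason the Android 11 copy cannot be hooked while the Android 6.0 copy can, namely a later branch (here the `bne` back to LAB_000767d8) jumping into the bytes the trampoline would overwrite at the function entry. The 8-byte Thumb redirect size, the `findBranchesIntoPrologue`/`decodeFromFrida` names and the Capstone operand spelling in the sample are assumptions; the listing itself is transcribed from the report above.

```javascript
// Assumed Thumb full-redirect size in the frida-gum ARM backend (adjust if
// your build differs); only whole instructions get overwritten.
const THUMB_FULL_REDIRECT_SIZE = 8;
// Intra-function jumps in Capstone spelling; bl/blx (calls) and bx (return)
// are deliberately excluded.
const BRANCH_RE = /^(b|b(eq|ne|cs|cc|hs|lo|mi|pl|vs|vc|hi|ls|ge|lt|gt|le)|cbz|cbnz)(\.w)?$/;
// Parse the trailing "#0x..." immediate of a Capstone operand string.
function branchTarget(opStr) {
  const m = opStr.match(/#0x([0-9a-f]+)\s*$/i);
  return m ? parseInt(m[1], 16) : null;
}

// instructions: [{ address, size, mnemonic, opStr }] from the entry onward,
// addresses as plain numbers. Returns the overwritten window's end and every
// branch landing strictly inside it (a branch to the entry itself is fine).
function findBranchesIntoPrologue(instructions, redirectSize) {
  const entry = instructions[0].address;
  let windowEnd = entry;
  for (const insn of instructions) {
    if (windowEnd - entry >= redirectSize) break;
    windowEnd = insn.address + insn.size;
  }
  const offenders = [];
  for (const insn of instructions) {
    if (!BRANCH_RE.test(insn.mnemonic)) continue;
    const target = branchTarget(insn.opStr);
    if (target !== null && target > entry && target < windowEnd)
      offenders.push({ from: insn.address, to: target });
  }
  return { windowEnd, offenders };
}

// Inside a Frida agent, build the list by walking Instruction.parse() from the
// attach target (32-bit addresses as in this issue; `next` keeps the Thumb bit).
function decodeFromFrida(target, count) {
  const out = [];
  for (let insn = Instruction.parse(target), i = 0; i < count; i++, insn = Instruction.parse(insn.next))
    out.push({ address: (Number(insn.address.toString()) & ~1) >>> 0,
               size: insn.size, mnemonic: insn.mnemonic, opStr: insn.opStr });
  return out;
}
// Constructed sample: the Android 11 strncmp listing from this issue.
const ANDROID11_STRNCMP = [
  [0x767d6, 2, 'cbz', 'r2, #0x767ec'], [0x767d8, 4, 'ldrb.w', 'r12, [r1], #1'], [0x767dc, 2, 'ldrb', 'r3, [r0]'],
  [0x767de, 2, 'cmp', 'r3, r12'], [0x767e0, 2, 'bne', '#0x767f0'], [0x767e2, 2, 'cbz', 'r3, #0x767ec'],
  [0x767e4, 2, 'subs', 'r2, #1'], [0x767e6, 4, 'add.w', 'r0, r0, #1'], [0x767ea, 2, 'bne', '#0x767d8'],
  [0x767ec, 2, 'movs', 'r0, #0'], [0x767ee, 2, 'bx', 'lr'], [0x767f0, 4, 'sub.w', 'r0, r3, r12'],
  [0x767f4, 2, 'bx', 'lr'],
].map(([address, size, mnemonic, opStr]) => ({ address, size, mnemonic, opStr }));
```

Fed the Android 6.0 listing the same way, the window ends at 0x0004427a (after `push`, `cbz`, `subs`, `mov`) and no branch lands inside it, which is consistent with that copy hooking without error.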