hook strcmp 出现一个很奇怪的问题

[ndl1302732]

typedef int ( PFN_STRCMP)(const char lhs, const char* rhs); PFN_STRCMP pOrgStrcmp = NULL; int fake_strcmp(const char __lhs, const char rhs){ int ret = pOrgStrcmp(lhs, __rhs); LOGI("fake_strcmp"); return ret; }

static void hook(){ DobbyHook((void )strcmp, (void )fake_strcmp, (void **)&pOrgStrcmp); }

在fake_strcmp函数中 1 使用LOGI("fake_strcmp"); 打印log程序会奔溃 2 把LOGI("fake_strcmp");去掉，程序不会奔溃

LOGI是宏 调用__android_log_print实现。

崩溃堆栈如下： --------- beginning of crash 08-18 15:51:40.358 8085-8085/com.xx.xx.xx A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0xbe749f80 in tid 8085 (m.xx.xx.xx) 08-18 15:51:40.460 3139-3139/? A/DEBUG: 08-18 15:51:40.460 3139-3139/? A/DEBUG: Build fingerprint: 'Android/aosp_hammerhead/hammerhead:6.0/MRA58K/jerry06170301:userdebug/test-keys' 08-18 15:51:40.460 3139-3139/? A/DEBUG: Revision: '0' 08-18 15:51:40.460 3139-3139/? A/DEBUG: ABI: 'arm' 08-18 15:51:40.460 3139-3139/? A/DEBUG: pid: 8085, tid: 8085, name: m.xx.xx.xx >>> com.xx.xx.xx <<< 08-18 15:51:40.460 3139-3139/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xbe749f80 08-18 15:51:40.471 3139-3139/? A/DEBUG: r0 be74a4fc r1 b3a1691f r2 be74a98c r3 0003b88c 08-18 15:51:40.471 3139-3139/? A/DEBUG: r4 00000400 r5 be74a98c r6 be74a56c r7 00000000 08-18 15:51:40.471 3139-3139/? A/DEBUG: r8 b3a1691f r9 b4d96a80 sl 00000035 fp bef46bfc 08-18 15:51:40.471 3139-3139/? A/DEBUG: ip 00000208 sp be749f48 lr b6cecadb pc b6ce8b8a cpsr 600d0030 08-18 15:51:40.471 3139-3139/? A/DEBUG: backtrace: 08-18 15:51:40.471 3139-3139/? A/DEBUG: #00 pc 00021b8a /system/lib/libc.so (offset 0x18000) 08-18 15:51:40.472 3139-3139/? A/DEBUG: #01 pc 00025ad7 /system/lib/libc.so (offset 0x18000) 08-18 15:51:40.650 3139-3139/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_05 08-18 15:51:40.650 3139-3139/? E/DEBUG: AM write failed: Broken pipe

[ndl1302732]

同样的代码在pixelXL上执行正常。在nexus5上出现如上问题

[jmpews]

strcmp 是一个敏感函数, __android_log_print 内部会使用 strcmp 最终导致递归.

[ndl1302732]

thank you