
iOS 14.5 crashed

Open cfxiao opened this issue 4 years ago • 13 comments

0 perform_rebinding_with_section(fishhook.c:137)
1 perform_rebinding_with_section(fishhook.c:131)
2 rebind_symbols_for_image(fishhook.c:208)
3 rebind_symbols(fishhook.c:252)

iOS 14.5 crashes when hooking GCD.

cfxiao avatar Feb 03 '21 09:02 cfxiao


cfxiao avatar Feb 03 '21 10:02 cfxiao

Hooking fsync also crashes.

cfxiao avatar Feb 03 '21 10:02 cfxiao

I have the same problem. I can reproduce the crash with an iPhone Xs on OS version 14.5 (18E5140j) beta, but it can't be reproduced on an iPhone 7.

feikang avatar Feb 03 '21 11:02 feikang

@cfxiao can you supply detailed code? Which function was hooked?

leirenbaobao avatar Feb 04 '21 06:02 leirenbaobao

@leirenbaobao it seems that he hooks dispatch_sync. I tried to hook malloc / realloc and got the same crash report.

I'm pretty sure the iOS 14.5 beta on newer phones such as the iPhone Xs has changed the memory offset of the core library.

biosli avatar Feb 04 '21 07:02 biosli

@biosli I tested some functions; some crash. What puzzles me is that even if the offset changed, normal dynamic binding still works without the hook. Maybe it has nothing to do with the offset.

leirenbaobao avatar Feb 07 '21 14:02 leirenbaobao

I suppose it writes to a read-only address. https://stackoverflow.com/questions/19741409/whats-the-difference-between-code-1-and-code-2-in-exc-bad-access

leirenbaobao avatar Feb 08 '21 09:02 leirenbaobao

I found some cases where vm_protect returns KERN_SUCCESS, but the memory does not actually get VM_PROT_WRITE set, like the mprotect method.

oldProtection = get_protection(rebindings); is wrong. It saves the memory protection of struct rebindings_entry *rebindings. We should save the section's protection.

I committed code that does oldProtection = get_protection((void *)trunc_address);.

And I found a problem when the program sets the same section protection from multiple threads (iOS 14.5).

https://github.com/facebook/fishhook/pull/84/files

maniackk avatar Feb 28 '21 07:02 maniackk

> @leirenbaobao it seems that he hooks dispatch_sync. I tried to hook malloc / realloc and got the same crash report.
>
> I'm pretty sure the iOS 14.5 beta on newer phones such as the iPhone Xs has changed the memory offset of the core library.

https://github.com/facebook/fishhook/pull/84 fixes the bug

maniackk avatar Mar 04 '21 02:03 maniackk

When will the crash be fixed?

I used the #84 code and it worked. But it's not merged into the main branch, so can I use it?

daybreak1024 avatar Apr 29 '21 06:04 daybreak1024

> When will the crash be fixed?
>
> I used the #84 code and it worked. But it's not merged into the main branch, so can I use it?

You can use it!

Crash reason:

  1. The int mprotect(void *address, size_t size, int protect); function requires address alignment on all iOS versions (not only iOS 14.5). Apple doc
  2. The memory mapped to the __DATA_CONST section is readable and writable before iOS 14.5; but in iOS 14.5 it may be read-write or may be read-only.

maniackk avatar Apr 29 '21 06:04 maniackk

iOS 15 crash

d6638219 avatar Jun 09 '21 01:06 d6638219

Thanks for the fix!! In case anyone else is using fishhook on the Mac, you will need this fix for macOS 12.

kaspesla avatar Jun 09 '21 21:06 kaspesla