
If hooking in __DATA_CONST/__AUTH_CONST, promise writable before trying to write

Open maniackk opened this issue 3 years ago • 5 comments

Issue: #80 and #82.

Fix: the `int mprotect(void *address, size_t size, int protect);` function requires address alignment. Before that, I tried to use the vm_protect function, and I found some cases where vm_protect returned KERN_SUCCESS but the memory was not successfully set to VM_PROT_WRITE.

maniackk avatar Feb 28 '21 11:02 maniackk

Hi @maniackk!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

facebook-github-bot avatar Feb 28 '21 11:02 facebook-github-bot

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!

facebook-github-bot avatar Feb 28 '21 12:02 facebook-github-bot

`oldProtection = get_protection(rebindings);` is wrong. It saves the memory protection of `struct rebindings_entry *rebindings`. We should save the section's protection.

I committed code so that `oldProtection = get_protection((void *)trunc_address);`.

And I found a problem when the program sets the same section's protection from multiple threads (iOS 14.5).

maniackk avatar Mar 02 '21 13:03 maniackk
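The two points raised in the PR discussion above (mprotect only accepts a page-aligned address, and the protection that gets saved must be the target section's, not that of the rebindings bookkeeping struct) can be shown on any POSIX system. The following is an added example, not fishhook's code: a mmap'd read-only region stands in for a `__DATA_CONST` section, the helper names (`page_trunc`, `page_span`, `write_readonly_slot`, `run_demo`) are made up for this demo, and the old protection is passed in by the caller rather than read back from the mapping, since the portable way to query it differs between Mach (`vm_region`) and Linux (`/proc/self/maps`).

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* mprotect() only accepts page-aligned addresses, so round the target down
 * to the start of its page (the trunc_address step discussed in the thread). */
uintptr_t page_trunc(uintptr_t addr) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    return addr & ~(page - 1);
}

/* Number of bytes from the page-truncated start that covers [addr, addr + len). */
size_t page_span(uintptr_t addr, size_t len) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = page_trunc(addr);
    uintptr_t end = (addr + len + page - 1) & ~(page - 1);
    return (size_t)(end - start);
}

/* Raw mprotect() on whatever address is given; returns errno on failure, 0 on success. */
int mprotect_errno(void *addr, size_t len, int prot) {
    errno = 0;
    if (mprotect(addr, len, prot) == 0) return 0;
    return errno;
}

/* Temporarily make the page(s) holding *slot writable, store value, then put
 * the protection back. old_prot is the protection the caller saved for the
 * *target region* (the fix in the thread reads it from the section at
 * trunc_address, not from the rebindings struct). Hypothetical helper. */
int write_readonly_slot(uintptr_t *slot, uintptr_t value, int old_prot) {
    uintptr_t start = page_trunc((uintptr_t)slot);
    size_t len = page_span((uintptr_t)slot, sizeof *slot);
    if (mprotect((void *)start, len, old_prot | PROT_WRITE) != 0) return -1;
    *slot = value;
    if (mprotect((void *)start, len, old_prot) != 0) return -2;
    return 0;
}

/* Demo: map two pages, make them read-only (like a __DATA_CONST mapping, r--),
 * show that an unaligned mprotect fails with EINVAL, then patch one slot via
 * the page-aligned path. Returns 0 on success, a negative step number on failure. */
int run_demo(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *region = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;

    /* Constructed sample slot: deliberately not page-aligned, in the second page. */
    uintptr_t *slot = (uintptr_t *)(region + page + 24);
    *slot = 0x1111;
    if (mprotect(region, 2 * page, PROT_READ) != 0) return -2;

    /* Unaligned address: mprotect rejects it outright instead of rounding down. */
    if (mprotect_errno(slot, sizeof *slot, PROT_READ | PROT_WRITE) != EINVAL) return -3;

    /* Aligned path: promise writable, write, restore the saved protection. */
    if (write_readonly_slot(slot, 0x2222, PROT_READ) != 0) return -4;
    if (*slot != 0x2222) return -5;

    munmap(region, 2 * page);
    return 0;
}

int main(void) {
    int rc = run_demo();
    printf("demo result: %d (0 = ok)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Note that `write_readonly_slot` restores exactly the protection it was handed; if that value had been read from the wrong object (the bug the comment above describes), the region would be left with the wrong permissions, which is how a later read of the section ends up as a KERN_PROTECTION_FAILURE.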

This issue appears again in iOS 15.


Exception Type:  EXC_BAD_ACCESS (SIGKILL)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x00000001d4424da8
VM Region Info: 0x1d4424da8 is in 0x1d44249b8-0x1d4450278;  bytes after start: 1008  bytes before end: 177359
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __DATA_CONST             1d43fc5c0-1d44249b8 [  161K] r--/rw- SM=COW  ...k/MediaRemote
--->  __DATA_CONST             1d44249b8-1d4450278 [  174K] r--/rw- SM=COW  ...ork/CoreUtils
      __DATA_CONST             1d4450278-1d4453430 [   12K] r--/rw- SM=COW  .../FamilyCircle

Termination Reason: Namespace SPRINGBOARD, Code 0x8badf00d
Termination Description: SPRINGBOARD, <RBSTerminateContext| domain:10 code:0x8BADF00D explanation:scene-create watchdog transgression: application<ctrip.com>:444 exhausted real (wall clock) time allowance of 19.91 seconds | ProcessVisibility: Foreground | ProcessState: Running | WatchdogEvent: scene-create | WatchdogVisibility: Foreground | WatchdogCPUStatistics: ( | "Elapsed total CPU time (seconds): 19.580 (user 14.590, system 4.990), 16% CPU", | "Elapsed application CPU time (seconds): 0.034, 0% CPU" | ) reportType:CrashLog maxTerminationResistance:Interactive>
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0  MyApp                	0x0000000102d584bc perform_rebinding_with_section + 7177404 (fishhook.c:149)
1  MyApp                	0x0000000102d58460 perform_rebinding_with_section + 7177312 (fishhook.c:143)
2  MyApp                	0x0000000102d5816c rebind_symbols_for_image + 7176556 (fishhook.c:222)

zhutc avatar Jun 08 '21 07:06 zhutc

@grp are there plans to merge these PRs?

https://github.com/google/EarlGrey/issues/1641

tirodkar avatar Sep 13 '21 17:09 tirodkar